In many phishing e-mails, there is a forged sender – an attacker claiming to have sent a message from an account or domain where he actually isn’t authenticated and authorized. DMARC is a policy that helps mail servers to detect and prevent these forged senders, domain spoofing, and fraudulent e-mails. It is built upon SPF and DKIM solutions.
Our Cyber Resiliency Team will simulate a real phishing attack to your organization and based on the results collected and our in-depth analysis of the company email system (encryption, protocols, filters, etc.), we will help optimize the system to increase the overall security posture to help keep cybercriminals from entering your network.
Sender Policy Framework
SPF detects forged senders of e-mails and uses publicly available DNS records for this purpose. When mail claims to come from a specific domain, SPF verifies if the sender IP address really belongs to the range of this domain. However, it doesn’t follow the whole chain of senders and detects only if the last sender has been properly authenticated.
DomainKeys Identified Mail
DKIM goes even further and verifies if the mail claiming to come from a specific domain really was authorized by the owner of that domain. It uses a digital signature and the sender public key listed in DNS records.
SPF and DKIM are not enough
SPF and DKIM have greatly reduced the number of phishing e-mails. However, it is not easy to authenticate every outgoing message using these technologies and there can be many false positives (legitimate messages that don’t comply with SPF and DKIM and therefore get blocked). The reason for this is that many companies have a complex infrastructure and also use some 3rd party providers to send e-mails.
That’s where DMARC comes into play. DMARC policies are published in DNS records and include a guide on how to handle messages that don’t comply with SPF and DKIM. They specify if the non-compliant message should be
- Quarantined, or
Afterward, reports are generated (shorter aggregated reports or longer forensic reports) and the company can leverage them to gain more insight into their email channels.
Several steps need to be taken to deploy DMARC in your organization:
- Have fully configured SPF and DKIM
- Create a DMARC record
- Add DMARC record to DNS
- Set policies
- Send test messages for validation
- Parse reports
Smaller organizations can be better off deploying DMARC on their own. However, when your organization has a complex infrastructure, it can be challenging to correctly deploy DMARC. An example of a complex infrastructure is third parties sending mails on behalf of the company, ticketing systems, HR tools, and more. If your company happens to fall into this category, there are many free tools as well as enterprise solutions available to help you deploy DMARC with ease.
Things to consider when choosing a DMARC solution are:
- User-friendly dashboard (easy-to-understand graphs and reports )
- SaaS cloud-based deployment (outsourcing eases the burden from the company’s IT team)
- Domain diagnosis (finding vulnerabilities in the domain decreases the risk)
- Forensic reporting (detailed information is provided to specify the reason of DMARC failure)
- API integration (useful for creating an interconnected infrastructure of tools)
- DNS record change tracking (can help detect malicious activity)
Regarding pricing, there are options to price by volume of sent e-mails or by monitored domain. You can choose either one based on the amount of communication your domain produces and on the number of domains you possess. It is also important to check whether subdomains inherit DMARC policy from the main domain.
To conclude, DMARC is a useful tool to prevent phishing but can be relatively challenging to deploy in larger companies. Luckily, there are enough tools available to help ease the problem.