What is DMARC?

DMARC, known as Domain-Based Message Authentication, Reporting and Conformance, is a widely recognized standard for email authentication that helps organizations protect email domains from unauthorized use and prevent email-based cyberattacks such as spoofing and phishing, both of which are exceedingly common attack vectors that fall under the Business Email Compromise (BEC) umbrella.

If your organization doesn’t have DMARC configured, we can help with that. Tangent offers a full consultative review of the current email security posture, provides DNS record flattening and implementation as well as ongoing monitoring to ensure no one is attempting to impersonate your organization. Anyone trying to do so will be intercepted and reported to you, coupled with guidance on what to do from there.

More of a fan of visualizing the threats and resolution plans? We can do that too via our Data Reporting Dashboard.

While DMARC is relatively easy to implement, the investigation, monitoring and enforcement phases can be very time consuming, which is why many organizations wind up not implementing it and leaving themselves vulnerable. Along with the enormous security benefits it brings, it also offers communication benefits to organizations in terms of improved brand reputation and email deliverability.

How does DMARC work?

DMARC isn’t just one cybersecurity component: it’s the collaboration of several rules that together determine if an email message reaches a user’s inbox. The email administrator determines these sets of rules, but the two main components for filtering are Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS TXT record that lists the mail servers authorized to send email on your domain’s behalf. When a recipient email server receives a message with DMARC rules enabled, it looks for the SPF record first. This DNS TXT record should contain the IP addresses or hostnames registered to send mail. These could be on-premises email servers, third-party servers such as those used with Google Workspace or Office 365, or even other sending services like SendGrid, MailChimp or Constant Contact used for marketing on an organization’s behalf.

DKIM is a little more involved than SPF. DKIM also requires a TXT record, but this record is the domain’s public key. DKIM implements asymmetric public-private key encryption. With public-private key encryption, a domain’s public key is used to encrypt a message. In the case of DMARC, a signature is encrypted with the public key published on DNS servers and verified at the recipient’s email server using the domain’s private key.

When an inbound server receives a DKIM-signed message, it compares the signature, using the published public key, with the message decrypted using a newly generated key. If the resulting strings match, the recipient’s email server can confirm that the message was not altered in any way. This also ensures that the sender truly belongs to the listed domain and was not spoofed using a fraudulent sender address.

If the email does not match an organization’s SPF/DKIM records, it’ll be discarded, preventing attackers from masquerading as your organization and all of the damage that can bring.

Okay, where is DMARC in this? Both SPF and DKIM have gaps that can still be exploited: this is where DMARC steps in. DMARC is a wraparound set of instructional rules that work alongside SPF and DKIM to “patch” their weak spots and allow for more secure delivery both to and from your organization.
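As an added example (not part of this article or of Tangent’s tooling), the following Python sketches how a receiving server combines the SPF and DKIM results with the domain’s published DMARC record to reach a verdict. The record, domains and authentication results are constructed samples, and the organizational-domain lookup is a deliberate simplification.

```python
"""Added illustration of DMARC evaluation (constructed sample data)."""

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain guess: last two labels. Real receivers consult the
    Public Suffix List; this shortcut is an assumption of the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_verdict(record: str, from_domain: str, spf_result: str,
                  spf_domain: str, dkim_result: str, dkim_domain: str):
    """Return (dmarc_result, disposition). DMARC passes when at least one of
    SPF or DKIM passed AND that mechanism's domain aligns with the From: domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags.get("p", "none")
    # Mail from a subdomain falls under the 'sp' policy when one is published.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy

# Constructed record: strict DKIM alignment, relaxed SPF alignment.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Bulk sender passes SPF for its own domain but is not aligned; DKIM is a
    # subdomain signature rejected by strict alignment -> fail, reject.
    print(dmarc_verdict(SAMPLE_RECORD, "example.com", "pass", "bulk.sender.net",
                        "pass", "mail.example.com"))
```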

What does DMARC do for me?

DMARC provides a wealth of benefits. From the internal perspective, it makes spoofing and impersonation of your users much, much more difficult (sending emails to your staff as if they came from other employees at the organization, particularly executives, in order to harvest information and direct them to perform tasks that further the attacker’s goals). From the external perspective, it prevents easy impersonation of your organization to people outside, such as dispatching fake invoices to your vendors or clients (the most common and unpleasant issue to then sort out with them later).

There are secondary, non-security benefits as well. With a clear designation of your organization’s permitted senders, email servers are much more likely to trust messages coming from your authorized mail systems, meaning less chance of winding up in a spam folder somewhere and not being read at all. Your ‘brand’ is also protected, since it won’t suffer the tarnish of having been impersonated and the consequent negative impact on others.

In the big picture, DMARC is another significant component of a Defense-In-Depth strategy for inbound and outbound email deliverability and protection, and well worth the time to add.