DMARC – protecting your brand from spoofers
Picture this: your creditor’s clerk receives an urgent e-mail from the CEO following up on a very large, unpaid invoice from a major supplier who is threatening to cut supplies unless the invoice is paid immediately. The clerk pays the supplier. But the CEO never sent that e-mail.
Or this: an e-mail from your company is sent to your entire customer base warning them to immediately update their personal – and banking – details. News soon spreads on social media that many of your now former customers have suffered significant financial loss and inconvenience as a result of that e-mail.
Welcome to the world of spoofing – a technique used in cyber crime attacks in which a malicious sender makes fraudulent use of a company’s brand to trick users into thinking an e-mail message is from a trusted source.
These socially engineered or phishing e-mails are typically very targeted, focusing on your partners, customers, suppliers or – in the case of BEC (Business Email Compromise) messages – your own staff. They are almost impossible for recipients to detect because they don’t come from a lookalike domain or display name with a free e-mail address behind it, but with a forged sender address, often that of a senior individual within the organisation.
According to a 2020 Interpol report, BEC become the cyber criminal scheme of choice to conduct attacks in the wake of the Coronavirus pandemic lockdown as work-from-home became the norm.
Now it’s estimated that well over 3 billion spoofing e-mails are sent daily and that number is rising.
And no organisation or business is immune. Even the Australian Cyber Security Centre got hit, with scammers using its name to send e-mails to individuals claiming that their computers had been compromised. The mails contained a malicious link requesting they download an “anti-virus” to resolve the issue.
“Spoofing e-mails can cause serious problems for the people that receive them, and for the organisations that appear to be sending them,” says Sam Gelbart, CTO at SYNAQ.
He points out that systems such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are useful in that they can help authenticate mail, but they can’t tackle e-mail spoofing on their own because these malicious e-mails originate from an external source and domain owners aren’t always aware their domain is being used for phishing.
However, Domain-based Message Authentication Reporting and Conformance (DMARC) can help to deal with all that.
According to Gelbart, DMARC is a free and open technical specification that can be used by domain owners to authenticate their sent e-mail by aligning and combining with existing SPF and DKIM e-mail security policies into a holistic policy.
First published in 2012, DMARC has been widely adopted around the world, including in South Africa, although, Gelbart says, “more slowly than we’d like” with its adoption more widespread among enterprises at greater brand risk than among smaller organisations.
It works somewhat differently to other anti-virus or e-mail protection techniques in that instead of attempting to keep malicious e-mail out, it provides a way for operators to easily identify legitimate e-mail. Essentially, it moves away from the “filter out the bad” concept of security to a “filter in the good” security model.
“With a DMARC policy in place, senders can indicate that their messages are protected by SPF and/or DKIM. It also tells a receiver what to do if either of those authentication policies fail. This could result in e-mail being to sent to junk, being quarantined or even being rejected entirely,” Gelbart explains.
“DMARC thus removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. Importantly, DMARC also provides a way for the e-mail receivers to report back to the sender (DMARC Policy Creator) about messages that pass or fail DMARC evaluation.”
While DMARC’s ability to allow e-mail receivers to verify their e-mail from an SPF and DKIM standpoint is important, as this allows them to enforce the DMARC policy of reject, quarantine or “none” – simply gather reporting stats, Gelbart maintains that is only part of the real benefits of DMARC.
“What’s really useful is the DMARC’s reporting capability, which allows e-mail recipients to send reports to domain owners, thus allowing them to understand all their e-mail origins and where authentication failures originate from. This then allows domain owners to take appropriate corrective action such as reconfiguring their SPF and/or DKIM correctly if necessary,” Gelbart adds.
In addition, by using reports received from mail recipients around the world and aggregating them using tools or third-party DMARC analysis providers such as Sendmarc in South Africa, domain owners can see which companies, ISPs or bulk mail providers are allowing spammers and phishers to use their e-mail services to send unauthenticated and fraudulent mail to potential victims. Armed with this information, domain owners can issue take-down instructions to mail providers and ISPs to remove the spammers and spoofers.
“DMARC is a vital tool in beating the spammers and scammers, and in protecting your customers, partners, suppliers and employees from those who would use your brand’s good name to steal data and money. It should, however, be implemented slowly to ensure it is properly aligned. Thereafter, partnering with a DMARC analytics vendor who can provide actionable and understandable visualisations and recommendations from your DMARC reports will make it easier for you to obtain the full benefits of the process,” Gelbart concludes.