Why DMARC Is An Essential Protocol To Stop Phishing
Did you know cyber-attacks and phishing actually increased during the height of the pandemic?
According to Forbes, Google recorded massive numbers of phishing websites during 2020.
Remote working has not been lost on cybercriminals. They have seen it as an opportunity to access business networks and systems via workers’ devices and vulnerabilities in remote working connections.
Plus, attackers have honed their craft, using social engineering to trick us, so cyber-attacks like email phishing are harder to detect: they really do look legitimate.
So now is the time to educate yourself on email security. 🙂
What works in the hackers’ favour is that we can’t eliminate the human factor. Many of us will, at some stage, open a phishing email, click on a malicious link or download what may turn out to be ransomware.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, and it’s one of the protocols created to protect your email domain. However, DMARC is not the only protection you can have, and to have it, you need to implement at least one more, i.e. SPF or DKIM (but better yet – both).
Sender Policy Framework (SPF) is the first layer of protection: it verifies that an email claiming to come from your domain was sent by you or by other parties you allow to send messages on your behalf.
SPF has a couple of significant downsides. For example, if the email is being forwarded, it will no longer pass SPF authentication.
DomainKeys Identified Mail (DKIM) is another email-validation technique. It uses a digital signature to ensure that the message was not altered on its way from the sender to the recipient.
Just like SPF and DKIM, DMARC is a simple TXT record that has to be added to your domain’s DNS.
DMARC’s 3 Policies
DMARC has three policies: none, quarantine, and reject.
The ‘none’ policy means that nothing will happen to the email whether it passes or fails authentication. Basically, as if there was no DMARC implemented at all.
Why do you need a ‘none’ policy then? First, it is beneficial in the early stages of DMARC implementation: it gives you visibility of email traffic. Second, it allows you to see how many of your emails (and which ones exactly) pass or fail authentication.
The ‘quarantine’ policy takes you to the next level. At this point, a message that fails authentication will be marked as spam.
The ‘reject’ policy is your ultimate protection. With it, emails that fail authentication will be blocked entirely and will not reach their recipient. But getting to the ‘reject’ policy will take some time and effort.
What Happens During Authentication
Here is a simplified version of DMARC authentication.
- The receiving mail server runs SPF and DKIM authentication.
- Once both checks have run, the server applies the stated DMARC policy (none, quarantine, or reject) to any message that fails.
- The receiving server sends a DMARC report summarising the action taken on every email sent from that particular domain.
The DMARC Report
The DMARC report is a large topic for a different article, but what you should know (and what Google advises you to do) is to find a proper third-party tool to work with DMARC reports.
Why? DMARC reports were never intended to be human-readable: they arrive in XML format.
Another obstacle is the number of reports: every receiving server sends its own report. Depending on your email reach, you can start receiving hundreds or thousands of them.
So what does a third-party DMARC analyzer do? It gathers, stores, and analyzes your DMARC reports, providing you with a nicely structured, comprehensible view of all your domain information.
DMARC: Security and Deliverability in 2021
Even though there is an obvious security reason to implement DMARC, many companies still hesitate to start using it, or to move from the ‘none’ policy to the more secure ‘reject’ if they already have a record.
So, what is happening in 2021 that should help more companies make the right decision? Well, there’s the challenge of deliverability and security.
No auth, no entry
If your email doesn’t authenticate, it won’t ‘enter’, i.e. the email provider will reject it.
When you implement DMARC, you instruct anyone who receives an email from you to reject it if it doesn’t authenticate.
With ‘no auth, no entry’, it’s the other way around – the email provider says the email will be rejected if it doesn’t authenticate.
Of course, there is no such thing as a set date when ‘no auth, no entry’ will be massively adopted or that there will be any sort of an email provider alliance that agrees to implement it. However, email providers need to deliver a better service to their users and make sure spam does not get through their filtering systems.
Therefore, as a sender, you need to manage your DMARC authentication so your email deliverability doesn’t gradually start decreasing.
Brand Indicators for Message Identification (BIMI) is your way to stand out in the recipient’s inbox by showing your logo next to your email. Gaining that visibility, brand awareness, and trust with each email requires a DMARC policy set to ‘quarantine’ or ‘reject’.
BIMI is not yet widely adopted. However, as of October 2020, it is supported by Verizon’s AOL, Netscape and Yahoo!.
Google launched its BIMI pilot on July 21st, 2020, and FastMail’s pilot is coming soon (according to BIMI Group). So even though it seems like there is plenty of time, it is better to stay ahead of the curve (and your competitors).
Finally, there is no avoiding the topic of the 2020 pandemic and its impact on cyber-security.
In April 2020 alone, Google states that it blocked a shocking 18 million daily coronavirus-related malware and phishing emails. Such a statistic leaves no doubt that every company, large or small, needs all the protection it can get.
Even though DMARC may seem complicated and challenging to implement at first, it is worth every minute you spend on it. Otherwise, you risk financial losses and domain reputation damage from cyber-attacks, plus a decrease in email deliverability rates in the long run.
As Benjamin Franklin said: don’t put off till tomorrow what you can do today. Now is the perfect time to start. Tomorrow may be too late.
Tip: If you don’t know whether you have a DMARC record implemented – use a free domain checker to find out.