Tech Insight : DMARC Diligence (Part 3) : Implementing and Optimising DMARC for Maximum Security

In this third and final part of our series of ‘DMARC Diligence’ insights, we explore the detailed process of DMARC deployment, its monitoring, optimisation, and preparing businesses for future email security challenges.

Last Week … 

Last week in part 2 of this series of ‘DMARC Diligence’ articles, we looked at the crucial yet often neglected aspect of securing non-sending or “forgotten” domains against cyber threats. Here we highlighted the potential risks posed by these domains when not protected by DMARC policies, and offered some guidance on how businesses can extend their DMARC implementation to cover all owned domains, thereby preventing unauthorised use for spam or phishing attacks.

This Week … Implementing DMARC: A Step-by-Step Approach 

As noted in the previous article in this series, implementing DMARC is now critical for UK businesses to protect against threats like email spoofing and phishing.

To briefly summarise a step-by-step approach to implementing this, businesses can start by ensuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are correctly set up for the domain(s), as DMARC relies on these for email authentication. Next, it’s a case of creating a DMARC record with a policy of “none” to monitor traffic without affecting it. This record is added to your DNS.

Over time, it’s important to analyse your DMARC reports in order to identify any unauthorised use. Finally, gradually shift your policy to “quarantine” or “reject” to block or flag unauthenticated emails, enhancing your email security posture. Looking at this approach in a bit more detail, implementing DMARC means:

– Understanding SPF and DKIM. Before implementing DMARC, ensure you have SPF and DKIM records correctly set up for your domain. These records help in email verification and are crucial for DMARC to function effectively.

– Creating a DMARC record. Draft a DMARC TXT record for your DNS. Start with a policy of ‘none’ (p=none) to monitor your email traffic without affecting it. This stage is critical for understanding your email ecosystem and preparing for stricter enforcement without impacting legitimate email delivery.

– Analysing the reports. Use the data collected from DMARC reports (Aggregate reports – RUA, and Forensic reports – RUF) to identify legitimate sources of email and potential gaps in email authentication practices.

– Gradually adjusting policy. Move your DMARC policy from ‘none’ to ‘quarantine’ (p=quarantine) as you become more confident in your email authentication setup. This move will start to prevent unauthenticated emails from reaching inboxes but may still allow them to be reviewed.

– Full enforcement. Once you’re assured that legitimate emails are correctly authenticated and not negatively impacted, shift your policy to ‘reject’ (p=reject). This is the final step, where unauthenticated emails are actively blocked, providing full protection against phishing and spoofing under DMARC.

– Continuous monitoring and updating. Email authentication landscapes and practices evolve, so it’s crucial to continuously monitor DMARC reports and update your SPF, DKIM, and DMARC settings as necessary to adapt to new email flows, domain changes, or security threats.

Monitoring and Reporting – The Key to Effective DMARC 

For businesses, effective DMARC implementation relies heavily on consistent monitoring and reporting.

Why? 

By analysing DMARC reports, businesses can gain insights into both legitimate and fraudulent email sources using their domain. This process not only helps in identifying authentication failures but also in refining DMARC policies over time (as suggested in the step-by-step approach above) for better security.
Remember, regular reviews of these reports are essential for adapting to new threats and ensuring email communication integrity.
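As an added example that is not from the article, the Python script below summarises a constructed DMARC aggregate (RUA) report per source IP and lists the sources whose mail is mostly failing DMARC, which is the list to work through before moving from p=none to enforcement; the IPs, domains and report id are placeholders.

```python
"""Summarise a DMARC aggregate (RUA) report by source IP.
Added example; the report below is constructed with placeholder values."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarise_rua(xml_text):
    """Return {source_ip: {"count": n, "aligned_pass": n, "fail": n}}.

    <policy_evaluated> already reflects alignment, so a row passes DMARC
    when either its dkim or its spf value is "pass".
    """
    # Reports arrive from arbitrary receivers: parse with defusedxml in
    # production; the stdlib parser is used here to keep the example runnable.
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "aligned_pass": 0, "fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        summary[ip]["count"] += n
        summary[ip]["aligned_pass" if passed else "fail"] += n
    return dict(summary)


def sources_to_investigate(summary, threshold=0.5):
    """Source IPs whose DMARC-failing share exceeds threshold.

    Each is either an unauthorised sender or a legitimate service missing
    from SPF/DKIM; identify which before tightening the policy.
    """
    return sorted(ip for ip, s in summary.items()
                  if s["fail"] / s["count"] > threshold)
```

The source with partial DKIM failure still passes DMARC via aligned SPF, so only the source failing both checks is flagged.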

Optimising DMARC Policies 

Optimising a DMARC policy involves fine-tuning it to create a balance between security against spoofing and phishing, and ensuring legitimate emails are delivered smoothly.

But How? 

The starting point (as mentioned above) is the analysis of your DMARC reports to identify authentication failures and adjust your SPF and DKIM setups accordingly.

A Phased Approach 

Taking a phased approach, i.e. gradually increasing the DMARC policy from ‘none’ to ‘quarantine’ and then to ‘reject’ as confidence in your email authentication improves, is the way to minimise potential disruptions to legitimate email flow while maximising protection against unauthorised use of your domain.

Future-Proofing Your Email Security Strategy 

Going forward, looking at ways to future-proof your business email security strategy, these could include:

– Keeping up to date with emerging threats and trends in email security (continuous education).

– Implementing advanced security technologies like AI-driven threat detection can offer proactive protection.

– Regularly reviewing and updating your email authentication protocols (SPF, DKIM, DMARC) to adapt to changes in your email infrastructure.

– Fostering a security-aware culture within your business, e.g. using training to recognise phishing attempts and to promote safe email practices.

– Engaging in industry forums and cybersecurity communities to help stay ahead of evolving email threats and to gain and share information about best practices.

What Does This Mean For Your Business? 

For UK businesses, implementing and optimising DMARC, as outlined in this final instalment, is a commitment to safeguarding email communications that benefits your business and your customers. Taking a step-by-step approach, as outlined above, from establishing SPF and DKIM records through to DMARC policy enforcement, is now crucial for building an effective defence against email spoofing and phishing (these are now major threats). Taking the phased approach of regular monitoring and gradual policy adjustments ensures that businesses can not only react to current threats but also proactively adapt to emerging challenges. This strategic approach to email security is essential in maintaining the trust of your customers and partners, protecting your brand’s reputation, and complying with today’s data protection regulations. It’s also worth remembering that actively engaging in continuous education and leveraging advanced technologies are ways to stay ahead in the fast-evolving cybersecurity landscape.

Tech Insight : DMARC Diligence (Part 2) : The Forgotten Domains : A Hidden Vulnerability

In this second article of the “DMARC Diligence” series, we shift our focus towards securing non-sending or “forgotten” domains and outline a strategy for their protection through DMARC implementation.

Recap Of Part 1 

You may remember that in part one of this DMARC Due Diligence series of articles we laid the groundwork by exploring the essentials of the email authentication protocols SPF, DKIM, and DMARC. We learned how these mechanisms work in tandem to validate email sources, ensuring that only authenticated emails reach their intended destinations. The primary takeaway was the importance of implementing these protocols to shield email communications from the prevalent threats of phishing and spoofing attacks.

Here, in Part Two of the three-part series, we take a look at some key issues around securing non-sending or “forgotten” domains.

The Risk Of Non-Sending Domains 

Businesses often accumulate multiple domain names, yet routinely only a select few are actively used for email. This leaves a number of domains essentially dormant, with no emails being sent from them. These can be referred to as non-sending or “forgotten” domains.

However, because they remain registered, even dormant/forgotten domains are still viable for exploitation and make ideal targets for cybercriminals to conduct spoofing and phishing attacks under the guise of your reputable name.

How Big Is The Problem? 

The problem of dormant or forgotten domains and their exploitation for email spoofing is significant and aligns with broader issues of email server misconfiguration and domain spoofing that impact businesses globally. For example, a KnowBe4 study (which used a domain spoof test) discovered that 82 per cent of email servers are misconfigured, thereby potentially enabling domain spoofing. Domain spoofing extends beyond email to include website spoofing, where fraudsters profit from the reputation of reputable domains, costing advertisers up to $1 million in lost revenue per month.

Recent Examples  

Examples of non-sending or “forgotten” domains being exploited by cyber-criminals include:

– As reported by Krebs back in 2020, attackers exploited an authentication weakness at GoDaddy (the world’s largest domain name registrar) by using legitimate but inactive domains to distribute malware, including a potent strain of ransomware named GandCrab. Despite efforts to fix the vulnerability and clean up the affected domains, new campaigns exploiting these dormant domains emerged, highlighting the ongoing challenge of securing unused domains against cyber exploitation.

– Just this month, the cyber security company Guardio Labs reported uncovering what it called a major “SubdoMailing” campaign, which involved the hijacking of 8,000+ trusted domains to send millions of spam and malicious phishing emails daily. The big brands whose subdomains it reported being exploited in the campaign included MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay.

The DMARC Solution For Non-Sending/Forgotten Domains 

As highlighted in the previous article in this series, DMARC offers a way to authenticate mail and specify how unauthenticated emails should be treated. However, its real power lies in its ability to be applied to all your domains, active or dormant. This means that by configuring DMARC records for your non-sending domains, you can effectively seal off a potential backdoor for attackers, preventing them from masquerading as your business in malicious campaigns.

Step-by-Step DMARC Implementation For Non-Sending Domains 

With this in mind, here’s an example of a step-by-step strategy for businesses with multiple domains for using DMARC to close the backdoor vulnerability that non-sending/forgotten domains provide:

– Conduct a comprehensive domain audit to identify all the domains your business owns. Next, distinguish between those used for sending emails and those that are not.

– For your non-sending domains, establish DMARC records in the DNS with an initial policy of p=none. This monitoring mode allows you to collect data on how these domains might be exploited without impacting legitimate email traffic.

– Analyse DMARC reports. Regularly reviewing the DMARC reports to identify unauthorised usage of your non-sending domains can provide insights to guide you in tightening the DMARC policy to more restrictive settings (p=quarantine or p=reject), effectively blocking malicious emails.

– Ongoing vigilance. With the cyber threat landscape perpetually evolving, getting into the habit of continually monitoring your DMARC reports and adjusting your policies as needed can help maintain robust protection against emerging threats.
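The record handling behind both the Part 3 implementation steps and the non-sending-domain steps above, as an added Python example that is not part of the articles: it parses and builds DMARC TXT records, advances a record to the next rollout phase, and refuses to advance a record that collects no reports. Domain names and mailboxes are placeholders, and the SPF record for non-sending domains is standard practice added here rather than a step from the article.

```python
"""Build and check DMARC TXT records for the phased rollout (added example;
domains and mailboxes are placeholders)."""

PHASES = ["none", "quarantine", "reject"]  # rollout order


def parse_dmarc(txt):
    """Split a DMARC TXT value into tags; raise ValueError if unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if tags.get("p") not in PHASES:
        raise ValueError("record needs p=none, p=quarantine or p=reject")
    return tags


def build_dmarc(policy, rua, ruf=None):
    """TXT value to publish at _dmarc.<domain> for the given phase."""
    if policy not in PHASES:
        raise ValueError(f"unknown policy {policy!r}")
    record = f"v=DMARC1; p={policy}; rua=mailto:{rua}"
    if ruf:
        record += f"; ruf=mailto:{ruf}"  # forensic reports (RUF)
    return record


def next_phase(current_txt):
    """Record for the next rollout phase, or None once p=reject is reached.

    A record without rua= is refused: with no aggregate reports there is
    nothing on which to base the decision to tighten the policy.
    """
    tags = parse_dmarc(current_txt)
    if "rua" not in tags:
        raise ValueError("no rua= tag: publish one and collect reports first")
    idx = PHASES.index(tags["p"])
    if idx == len(PHASES) - 1:
        return None
    tags["p"] = PHASES[idx + 1]
    return "; ".join(f"{k}={v}" for k, v in tags.items())


def initial_records(domain, sends_mail, rua):
    """Monitoring-phase DNS records for a sending or non-sending domain.

    Non-sending domains also get an SPF record authorising no senders:
    standard practice alongside DMARC, added here beyond the article's steps.
    """
    records = {f"_dmarc.{domain}": build_dmarc("none", rua)}
    if not sends_mail:
        records[domain] = "v=spf1 -all"
    return records
```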

What Does This Mean For Your Business? 

Acknowledging and securing your non-sending/forgotten domains with DMARC is not just a technical safeguard but is now an essential strategy in fortifying your business’s cybersecurity posture. With email fraud now rampant, overlooking these domains could leave your business susceptible to cyberattacks, compromising your integrity and the trust you’ve built with your clients and partners.

Also, as regulations around data protection become increasingly stringent, ensuring that all your domains are shielded with DMARC demonstrates a proactive stance on cybersecurity. This not only helps compliance with laws like GDPR but also positions your business as a trustworthy and secure entity in the digital marketplace.

The protection of non-sending domains via DMARC implementation, therefore, is a crucial step in closing the security gaps within your business’s digital domain strategy.

Next Week…

Next week, in the last of this three-article series, we’ll be focusing on a detailed step-by-step guide for DMARC implementation, the crucial role of monitoring and reporting for effective DMARC management, strategies for optimising DMARC policies, and preparing for future email security challenges. The hope is that this series will provide UK businesses with insights into maximising email security, enhancing brand protection, and ensuring compliance with evolving regulations.

Tech Insight : DMARC Diligence (Part 1) : The Basics of Email Authentication

In this, the first of a series of three articles explaining DMARC and email authentication, we look at why SPF, DKIM, and DMARC are the key pillars of email authentication.

The Issue 

Businesses face numerous cyber threats, with email being one of the most common attack vectors. Phishing, spoofing, and malware are prevalent issues, making email security a top priority.

Effective email authentication mechanisms/protocols like SPF, DKIM, and DMARC, therefore, are ways to improve email security and are crucial in mitigating these threats, ensuring only authenticated emails reach their destination.

What Is SPF? 

The SPF (Sender Policy Framework) email authentication protocol helps prevent email spoofing by allowing domain owners to specify which mail servers can send emails on their behalf, i.e. to verify the sender of an email message.

This is achieved by publishing SPF records in the domain’s DNS (Domain Name System). DNS is the internet’s system for translating domain names into IP addresses, enabling users to access websites by typing human-readable names instead of numerical codes.

When an email is sent, the recipient’s mail server checks this record to verify the email’s origin. If the sending server isn’t listed, the email could be rejected or marked as spam.
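An added Python example, not from the article, of the receiver-side check just described: a sender IP is evaluated against a constructed SPF record (placeholder domains, documentation address ranges) with the ip4, ip6, include and all mechanisms, using an in-memory table in place of real DNS lookups.

```python
"""Evaluate a sender IP against an SPF record the way a receiving server does.

Added example; FAKE_DNS is a constructed, offline stand-in for DNS TXT
lookups (placeholder domains, documentation address ranges)."""
import ipaddress

FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return pass/fail/softfail/neutral/none for sender_ip sending as domain."""
    record = dns.get(domain)
    # No usable record, or a runaway include chain: treat as no SPF result.
    # A real checker enforces the RFC 7208 limit of ten DNS-querying terms.
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "pass" when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # ip_network on a bare address yields a /32 or /128 network
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced record returns pass
            if check_spf(term[8:], sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx and exists need further DNS queries and are not modelled here
    return "neutral"  # record ended with no match and no explicit "all"
```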

What Is DKIM?  

DKIM (DomainKeys Identified Mail) adds an additional security layer by attaching a digital signature to outgoing emails. This signature, verified against a public key in the sender’s DNS, ensures the email’s content hasn’t been altered in transit. DKIM’s role in email authentication, therefore, strengthens the integrity and trustworthiness of email communication.

What Is DMARC? 

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC is essentially an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorised use, such as email spoofing. It does this by allowing them to specify and enforce policies on how their email should be handled if it fails SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks, and it provides a way for receiving email servers to report back to the sender about emails that pass or fail these authentication methods. Essentially, DMARC is a set of rules and reporting protocols added to a domain’s DNS records to improve and monitor the security of the email ecosystem associated with that domain.

DMARC, therefore, offers a way to unify SPF and DKIM’s capabilities, allowing domain owners to define how unauthenticated emails should be handled, and it provides detailed feedback on all emails sent from the domain, aiding in the detection and prevention of unauthorised use and email spoofing.

The Evolving Email Security Landscape – Recent Changes By Email Providers 

In response to a surge in email fraud and to comply with global data protection regulations like the GDPR, major email platforms are tightening their email authentication policies. For example, Google and Yahoo recently (February) expanded their guidelines for high-volume emailers. Yahoo said: “Sending properly authenticated messages helps us to better identify and block billions of malicious messages and declutter our users’ inboxes.”   

As an indication of how serious the problem is, it’s estimated that half of the 300 billion emails sent per day are spam … to reiterate, that’s 150 billion spam emails sent each day! Google, for example, says it blocks a staggering 15 billion unwanted emails every day (spam, phishing, and malware).

The regulatory landscape, demanding higher standards of data privacy and security, plus the sheer volume of spam/phishing/spoofing/malware emails have now catalysed action in the form of platforms trying to enforce stricter measures.

For UK businesses, therefore, adapting to these enhanced authentication standards is crucial to ensure emails reach their intended recipients and to maintain compliance with data protection laws, preventing emails from being lost to spam folders or blocked.

The Necessity for DMARC, SPF, and DKIM 

For the reasons just outlined, implementing DMARC, alongside SPF and DKIM, has now transitioned from a best practice to a necessity, hence a sudden push by many platforms to verify domains. These protocols are fundamental in validating email sources, ultimately enhancing deliverability, and protecting against cyber threats. Although it can feel like an extra hoop for businesses to jump through, their adoption ensures that businesses maintain their credibility and that their communications are effectively received.

What Does This Mean For Your Business?

For UK businesses, the implications of not implementing these email authentication protocols can be significant. Without proper setup, domains are at risk of being used for email spoofing, leading to potential data breaches and loss of customer trust. Additionally, non-compliance with the updated policies of email providers can result in emails being undelivered, affecting operations and communications.

To navigate this landscape, therefore, businesses must adopt a proactive approach, regularly reviewing and updating their SPF, DKIM, and DMARC configurations to combat evolving threats. This involves not only technical adjustments but also staying informed about the latest in email security practices and threats.

It’s important to remember that adhering to these email authentication standards is not merely about compliance, it’s about securing your digital communication channels. By implementing SPF, DKIM, and DMARC, businesses can significantly reduce the risk of cyber-attacks initiated via email, safeguard their digital assets, and ensure the integrity of their email communications.

Next Time …

In this first of three articles in the series, we’ve looked at the basics of email authentication and its significance in the digital age, i.e. SPF, DKIM, and DMARC and their importance as business cybersecurity tools.

In next week’s (second) article in the three-part DMARC Diligence Tech Insight series, we’ll be taking a look at the critical but often neglected issue of securing multiple domains, including those not actively used for sending emails. It will emphasise the importance of applying DMARC policies to these “forgotten” domains to prevent them from being exploited in cyber-attacks, offering guidance on implementing comprehensive email authentication strategies across all owned domains.