Tech Insight : DMARC Diligence (Part 3) : Implementing and Optimising DMARC for Maximum Security

In this third and final part of our series of ‘DMARC Diligence’ insights, we explore the detailed process of DMARC deployment, its monitoring, optimisation, and preparing businesses for future email security challenges.

Last Week … 

Last week in part 2 of this series of ‘DMARC Diligence’ articles, we looked at the crucial yet often neglected aspect of securing non-sending or “forgotten” domains against cyber threats. Here we highlighted the potential risks posed by these domains when not protected by DMARC policies, and offered some guidance on how businesses can extend their DMARC implementation to cover all owned domains, thereby preventing unauthorised use for spam or phishing attacks.

This Week … Implementing DMARC: A Step-by-Step Approach 

As noted in the previous article in this series, implementing DMARC is now critical for UK businesses to protect against threats like email spoofing and phishing.

To briefly summarise a step-by-step approach to implementing this, businesses can start by ensuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are correctly set up for the domain(s), as DMARC relies on these for email authentication. Next, it’s a case of creating a DMARC record with a policy of “none” to monitor traffic without affecting it. This record is added to your DNS.

Over time, it’s important to analyse your DMARC reports in order to identify any unauthorised use. Finally, gradually shift your policy to “quarantine” or “reject” to block or flag unauthenticated emails, enhancing your email security posture. Looking at this approach in a bit more detail, implementing DMARC means:

– Understanding SPF and DKIM. Before implementing DMARC, ensure you have SPF and DKIM records correctly set up for your domain. These records help in email verification and are crucial for DMARC to function effectively.

– Creating a DMARC record. Draft a DMARC TXT record for your DNS. Start with a policy of ‘none’ (p=none) to monitor your email traffic without affecting it. This stage is critical for understanding your email ecosystem and preparing for stricter enforcement without impacting legitimate email delivery.

– Analysing the reports. Use the data collected from DMARC reports (Aggregate reports – RUA, and Forensic reports – RUF) to identify legitimate sources of email and potential gaps in email authentication practices.

– Gradually adjusting policy: Gradually adjust your DMARC policy from ‘none’ to ‘quarantine’ (p=quarantine) as you become more confident in your email authentication setup. This move will start to prevent unauthenticated emails from reaching inboxes but may still allow them to be reviewed.

– Full enforcement. Once you’re assured that legitimate emails are correctly authenticated and not negatively impacted, shift your policy to ‘reject’ (p=reject). This is the final step where unauthenticated emails are actively blocked, providing full protection against phishing, and spoofing under DMARC.

– Continuous monitoring and updating. Email authentication landscapes and practices evolve, so it’s crucial to continuously monitor DMARC reports and update your SPF, DKIM, and DMARC settings as necessary to adapt to new email flows, domain changes, or security threats.

Monitoring and Reporting – The Key to Effective DMARC 

For businesses, effective DMARC implementation relies heavily on consistent monitoring and reporting.

Why? 

By analysing DMARC reports, businesses can gain insights into both legitimate and fraudulent email sources using their domain. This process not only helps in identifying authentication failures but also in refining DMARC policies over time (as suggested in the step-by-step approach above) for better security.
Remember, regular reviews of these reports is essential for adapting to new threats and ensuring email communication integrity.

Optimising DMARC Policies 

Optimising a DMARC policy involves fine-tuning it to create a balance between security against spoofing and phishing, and ensuring legitimate emails are delivered smoothly.

But How? 

The starting point (as mentioned above) is the analysis of your DMARC reports to identify authentication failures and adjust your SPF and DKIM setups accordingly.

A Phased Approach 

Taking a phased approach, i.e. gradually increasing the DMARC policy from ‘none’ to ‘quarantine’ and then to ‘reject’ as confidence in your email authentication improves, is the way to minimise potential disruptions to legitimate email flow while maximising protection against unauthorised use of your domain.

Future-Proofing Your Email Security Strategy 

Going forward, looking at ways to future-proof your business email security strategy, these could include:

– Keeping up to date with emerging threats and trends in email security (continuous education).

– Implementing advanced security technologies like AI-driven threat detection can offer proactive protection.

– Regularly reviewing and updating your email authentication protocols (SPF, DKIM, DMARC) to adapt to changes in your email infrastructure.

– Fostering a security-aware culture within your business e.g., using training to recognising phishing attempts and safe email practices.

– Engage in industry forums and cybersecurity communities to help stay ahead of evolving email threats and to gain and share information about best practices.

What Does This Mean For Your Business? 

For UK businesses, implementing and optimising DMARC, as outlined in this final instalment, is a commitment to safeguarding email communications that benefits your business and your customers. Taking a step-by-step approach, as outlined above, from establishing SPF and DKIM records, through to DMARC policy enforcement, are now crucial for building an effective defence against email spoofing and phishing (these are now major threats). Taking the phased approach of regular monitoring and gradual policy adjustments ensures that businesses can not only react to current threats but also proactively adapt to emerging challenges. This strategic approach to email security is essential in maintaining the trust of your customers and partners, protecting your brand’s reputation, and complying with today’s data protection regulations. It’s also worth remembering that actively engaging in continuous education and leveraging advanced technologies are ways to stay ahead in the fast-evolving cybersecurity landscape.

Tech Insight : DMARC Diligence (Part 2) : The Forgotten Domains : A Hidden Vulnerability

In this second article of the “DMARC Diligence” series, we shift our focus towards securing non-sending or “forgotten” domains and outline a strategy for their protection through DMARC implementation.

Recap Of Part 1 

You may remember that in part one of this DMARC Due Diligence series of articles we laid the groundwork by exploring the essentials of the email authentication protocols SPF, DKIM, and DMARC. We learned how these mechanisms work in tandem to validate email sources, ensuring that only authenticated emails reach their intended destinations. The primary takeaway was the importance of implementing these protocols to shield email communications from the prevalent threats of phishing and spoofing attacks.

Here, in Part Two of the three-part series, we take a look at some key issues around securing non-sending or “forgotten” domains.

The Risk Of Non-Sending Domains 

Businesses often accumulate multiple domain names, yet routinely only a select few which are actively used for emails. This leaves a number of domains essentially dormant, with no emails being sent from them. These can be referred to as non-sending or “forgotten” domains.

However, their existence and registration on servers mean that even if they are dormant/forgotten, they’re still viable for exploitation and make ideal targets for cybercriminals to conduct spoofing and phishing attacks under the guise of your reputable name.

How Big Is The Problem? 

The problem of dormant or forgotten domains and their exploitation for email spoofing is significant and aligns with broader issues of email server misconfiguration and domain spoofing that impact businesses globally. For example, a KnowBe4 study (which used a domain spoof test) discovered that 82 per cent of email servers are misconfigured, thereby potentially enabling domain spoofing. Domain spoofing extends beyond email to include website spoofing, where fraudsters profit from the reputation of reputable domains, costing advertisers up to $1 million in lost revenue per month.

Recent Examples  

Examples of non-sending or “forgotten” domains being exploited by cyber-criminals include:

– As reported by Krebs back in 2020, attackers exploiting an authentication weakness at GoDaddy (the world’s largest domain name registrar) by using legitimate but inactive domains to distribute malware, including a potent strain of ransomware named Gand Crab. Despite efforts to fix the vulnerability and clean up affected domains, new campaigns exploiting these dormant domains emerged, thereby highlighting the ongoing challenge of securing unused domains against cyber exploitation.

– Just this month, Cyber Security Company, Guardio Labs reported uncovering what they referred to as a major “SubdoMailing” campaign which involved the hijacking of 8,000+ trusted domains to send millions of spam and malicious phishing emails daily. The big brands whose subdomains they reported were being exploited in the campaign included MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay.

The DMARC Solution For Non-Sending/Forgotten Domains 

As highlighted in the previous article in this series, DMARC offers a way to authenticate mail and specify how unauthenticated emails should be treated. However, its real power lies in its ability to be applied to all your domains, active or dormant. This means that by configuring DMARC records for your non-sending domains, you can effectively seal off a potential backdoor for attackers, preventing them from masquerading as your business in malicious campaigns.

Step-by-Step DMARC Implementation For Non-Sending Domains 

With this in mind, here’s an example of a step-by-step strategy for businesses with multiple domains for using DMARC to close the backdoor vulnerability that non-sending/forgotten domains provide:

– Conduct a comprehensive domain audit to identify all the domains your business owns. Next, distinguish between those used for sending emails and those that are not.

– For your non-sending domains, establish DMARC records in the DNS with an initial policy of p=none. This monitoring mode allows you to collect data on how these domains might be exploited without impacting legitimate email traffic.

– Analyse DMARC reports. Regularly reviewing the DMARC reports to identify unauthorised usage of your non-sending domains can provide insights to guide you in tightening the DMARC policy to more restrictive settings (p=quarantine or p=reject), effectively blocking malicious emails.

– Ongoing vigilance. With the cyber threat landscape perpetually evolving, getting into the habit of continually monitoring your DMARC reports and adjusting your policies as needed can help maintain robust protection against emerging threats.

What Does This Mean For Your Business? 

Acknowledging and securing your non-sending/forgotten domains with DMARC is now not just a technical safeguard but is now an essential strategy in fortifying your business’s cybersecurity posture. With email fraud now rampant, overlooking these domains could leave your business susceptible to cyberattacks, compromising your integrity and the trust you’ve built with your clients and partners.

Also, as regulations around data protection become increasingly stringent, ensuring that all your domains are shielded with DMARC demonstrates a proactive stance on cybersecurity. This not only helps compliance with laws like GDPR but also positions your business as a trustworthy and secure entity in the digital marketplace.

The protection of non-sending domains via DMARC implementation, therefore, is a crucial step in closing the security gaps within your business’s digital domain strategy.

Next Week…

Next week, in the last of this three-article series, we’ll be focusing on a detailed step-by-step guide for DMARC implementation, the crucial role of monitoring and reporting for effective DMARC management, strategies for optimising DMARC policies, and preparing for future email security challenges. The hope is that this series will provide UK businesses with insights into maximising email security, enhancing brand protection, and ensuring compliance with evolving regulations.

Featured Article : Want A .Dad Domain For Father’s Day

Here we look at most of the modern top-level domains and their uses, along with the advantages and disadvantages of choosing a newer, lesser known, or more specific TLD for your website domain name.

What Are Top Level Domains? 

Top-Level Domains (TLDs) are the highest level in the hierarchical Domain Name System (DNS) structure of the internet, i.e. they are the last segment of a domain name that follows the final dot (e.g., .com, .org, .net). In short, TLDs categorise and classify domain names based on their purpose or geographic location.

Two Main Types 

There are two main categories of TLDs:

  1. Generic Top-Level Domains (gTLDs): These are TLDs that are not specific to any country or geographic region. Some common examples of gTLDs include .com, .org, .net, and .info. Originally, gTLDs were limited to a few generic options, but with the expansion of the internet, many new gTLDs have been introduced to provide more specific categorisations for websites.
  2. Country Code Top-Level Domains (ccTLDs): These are TLDs that are associated with a specific country or territory. Each country is assigned a two-letter code (e.g., .us for the United States, .uk for the United Kingdom, .ca for Canada) to create country-specific TLDs. These TLDs help indicate the geographic association or targeting of a website.

TLDs serve several purposes, including indicating the nature of a website (e.g., .com for commercial, .edu for educational institutions) or its association with a particular country or region. They provide a structured and organised system for domain names on the internet, allowing users to easily identify the purpose or location of a website based on its TLD.

Main Top Level Domains 

There are many TLDs that most of us would recognise e.g., .com, .org., .net, and many country specific TLDs such as .co.uk. However, new TLDs are introduced all the time, and the list below includes many of the newer ones and their intended purpose.

  1. .com: Originally intended for commercial websites, it has become a widely used TLD for various types of websites.
  2. .org: Primarily used by non-profit organisations and associations.
  3. .net: Initially designated for network infrastructure, it is now used for a variety of purposes.
  4. .gov: Restricted to U.S. government entities.
  5. .edu: Restricted to accredited educational institutions, such as universities and colleges.
  6. .mil: Restricted to U.S. military entities.
  7. .int: Reserved for international treaty-based organisations and institutions.
  8. .info: Intended for informative websites, although it’s open for general registration.
  9. .biz: Designed for business-oriented websites.
  10. .mobi: Intended for websites optimised for mobile devices.
  11. .name: Meant for personal websites and portfolios.
  12. .pro: Originally intended for professionals like doctors and lawyers, but it’s now open for general registration.
  13. .co: Originally the TLD for Colombia, it has gained popularity as a global alternative to .com.
  14. .io: Originally the TLD for British Indian Ocean Territory, it has become popular among tech companies and startups, and for downloadable games. They are treated as generic top-level domains by Google and there are no restrictions on who can use a .io domain.
  15. .me: Often used for personal websites, blogs, and online resumes.
  16. .tv: Originally the TLD for Tuvalu, it is frequently used by television and media-related websites.
  17. .dev: Geared towards developers, programmers, and technology-focused websites.
  18. .design: Targeted towards designers and creative professionals.
  19. .agency: Suitable for advertising agencies, marketing firms, and creative service providers.
  20. .store: Ideal for e-commerce platforms and online retail businesses.
  21. .blog: Geared towards bloggers and individuals sharing their thoughts and ideas.
  22. .travel: Restricted to entities in the travel and tourism industry.
  23. .photography: Suited for photographers and photography-related websites.
  24. .restaurant: Targeted towards restaurants, cafes, and food establishments.
  25. .esq : a secure domain for lawyers or ‘distinguished’ people.
  26. .foo: a domain from a word used in computer programming that can offer a distinctive and different position.
  27. .nexus: Another a top-level extension designed for entities in the technology industry.
  28. .prof: A domain designed to connect professors to students, colleagues, universities, and peers.
  29. .zip: A domain for storage services (think zip files).
  30. .mov: A domain for anything related to films and video.
  31. .phd: Designed to show the credentials of those with a PhD qualification.
  32. .giving: A domain to be used for fundraising efforts by non-profits, social enterprises, or companies involved in fundraising.
  33. .kids: Useful for websites aimed at entertaining and educational web content for children and youth.
  34. .rsvp: A secure domain for events and reservations, e.g. events, fundraisers, business bookings, and more.
  35. .boo: For fun marketing or special events, e.g. Halloween.
  36. .abbvie: Solely for websites affiliated with US pharmaceutical giant ‘Abbvie’.
  37. .pioneer: A domain solely for those affiliated with the Pioneer Corporation (Japanese company known for electronics).
  38. .channel: For uses by creators and publishers to host or redirect to storefronts featuring digital and physical products.

.Dad Domain For Father’s Day? 

Google’s. dad domains (which could make a good Father’s Day present) can be used for fatherhood-related content e.g., urname.dad, yourblog.dad, yourbusiness.dad. Google says its .dad registry is for dads who want to start a blog or someone showing appreciation for the father figures in their life. Examples of some of the sites and communities on .dad include:

– Classic.dad – All about the Dad Life, such as puns, dad cooking, fixing just about anything with duct tape and more.

– Lifeof.dad and life.dad – a leading community of dads whose mission is to celebrate fatherhood by entertaining and supporting dads.

– WorldsGreatest.dad – a Father’s Day page dedicated to a great dad, complete with photos and captions.

– Mr.dad / expectant.dad /new.dad – a site sharing resources to help dads become the fathers they want to be.

What Are The Advantages And Disadvantages Of Having A Lesser Known Or More Specific Domain? 

Choosing a lesser-known, newer, or very specific Top-Level Domain (TLD) for your website domain name can have both advantages and disadvantages. Here are some considerations:

Advantages: 

– Availability. Lesser-known or newer TLDs may have a wider range of available domain names compared to popular TLDs like .com, where many desirable names are already registered. This gives you a better chance of finding a domain name that matches your brand or business.

– Specificity. Certain TLDs are tailored to specific industries or interests. If the TLD aligns closely with your niche or target audience, it can help communicate your website’s purpose or specialisation right in the domain name, making it more memorable and relevant to visitors.

– Branding. A unique or specific TLD can enhance your brand identity and differentiate your website from competitors. It can give your website a distinctive and memorable web address, which can be advantageous for marketing and branding purposes.

– Availability of keyword-rich names: In some cases, newer or specific TLDs might have more keyword-rich domain names available. This can be valuable for search engine optimisation (SEO) as having relevant keywords in your domain name can potentially improve your website’s visibility in search results.

Disadvantages: 

– Familiarity. Lesser-known or newer TLDs may not be as well-recognised or familiar to internet users compared to traditional and popular TLDs like .com or .org. This could lead to a perception of untrustworthiness or unfamiliarity, especially if visitors are accustomed to more established TLDs.

– User perception. Some users may associate specific TLDs with low-quality or spammy websites. If you choose a TLD that has a negative reputation or is commonly used for malicious purposes, it might impact user trust and deter potential visitors.

– SEO considerations. While having keyword-rich domain names can be beneficial for SEO, the impact of TLDs on search engine rankings is debatable. Search engines like Google claim that TLDs do not directly affect rankings. However, user perception and click-through rates can indirectly impact SEO performance, and a less recognisable TLD might affect user behaviour and therefore SEO.

– Limited availability of domain extensions: Depending on the specific TLD you choose, you might have fewer options when it comes to domain registrars or web hosting providers. Some TLDs have limited availability and/or higher registration costs due to exclusivity or being managed by specific entities.

– Ultimately, the decision to choose a lesser-known, newer, or very specific TLD for your website domain name should consider your brand identity, target audience, marketing strategy, and long-term goals. It’s essential to weigh the advantages and disadvantages and consider how the TLD choice aligns with your overall online presence and branding objectives.

Will Having A New Or Lesser-Known Domain Have A Negative Impact On Your Search Engine Rankings? 

According to Google, the choice of TLD does not directly impact a website’s search visibility or rankings.

Google says its primary focus is to provide users with the most relevant and high-quality search results, regardless of the TLD used by a website and that its search algorithms primarily assess factors such as content relevance, user experience, backlinks, and other SEO signals to determine search rankings.

However, it’s important to note that user behaviour and perception can indirectly influence search rankings. If users are less familiar with a specific TLD or have a perception that it is associated with low-quality websites, they may be less likely to click on search results with those TLDs. This lower click-through rate (CTR) can potentially impact the visibility of websites with new or specific TLDs in search engine results.

Additionally, the content and relevance of a website’s pages, its overall SEO optimisation, and the quality and quantity of backlinks it receives remain crucial ranking factors. These factors are not directly influenced by the TLD but rather by the website’s overall optimisation efforts.

It’s worth noting that search engine algorithms and practices may evolve over time (with the introduction of AI within searches), and new information or updates may be introduced. Therefore, it’s always advisable to stay informed about the latest SEO practices and guidelines from search engines like Google to ensure your website performs well in search results, regardless of the TLD chosen.

What Does This Mean For Your Business? 

Choosing the right Top-Level Domain (TLD) for your website domain name is a decision that can significantly impact your online presence and branding. While newer, lesser-known, or very specific TLDs offer certain advantages, they also come with potential drawbacks. It’s crucial to carefully consider these factors and evaluate how they align with your business goals.

The advantages of opting for a lesser-known or specific TLD include, for example, increased availability of domain names, better specificity and relevance to your niche, enhanced branding opportunities, and the potential for keyword-rich domain names. These factors can contribute to better visibility, differentiation from competitors, and improved memorability for your target audience.

However, there are also disadvantages to consider. Lesser-known TLDs may lack familiarity among internet users, potentially leading to a perception of untrustworthiness. User perception and trust are crucial for attracting visitors to your website. Additionally, the impact on search engine rankings remains uncertain, with search engines like Google stating that TLDs do not directly affect rankings. However, user behaviour and click-through rates can indirectly influence SEO performance.

Also, the limited availability of domain extensions and potential higher costs associated with specific TLDs can pose challenges when registering a domain or finding suitable web hosting providers.

Ultimately, the choice of TLD should be aligned with your brand identity, target audience, marketing strategy, and long-term goals. Consider the advantages and disadvantages outlined in this article and weigh them against your specific business needs. Stay informed about the latest SEO practices and guidelines to ensure your website performs well in search results, regardless of the TLD chosen.

Choosing the right TLD, therefore, is a strategic decision that requires careful consideration. By understanding the advantages and disadvantages, you can make an informed choice that aligns with your business objectives and helps create a strong online presence.