All right, you’ve just gone through the whole process of setting up DMARC for your domain. You published your SPF, DKIM and DMARC records, you analysed all your reports, fixed delivery issues, bumped up your enforcement level from p=none to quarantine and finally to reject. You’re officially 100% DMARC-enforced. Congratulations! Now only your emails reach people’s inboxes. No one’s going to impersonate your brand if you can help it.

So that’s it, right? Your domain’s secured and we can all go home happy, knowing your emails are going to be safe. Right…?

Well, not exactly. DMARC is kind of like exercise and diet: you do it for a while and lose a bunch of weight and get some sick abs, and everything’s going great. But if you stop, all those gains you just made are slowly going to diminish, and the risk of spoofing starts creeping back in. But don’t freak out! Just like with diet and exercise, getting fit (i.e. getting to 100% enforcement) is the hardest part. Once you’ve done that, you just need to maintain it at that same level, which is much easier.

Okay, enough with the analogies, let’s get down to business. If you’ve just implemented and enforced DMARC on your domain, what’s the next step? How do you continue keeping your domain and email channels secure?

What to Do After Achieving DMARC Enforcement

The #1 reason that email security doesn’t simply end after you reach 100% enforcement is that attack patterns, phishing scams, and sending sources are always changing. A popular trend in email scams often doesn’t even last longer than a couple of months. Think of the WannaCry ransomware attacks in 2018, or even something as recent as the WHO Coronavirus phishing scams in early 2020. You don’t see many of those in the wild right now, do you?

Cybercriminals are constantly changing their tactics, malicious sending sources are always changing and multiplying, and there’s not much you can do about it. What you can do is prepare your brand for any possible cyberattack that could come at you. And the way to do that is through DMARC monitoring & visibility.

Even after you’re enforced, you still need to be in total control of your email channels. That means you have to know which IP addresses are sending emails through your domain, where you’re having issues with email delivery or authentication, and identify and respond to any potential spoofing attempt or malicious server carrying a phishing campaign on your behalf. The more you monitor your domain, the better you’ll come to understand it. And consequently, the better you’ll be able to secure your emails, your data and your brand.

Why DMARC Monitoring is So Important

Identifying new mail sources
When you monitor your email channels, you’re not just checking to see if everything’s going okay. You’re also looking for new IPs sending emails from your domain. Your organization might change its partners or third-party vendors every so often, which means their IPs might become authorized to send emails on your behalf. Is that new sending source just one of your new vendors, or is it someone trying to impersonate your brand? If you analyse your reports regularly, you’ll have a definite answer to that.

PowerDMARC lets you view your DMARC reports according to every sending source for your domain.

Understanding new trends of domain abuse
As I mentioned earlier, attackers are always finding new ways to impersonate brands and trick people into giving them data and money. But if you only ever look at your DMARC reports once every couple of months, you’re not going to notice any telltale signs of spoofing. Unless you regularly monitor the email traffic in your domain, you won’t notice trends or patterns in suspicious activity, and when you are hit with a spoofing attack, you’ll be just as clueless as the people targeted by the email. And trust me, that’s never a good look for your brand.

Find and blacklist malicious IPs
It’s not enough just to find out who exactly is trying to abuse your domain; you need to shut them down ASAP. When you’re aware of your sending sources, it’s much easier to pinpoint an offending IP, and once you’ve found it, you can report that IP to its hosting provider and have it blacklisted. This way, you permanently eliminate that specific threat and avoid a spoofing attack.

With Power Take Down, you find the location of a malicious IP, their history of abuse, and have them taken down.

Control over deliverability
Even if you were careful to bring DMARC up to 100% enforcement without affecting your email delivery rates, it’s important to continuously ensure consistently high deliverability. After all, what’s the use of all that email security if none of the emails are making it to their destination? By monitoring your email reports, you can see which ones passed, failed or didn’t align with DMARC, and discover the source of the problem. Without monitoring, it would be impossible to know if your emails are being delivered, let alone fix the issue.

PowerDMARC gives you the option of viewing reports based on their DMARC status so you can instantly identify which ones didn’t make it through.
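To make the per-source review described above concrete, here is an added example (not PowerDMARC’s code) that parses a constructed DMARC aggregate (RUA) report and separates sending sources you have not authorised from authorised ones that still have SPF or DKIM gaps. The report XML, the IP addresses and the KNOWN_SENDERS inventory are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report in the RFC 7489 Appendix C layout. The IPs are
# documentation addresses and the counts are invented; a real report arrives as a gzip or
# zip attachment on the daily mail from each receiver.
SAMPLE_RUA = """<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <date_range><begin>1609459200</begin><end>1609545600</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Assumed inventory of sources you have authorised: your own mail server and one vendor.
KNOWN_SENDERS = {"192.0.2.10", "203.0.113.25"}


def summarize_rua(xml_text):
    """Flatten each <record> into one row: who sent, how much, and how it was judged.

    Reports come from third parties, so in production parse them with defusedxml rather
    than the stock ElementTree to avoid entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        spf, dkim = ev.findtext("spf"), ev.findtext("dkim")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf": spf,
            "dkim": dkim,
            "disposition": ev.findtext("disposition"),
            # DMARC passes when at least one aligned mechanism passes.
            "dmarc_pass": "pass" in (spf, dkim),
        })
    return rows


def triage(rows, known_senders):
    """Split sources into the two lists monitoring is really about.

    unknown: IPs you have not authorised (a new vendor, or someone spoofing you?).
    known_with_gaps: your own sources where SPF or DKIM is not passing, i.e. a
    deliverability problem waiting to happen once a receiver tightens enforcement.
    """
    unknown = sorted({r["ip"] for r in rows if r["ip"] not in known_senders})
    known_with_gaps = sorted({r["ip"] for r in rows
                              if r["ip"] in known_senders and "fail" in (r["spf"], r["dkim"])})
    failed_volume = sum(r["count"] for r in rows if not r["dmarc_pass"])
    return {"unknown": unknown, "known_with_gaps": known_with_gaps, "failed_volume": failed_volume}


if __name__ == "__main__":
    for row in summarize_rua(SAMPLE_RUA):
        print(row)
    print(triage(summarize_rua(SAMPLE_RUA), KNOWN_SENDERS))
```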

 

Our cutting-edge platform offers 24×7 domain monitoring and even gives you a dedicated security response team that can manage a security breach for you. Learn more about PowerDMARC extended support.

Why do I Need DKIM? Isn’t SPF Enough?

Remote working has exposed people to a greater number of phishing and other cyberattacks, and the most damaging phishing attacks are the ones that can’t simply be ignored. However many work emails are sent and received, and despite the rise of workplace chat and instant messaging apps, for most people working in offices email continues to dominate business communication, both internally and externally.

However, it’s no secret that email is usually the most common entry point for cyberattacks, which involve sneaking malware and exploits into the network, stealing credentials and exposing sensitive data. According to data from SophosLabs in September 2020, around 97% of the malicious spam caught by its spam traps consisted of phishing emails hunting for credentials or other information.

The remaining 3% carried a mixed bag of messages, with links to malicious websites or booby-trapped attachments. These were mostly hoping to install backdoors, remote access trojans (RATs), information stealers or exploits, or to download other malicious files.

Whatever the source, phishing remains a frighteningly effective tactic for attackers, whatever their final objective may be. There are robust measures every organization can use to verify whether an email really came from the person and source it claims to have come from.

How Does DKIM Come to the Rescue?

An organization’s email security needs to check every incoming email against the authentication rules set by the domain the email appears to have come from. DomainKeys Identified Mail (DKIM) is one such check: it inspects an inbound email to confirm that nothing has been altered. For legitimate emails, DKIM will find a digital signature linked to a specific domain name.

This domain name is carried in the header of the email, and a corresponding key is published by the source domain. The greatest advantage of DKIM is that it adds a digital signature to your email headers, so that the servers receiving the message can cryptographically authenticate those headers and deem the message valid and original.

The signed headers typically include ‘From’, ‘To’, ‘Subject’ and ‘Date’.

Why Do You Need DKIM?

Cybersecurity experts consider DKIM all but essential for securing day-to-day official email. In DKIM, the signature is generated by the sending MTA (Mail Transfer Agent), which computes a unique string of characters called the hash value.

The hash value is then associated with the listed domain: after receiving the email, the receiver can verify the DKIM signature using the public key registered for that domain in the Domain Name System (DNS). This key is used to decrypt the hash value in the header, and the receiver also recalculates the hash value from the email it received.

If the two values match, the MTA knows the email hasn’t been altered. Additionally, the user gets further confirmation that the email was actually sent from the listed domain.
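As an added example, not part of the original article, the following code performs the “recalculate the hash value” step of DKIM verification described above: it canonicalizes the received body, recomputes the bh= digest and compares it with the one in the DKIM-Signature header. The message, selector and domain are constructed for the example, and the b= signature check against the public key in DNS is deliberately left out.

```python
import base64
import hashlib
import hmac
import re


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a tag value carries no meaning, so drop it.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, method):
    """Apply 'simple' or 'relaxed' body canonicalization (RFC 6376 section 3.4)."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # Strip trailing whitespace on every line and collapse runs of WSP to one space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, method="simple", algo="sha256"):
    """The base64 digest a signer puts in the bh= tag for this body."""
    digest = hashlib.new(algo, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_signature, body):
    """Recompute bh= from the received body and compare it with the signed value.

    A mismatch means the body differs from what was signed. This is only the body-hash half
    of DKIM verification; checking the b= signature over the headers needs the signer's
    public key from DNS and is not done here.
    """
    tags = parse_dkim_tags(dkim_signature)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]     # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple").split("/")        # c=relaxed means relaxed/simple
    body_method = canon[1] if len(canon) == 2 else "simple"
    return hmac.compare_digest(body_hash(body, body_method, algo), tags.get("bh", ""))


# Constructed sample: the bh= value is generated here so the header matches the body.
# b= is left empty because no key pair is involved in this example.
SAMPLE_BODY = "Hello Bob,\r\n\r\nPlease pay invoice 1042 by Friday.\r\n\r\n\r\n"
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + ";\r\n"
    " b="
)

if __name__ == "__main__":
    print("original body:", verify_body_hash(SAMPLE_DKIM_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("1042", "1043")
    print("tampered body:", verify_body_hash(SAMPLE_DKIM_SIGNATURE, tampered))
```

Relaxed canonicalization is why a message that picked up trailing spaces or re-wrapped whitespace in transit still verifies, while a changed invoice number does not.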

DKIM was originally formed in 2004 by merging two specifications, DomainKeys (created by Yahoo) and Identified Internet Mail (by Cisco), and has since developed into a widely adopted authentication technique that makes an organization’s email far more trustworthy. That is precisely why leading tech companies like Google, Microsoft and Yahoo always check incoming mail for DKIM signatures.

DKIM Vs. SPF

Sender Policy Framework (SPF) is a form of email authentication that defines a process for validating that an email message was sent from an authorized mail server, in order to detect forgery and prevent scams.

While most people hold the opinion that organizations should use both SPF and DKIM, DKIM certainly has an added advantage. The reasons are as follows:

  • In DKIM, the domain owner publishes a cryptographic key, formatted as a TXT record in the domain’s DNS
  • The unique DKIM signature attached to the header of the message makes it more authentic
  • Using DKIM is more fruitful because the DKIM key used by inbound mail servers to detect and decrypt the message’s signature proves the message to be authentic and unaltered.

In Conclusion

For most business organizations, DKIM not only protects the business from phishing and spoofing attacks, it also helps protect customer relationships and brand reputation.

This is especially important because DKIM provides an encryption key and a digital signature which together prove that an email wasn’t forged or altered. These practices help organizations and businesses move one step closer to improving their email deliverability and sending secure email, which in turn helps generate revenue. Much depends on how organizations use and implement it, and that matters because most organizations want to free themselves from cyberattacks and threats.

If you’re reading this, you’re probably familiar with DMARC reports. Or at least Aggregate Reports (RUA) which you receive when you implement DMARC. Aggregate reports are sent on a daily basis and contain incredibly useful info about emails sent from your domain that failed DMARC, SPF or DKIM authentication. You can see senders’ IP addresses, the number of emails and what day they were sent on, and lots more fun stuff. Check out our in-depth look at DMARC aggregate reports here.

But there’s another kind of report you might not have heard of, the less popular cousin of aggregate reports, so to speak. I’m talking about DMARC Forensic Reports (RUF), also known as Failure Reports. Although these serve, for the most part, the same role as aggregate reports, they’re very different in a lot of ways. Let me show you what I mean.

What Even Are Failure/Forensic Reports?

The best way to talk about RUF is to understand how they’re different from RUA. Aggregate reporting is meant to give you a general overview of the status of email in your domain, so you understand which of your emails and how many of them are having issues getting authenticated, as well as sending sources that may or may not be authorized.

Forensic reports do pretty much the same thing, but kicked into overdrive. Instead of sending a daily report with a summary of all emails that have authentication problems, forensic reports are sent for each individual email that fails DMARC validation. They function almost like a notification, and only contain details specific to that one email that caused the issue.

This goes way beyond the amount of information an aggregate report provides, and can greatly improve your chances of pinpointing the source of the problem as early and as accurately as possible. Learn more about forensic reports by clicking here.

Why Don’t Many Receivers Support Forensic Reports?

Many receiving servers don’t support sending forensic reports to the domain owner, which means that even if you have RUF enabled, you might not receive reports for all emails that fail authentication. There’s an important reason for this:

Privacy concerns

Although forensic reports usually filter out almost all personally identifiable information from the email, some data, like the email subject or the recipient’s email address, could be a breach of user privacy if revealed. Many email receivers are extremely exacting about what kinds of information from the email can be displayed in a report.

For more information regarding privacy with DMARC, check out our full breakdown on how PowerDMARC protects user privacy.

But that isn’t to say forensic reports aren’t an important resource for your email security strategy. With the amount of granular data they provide, they can offer incredible insight into what’s going on with your unauthenticated mail.

Why Does Forensic Report Data Matter?

While it might seem like forensic reports aren’t such a good idea after all, you’d be surprised at how useful they can be to help you figure out what’s going wrong with your emails. After all, the more data you have, the more accurately you’ll be able to diagnose the problem.

Forensic reports contain highly detailed information about the relevant email, including:

  • recipient email address
  • SPF and DKIM authentication results
  • time email was received
  • DKIM signature
  • email subject
  • email headers, including custom headers
  • host that sent the email
  • email message ID

All of these data points are like pieces of a puzzle, and by putting them together, you’ll be in a far better position to confidently determine the exact source of your email delivery issues. They offer an unprecedented amount of visibility into exactly who is threatening to compromise your domain, giving you a wealth of data to work with. The more data you have on your sending sources, especially malicious ones, the more capable your organization will be to take action against them by pinpointing the abusive IP and having it taken down or blacklisted.
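An added example (not PowerDMARC’s code) that extracts the data points listed above from a constructed failure report in the standard AFRF format, then redacts the subject and the recipient’s mailbox before the record is kept, which is the privacy trade-off raised earlier. All addresses, IPs and the report contents are assumptions made for the example.

```python
import email

# Constructed sample DMARC failure report (AFRF, RFC 6591): the receiver's wrapper, the
# machine-readable feedback-report part, and a copy of the rejected message.
SAMPLE_RUF = """From: dmarc-noreply@receiver.example
To: ruf@example.com
Subject: FW: Please pay invoice 1042
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="rpt"

--rpt
Content-Type: text/plain; charset=us-ascii

This is an authentication failure report for a message received from IP 198.51.100.7.
--rpt
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Original-Mail-From: billing@example.com
Original-Rcpt-To: bob@receiver.example
Arrival-Date: Mon, 04 Jan 2021 10:21:07 +0000
Source-IP: 198.51.100.7
Reported-Domain: example.com
Authentication-Results: receiver.example; dmarc=fail header.from=example.com
Delivery-Result: reject

--rpt
Content-Type: message/rfc822

From: "Example Billing" <billing@example.com>
Subject: Please pay invoice 1042
Message-ID: <constructed-0001@attacker.example>

Please pay invoice 1042 by Friday.

--rpt--
"""

REPORT_FIELDS = ("Feedback-Type", "Source-IP", "Original-Mail-From", "Original-Rcpt-To",
                 "Arrival-Date", "Reported-Domain", "Authentication-Results", "Delivery-Result")


def _embedded(part):
    """Return the message embedded in a message/* part, however the parser stored it."""
    payload = part.get_payload()
    return payload[0] if isinstance(payload, list) else email.message_from_string(payload)


def parse_ruf(raw):
    """Pull the data points from one failure report into a flat dict."""
    report = {}
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fb = _embedded(part)
            report.update({f: fb[f] for f in REPORT_FIELDS if fb[f] is not None})
        elif ctype == "message/rfc822":
            original = _embedded(part)
            for f in ("Message-ID", "Subject", "DKIM-Signature"):
                if original[f] is not None:
                    report[f] = original[f]
    return report


def redact(report):
    """Drop privacy-sensitive fields before storing; keep the recipient's domain only."""
    out = dict(report)
    if "Subject" in out:
        out["Subject"] = "[redacted]"
    if "Original-Rcpt-To" in out:
        out["Original-Rcpt-To"] = "[redacted]@" + out["Original-Rcpt-To"].rpartition("@")[2]
    return out
```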

PowerDMARC supports DMARC Forensic Reporting, as well as advanced privacy options like Forensic Report Encryption to keep any sensitive data completely safe.

Let’s talk about spoofing for a minute. When you hear words like ‘phishing’, ‘business email compromise’ or ‘cybercrime’, what’s the first thing that pops into your head? Most people would think of something along the lines of email security, and chances are, you did, too. And that’s absolutely right: each of the terms I just mentioned is a form of cyberattack, where a criminal uses social engineering and other techniques to gain access to sensitive information and money. Obviously that’s bad, and organizations should do everything they can to protect themselves against it.

But there’s another side to this, one that some organizations simply don’t consider, and it’s one that’s equally important to them. Phishing doesn’t just put you at a higher risk of losing data and money, but your brand stands an equally large chance of losing out, too. In fact, that chance is as high as 63%: that’s how many consumers are likely to stop shopping a brand after just a single unsatisfactory experience.

How Do Email Phishing Attacks Harm Your Brand?

Understanding how phishing can compromise your organization’s systems is fairly straightforward. But the long-term effects of a single cyberattack? Not so much.

Think about it this way. In most cases, a user checking their email is likely going to click on an email from a person or brand they know and trust. If the email looks realistic enough, they wouldn’t even notice the difference between one that’s fake and one that’s not. The email might even have a link leading to a page that looks exactly like your organization’s login portal, where they type in their username and password.

Later on, once they hear that their credit card details and address have been leaked to the public, there’s nowhere to turn to but your organization. After all, it was ‘your email’ that caused the disaster, your lack of security. When your own customers totally lose faith in your brand and its credibility, it can cause huge problems for the optics of your brand. You’re not just the company that got hacked, you’re the company that allowed their data to be stolen through an email you sent.

It’s not hard to see how this could seriously hurt your bottom line in the long run, especially when new, potential customers are turned off by the prospect of being another victim of your emails. Cybercriminals take the trust and loyalty that your customers have in your brand, and actively use it against you. And that’s what makes Business Email Compromise (BEC) so much more than a technical security issue.

What Are Some of the Worst-Hit Industries?

Pharmaceutical companies are some of the most frequently targeted businesses for phishing and cyberattacks. According to a study of Fortune 500 pharmaceutical companies, in just the last 3 months of 2018, each company faced on average 71 email fraud attacks. That’s because drug companies hold valuable intellectual property on new chemicals and pharmaceutical products. If an attacker can steal this information, they can sell them on the black market for a hefty profit.

Construction and real estate companies aren’t too far behind, either. Financial service companies and financial institutions in particular face the constant threat of having sensitive data or large sums of money stolen from them through carefully planned Business Email Compromise (BEC) as well as Vendor Email Compromise (VEC) attacks.

All these industries benefit greatly from customers trusting their brands, and their relationship with the brands directly influences their business with the companies. If a consumer were to feel like that company wasn’t capable of keeping their data, money or other assets safe, it would be detrimental to the brand, and sometimes, irreparably so.

Learn more about email security for your specific industry.

How Can You Save Your Brand?

Marketing is all about building your brand image into something that audiences won’t just remember, but associate with quality and reliability. And the first step towards that is by securing your domain.

Cybercriminals spoof your organization’s domain and impersonate your brand, so when they send an email to an unsuspecting user, it will appear like it’s coming from you. Rather than expecting users to identify which emails are real and which ones aren’t (which very often is almost impossible, particularly for the layman), you can instead prevent those emails from entering users’ inboxes entirely.

DMARC is an email authentication protocol that acts like an instruction manual for a receiving email server. Every time an email is sent from your domain, the receiver’s email server checks your DMARC record (published in your DNS) and validates the email. If the email is legitimate, it ‘passes’ DMARC authentication and gets delivered to the user’s inbox.

If the email is from an unauthorized sender, depending on your DMARC policy, the email can be either sent directly to spam, or even blocked outright.

Learn more about how DMARC works here.

DMARC can almost completely eliminate spoofed emails that claim to originate from your domain, because instead of blocking fake emails as they leave your domain, it checks for authenticity as the email arrives at the receiver’s server.

If you’ve already implemented DMARC and are looking for ways to take your brand security even further, there’s Brand Indicators for Message Identification (BIMI). This new email security standard affixes your brand’s logo next to every email from your domain that’s been authenticated by DMARC.

Now, when your customers see an email you’ve sent, they’ll associate your logo with your brand, improving brand recall. And when they see your logo, they’ll learn to only trust emails that have your logo next to them.

Learn more about BIMI here. 

At first glance, Microsoft’s Office 365 suite seems to be pretty…sweet, right? Not only do you get a whole host of productivity apps, cloud storage, and an email service, but you’re also protected from spam with Microsoft’s own email security solutions. No wonder it’s the most widely adopted enterprise email solution available, with a 54% market share and over 155 million active users. You’re probably one of them, too.

But if a cybersecurity company’s writing a blog about Office 365, there’s got to be something more to it, right? Well, yeah. There is. So let’s talk about what exactly the issue is with Office 365’s security options, and why you really need to know about this.

What Microsoft Office 365 Security is Good At

Before we talk about the problems with it, let’s first quickly get this out of the way: Microsoft Office 365 Advanced Threat Protection (what a mouthful) is quite effective at basic email security. It will be able to stop spam emails, malware, and viruses from making their way into your inbox.

This is good enough if you’re only looking for some basic anti-spam protection. But that’s the problem: low-level spam like this usually doesn’t pose the biggest threat. Most email providers offer some form of basic protection by blocking email from suspicious sources. The real threat—the kind that can make your organization lose money, data and brand integrity—is email carefully engineered so you don’t realize that it’s fake.

This is when you get into serious cybercrime territory.

What Microsoft Office 365 Can’t Protect You From

Microsoft Office 365’s security solution works like an anti-spam filter, using algorithms to determine if an email is similar to other spam or phishing emails. But what happens when you’re hit with a far more sophisticated attack using social engineering, or targeted at a specific employee or group of employees?

These aren’t your run-of-the-mill spam emails sent out to tens of thousands of people at once. Business Email Compromise (BEC) and Vendor Email Compromise (VEC) are examples of how attackers carefully select a target, learn more information about their organization by spying on their emails, and at a strategic point, send a fake invoice or request via email, asking for money to be transferred or data to be shared.

This tactic, broadly known as spear phishing, makes it appear that the email is coming from someone within your own organization, or from a trusted partner or vendor. Even under careful inspection, these emails can look very realistic and are nearly impossible to detect, even for seasoned cybersecurity experts.

If an attacker pretends to be your boss or the CEO of your organization and sends you an email, it’s unlikely that you’ll check to see if the email looks genuine or not. This is exactly what makes BEC and CEO fraud so dangerous. Office 365 will not be able to protect you against this sort of attack because these are ostensibly coming from a real person, and the algorithms will not consider it to be a spam email.

How Can You Secure Office 365 Against BEC and Spear Phishing?

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an email security protocol that uses information provided by the domain owner to protect receivers from spoofed email. When you implement DMARC on your organization’s domain, receiving servers will check each and every email coming from your domain against the DNS records you published.

But if Office 365 ATP couldn’t prevent targeted spoofing attacks, how does DMARC do it?

Well, DMARC functions very differently than an anti-spam filter. While spam filters check incoming email entering your inbox, DMARC authenticates outgoing email sent by your organization’s domain. What this means is that if someone is trying to impersonate your organization and send you phishing emails, as long as you’re DMARC-enforced, those emails will be dumped in the spam folder or blocked entirely.

And get this — it also means that if a cybercriminal was using your trusted brand to send phishing emails, even your customers wouldn’t have to deal with them, either. DMARC actually helps protect your business, too.
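The receiver-side check described here and in the earlier “How Can You Save Your Brand?” section, written out as an added example that is not PowerDMARC’s code: it parses a published DMARC record, applies SPF and DKIM identifier alignment, and returns the disposition a receiver would apply to one message. The DMARC record, domains and authentication results are constructed, and the organizational-domain rule is simplified to the last two labels (real receivers consult the Public Suffix List).

```python
def parse_dmarc_record(txt):
    """Turn the _dmarc TXT record into a dict, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record, record_domain, header_from, spf=None, dkim=None):
    """Decide DMARC pass/fail and the disposition for one message.

    spf / dkim are (result, domain) pairs as the receiver has them after its own checks:
    SPF's domain is the MAIL FROM domain, DKIM's is the d= tag of a signature that verified.
    record_domain is where the record was found (the org domain when the From domain has none).
    """
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(header_from, spf[1], record["aspf"]))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(header_from, dkim[1], record["adkim"]))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # Failed: a subdomain From under an org-domain record uses sp= when present, else p=.
    policy = record["p"]
    if record["sp"] and header_from.lower() != record_domain.lower():
        policy = record["sp"]
    # pct= would tell the receiver to apply this policy to only that share of failing mail;
    # the sampling step is omitted here.
    return {"dmarc": "fail", "disposition": policy}


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                             "rua=mailto:dmarc@example.com")
    print(evaluate(rec, "example.com", "example.com",
                   spf=("fail", "example.com"), dkim=("pass", "example.com")))
    print(evaluate(rec, "example.com", "example.com", spf=("pass", "attacker.example")))
```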

But there’s more: Office 365 doesn’t actually give your organization any visibility on a phishing attack, it just blocks spam email. But if you want to properly secure your domain, you need to know exactly who or what is trying to impersonate your brand, and take immediate action. DMARC provides this data, including the IP addresses of abusive sending sources, as well as the number of emails they send. PowerDMARC takes this to the next level with advanced DMARC analytics right on your dashboard.

Learn more about what PowerDMARC can do for your brand.