• Log In
  • Sign Up
  • Contact Us
PowerDMARC
  • Features
    • PowerDMARC
    • Hosted DKIM
    • PowerSPF
    • PowerBIMI
    • PowerMTA-STS
    • PowerTLS-RPT
    • PowerAlerts
  • Services
    • Deployment Services
    • Managed Services
    • Support Services
    • Service Benefits
  • Pricing
  • Power Toolbox
  • Partners
    • Reseller Program
    • MSSP Program
    • Technology Partners
    • Industry Partners
    • Find a partner
    • Become a Partner
  • Resources
    • DMARC: What is it and How does it Work?
    • Datasheets
    • Case Studies
    • DMARC in Your Country
    • DMARC by Industry
    • Support
    • Blog
    • DMARC Training
  • About
    • Our company
    • Clients
    • Contact us
    • Book a demo
    • Events
  • Menu Menu

How to Protect Small Businesses from BEC with Email Authentication?

Blogs
BEC blog

Business Email Compromise or BEC is a form of email security breach or impersonation attack that affects commercial, government, non-profit organizations, small businesses and startups as well as MNCs and enterprises to extract confidential data that can negatively influence the brand or organization. Spear phishing attacks, invoice scams and spoofing attacks are all examples of BEC.

Cybercriminals are expert schemers who intentionally target specific people within an organization, especially those in authoritarian positions like the CEO or someone similar, or even a trusted customer. The worldwide financial impact due to BEC is huge, especially in the US which has emerged as the prime hub. Read more about the global BEC scam volume. The solution? Switch to DMARC!

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an industry-standard for email authentication. This authentication mechanism specifies to receiving servers how to respond to emails failing SPF and DKIM authentication checks. DMARC can minimize the chances of your brand falling prey BEC attacks by a substantial percentage, and help protect your brand’s reputation, confidential information and financial assets.

Note that before publishing a DMARC record, you need to implement SPF and DKIM for your domain since DMARC authentication makes use of these two standard authentication protocols for validating messages sent on behalf of your domain.

You can use our free SPF Record Generator and DKIM Record Generator to generate records to be published in your domain’s DNS.

How to Optimize Your DMARC Record to Protect Against BEC?

In order to protect your domain against Business Email Compromise, as well as enable an extensive reporting mechanism to monitor authentication results and gain complete visibility into your email ecosystem, we recommend you to publish the following DMARC record syntax in your domain’s DNS:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Understanding the tags used while generating a DMARC Record:

v (mandatory)This mechanism specifies the version of the protocol.
p (mandatory)This mechanism specifies the DMARC policy in use. You can set your DMARC policy to:

p=none (DMARC at monitoring only wherein emails failing authentication checks would still land into receivers’ inboxes). p=quarantine (DMARC at enforcement, wherein emails failing authentication checks will be quarantined or lodged into the spam folder).

p=reject (DMARC at maximum enforcement, wherein emails failing authentication checks will be discarded or not delivered at all).

For authentication novices, it is recommended to start out with your policy at monitoring only (p=none) and then slowly shift to enforcement.However, for the purpose of this blog if you want to safeguard your domain against BEC, p=reject is the recommended policy for you to ensure maximum protection.

sp (optional)This tag specifies the subdomains policy which can be set to sp=none/quarantine/reject requesting a policy for all subdomains wherein emails are failing DMARC authentication.

This tag is only useful if you desire to set a different policy for your main domain and subdomains. If not specified the same policy will be levied upon all your subdomains by default.

adkim (optional)This mechanism specifies the DKIM identifier alignment mode which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the d=field in the DKIM signature of the email header must align and match exactly with the domain found in the from header.

However, for Relaxed alignment the two domains must share the same organizational domain only.

aspf (optional) This mechanism specifies the SPF identifier alignment mode which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the domain in the “Return-path” header must align and match exactly with the domain found in the from header.

However, for Relaxed alignment the two domains must share the same organizational domain only.

rua (optional but recommended)This tag specifies the DMARC aggregate reports that are sent to the address specified after the mailto: field, providing insight on emails passing and failing DMARC.
ruf (optional but recommended)This tag specifies the DMARC forensic reports that are to be sent to the address specified after the mailto: field. Forensic reports are message-level reports that provide more detailed information on authentication failures. Since these reports may contain email content, encrypting them is the best practice.
pct (optional)This tag specifies the percentage of emails to which the DMARC policy is applicable. The default value is set to 100.
fo (optional but recommended)The forensic options for your DMARC record can be set to:

->DKIM and SPF don’t pass or align (0)

->DKIM or SPF don’t pass or align (1)

->DKIM doesn’t pass or align (d)

->SPF doesn’t pass or align (s)

The recommended mode is fo=1 specifying that forensic reports are to be generated and sent to your domain whenever emails fail either DKIM or SPF authentication checks.

You can generate your DMARC record with PowerDMARC’s free DMARC Record Generator wherein you can select the fields according to the level of enforcement you desire.

BEC

Note that only an enforcement policy of reject can minimize BEC, and protect your domain from spoofing and phishing attacks.

While DMARC can be an effective standard to protect your business against BEC, implementing DMARC correctly requires effort and resources. Whether you are an authentication novice or an authentication aficionado, as pioneers in email authentication, PowerDMARC is a single email authentication SaaS platform that combines all email authentication best practices such as DMARC, SPF, DKIM, BIMI, MTA-STS and TLS-RPT, under the same roof for you. We help you:

  • Shift from monitoring to enforcement in no time to keep BEC at bay
  • Our aggregate reports are generated in the form of simplified charts and tables to help you understand them easily without having to read complex XML files
  • We encrypt your forensic reports to safeguard the privacy of your information
  • View your authentication results in 7 different formats (per result, per sending source, per organization, per host, detailed stats, geolocation reports, per country) on our user-friendly dashboard for optimal user-experience
  • Gain 100% DMARC compliance by aligning your emails against both SPF and DKIM so that emails failing either of the authentication checkpoints do not make it through to your receivers’ inboxes

How Does DMARC Protect Against BEC?

As soon as you set your DMARC policy to maximum enforcement (p=reject), DMARC protects your brand from email fraud by reducing the chance of impersonation attacks and domain abuse. All inbound messages are validated against SPF and DKIM email authentication checks to ensure that they arise from valid sources.

SPF is present in your DNS as a TXT record, displaying all the valid sources that are authorized to send emails from your domain. The receiver’s mail server validates the email against your SPF record to authenticate it. DKIM assigns a cryptographic signature, created using a private key, to validate emails in the receiving server, wherein the receiver can retrieve the public key from the sender’s DNS to authenticate the messages.

With your policy at reject, emails are not delivered to your recipient’s mailbox at all when the authentication checks fail, indicating that your brand is being impersonated. This ultimately keeps BEC like spoofing and phishing attacks at bay.

PowerDMARC’s Basic Plan for Small Businesses

Our basic plan starts from only 8 USD per month, so small businesses and startups trying to adopt secure protocols like DMARC can easily avail of it. The advantages that you will have at your disposal with this plan are as follows:

  • Save 20% on your annual plan
  • Up to 2,000,000 DMARC compliant emails
  • Up to 5 domains
  • 1-year data history
  • 2 Platform Users
  • Hosted BIMI
  • Hosted MTA-STS
  • TLS-RPT

Sign up with PowerDMARC today and protect your brand’s domain by minimizing the chances of Business Email Compromise and email fraud!

BEC

  • About
  • Latest Posts
Ahona Rudra
Digital Marketing & Content Writer Manager at PowerDMARC
Ahona works as a Digital Marketing and Content Writer Manager at PowerDMARC. She is a passionate writer, blogger, and marketing specialist in cybersecurity and information technology.
Latest posts by Ahona Rudra (see all)
  • Methods To Protect Yourself From Identity Theft - September 29, 2023
  • The Role of DNS in Email Security - September 29, 2023
  • New Age Phishing Threats and How to Plan Ahead - September 29, 2023
January 28, 2021/by Ahona Rudra
Tags: BEC, DMARC, DMARC record, Email authentication, optimize your DMARC record
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on WhatsApp
  • Share on LinkedIn
  • Share by Mail
You might also like
powerdmarc csa blogPowerDMARC announces new partnership with Cloud Security Alliance
insuranceHow Phishing Scams Are Using Office 365 to Target Insurance Firms
email bounce rate blogLower Your Email Bounce Rates with DMARC
powerdmarc config blog postPowerDMARC partnership with Config
powerdmarc disti blog postPowerDMARC Signs on Disti360 as Value-Added Distributor
protect from spoofing blogHow to Select the Best DMARC Software Solution to Protect Your Business from Email Spoofing?

Secure Your Email

Stop Email Spoofing and Improve Email Deliverability

15-day Free trial!


Categories

  • Blogs
  • News
  • Press Releases

Latest Blogs

  • Methods To Protect Yourself From Identity Theft
    Methods To Protect Yourself From Identity TheftSeptember 29, 2023 - 12:11 pm
  • The Role of DNS in Email Security
    The Role of DNS in Email SecuritySeptember 29, 2023 - 12:08 pm
  • New Age Phishing Threats and How To Plan Ahead
    New Age Phishing Threats and How to Plan AheadSeptember 29, 2023 - 12:06 pm
  • How to View and Analyze Message Headers Online
    How to View and Analyze Message Headers Online?September 26, 2023 - 12:59 pm
logo footer powerdmarc
SOC2 GDPR PowerDMARC GDPR comliant crown commercial service
global cyber alliance certified powerdmarc csa

Knowledge

What is Email Authentication?
What is DMARC?
What is DMARC Policy?
What is SPF?
What is DKIM?
What is BIMI?
What is MTA-STS?
What is TLS-RPT?
What is RUA?
What is RUF?
AntiSpam vs DMARC
DMARC Alignment
DMARC Compliance
DMARC Enforcement
BIMI Implementation Guide
Permerror
MTA-STS & TLS-RPT Implementation Guide

Tools

Free DMARC Record Generator
Free DMARC Record Checker
Free SPF Record Generator
Free SPF Record Lookup
Free DKIM Record Generator
Free DKIM Record Lookup
Free BIMI Record Generator
Free BIMI Record Lookup
Free FCrDNS Record Lookup
Free TLS-RPT Record Checker
Free MTA-STS Record Checker
Free TLS-RPT Record Generator

Product

Product Tour
Features
PowerSPF
PowerBIMI
PowerMTA-STS
PowerTLS-RPT
PowerAlerts
API Documentation
Managed Services
Email Spoofing Protection
Brand Protection
Anti Phishing
DMARC for Office365
DMARC for Google Mail GSuite
DMARC for Zimbra
Free DMARC Training

Try Us

Contact Us
Free Trial
Book Demo
Partnership
Pricing
FAQ
Support
Blog
Events
Feature Request
Change Log
System Status

  • Français
  • Dansk
  • Nederlands
  • Deutsch
  • Русский
  • Polski
  • Español
  • Italiano
  • 日本語
  • 中文 (简体)
  • Português
  • Norsk
  • Svenska
  • 한국어
© PowerDMARC is a registered trademark.
  • Twitter
  • Youtube
  • LinkedIn
  • Facebook
  • Instagram
  • Contact us
  • Terms & Conditions
  • Privacy Policy
  • Cookie Policy
  • Security Policy
  • Compliance
  • GDPR Notice
  • Sitemap
Enhancing Email Security with MTA-STS and SMTP TLS Reportingmta sts blogblog email deliverablitiyHow Can Email Authentication Help You Improve Email Deliverability? 
Scroll to top