Business Email Compromise (BEC) is a form of email security breach or impersonation attack that affects commercial, government and non-profit organizations, small businesses and startups, as well as MNCs and enterprises, in order to extract confidential data that can negatively influence the brand or organization. Spear phishing attacks, invoice scams and spoofing attacks are all examples of BEC.

Cybercriminals are expert schemers who intentionally target specific people within an organization, especially those in positions of authority such as the CEO, or even a trusted customer. The worldwide financial impact of BEC is huge, especially in the US, which has emerged as the prime hub. The solution? Switch to DMARC!

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an industry standard for email authentication. This authentication mechanism specifies to receiving servers how to respond to emails failing SPF and DKIM authentication checks. DMARC can minimize the chances of your brand falling prey to BEC attacks by a substantial percentage, and help protect your brand’s reputation, confidential information and financial assets.

Note that before publishing a DMARC record, you need to implement SPF and DKIM for your domain since DMARC authentication makes use of these two standard authentication protocols for validating messages sent on behalf of your domain.

You can use our free SPF Record Generator and DKIM Record Generator to generate records to be published in your domain’s DNS.

How to Optimize Your DMARC Record to Protect Against BEC?

In order to protect your domain against Business Email Compromise, as well as enable an extensive reporting mechanism to monitor authentication results and gain complete visibility into your email ecosystem, we recommend that you publish the following DMARC record syntax in your domain’s DNS:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Understanding the tags used while generating a DMARC Record:

v (mandatory) This mechanism specifies the version of the protocol.
p (mandatory) This mechanism specifies the DMARC policy in use. You can set your DMARC policy to:

p=none (DMARC at monitoring only, wherein emails failing authentication checks would still land in receivers’ inboxes).

p=quarantine (DMARC at enforcement, wherein emails failing authentication checks will be quarantined or lodged in the spam folder).

p=reject (DMARC at maximum enforcement, wherein emails failing authentication checks will be discarded or not delivered at all).

For authentication novices, it is recommended to start out with your policy at monitoring only (p=none) and then slowly shift to enforcement. However, for the purpose of this blog, if you want to safeguard your domain against BEC, p=reject is the recommended policy to ensure maximum protection.

sp (optional) This tag specifies the subdomain policy, which can be set to sp=none/quarantine/reject, requesting a policy for all subdomains wherein emails are failing DMARC authentication.

This tag is only useful if you desire to set a different policy for your main domain and subdomains. If not specified, the same policy will be applied to all your subdomains by default.

adkim (optional) This mechanism specifies the DKIM identifier alignment mode, which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the d= field in the DKIM signature of the email header must align and match exactly with the domain found in the From header.

However, for Relaxed alignment the two domains must share the same organizational domain only.

aspf (optional) This mechanism specifies the SPF identifier alignment mode, which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the domain in the “Return-Path” header must align and match exactly with the domain found in the From header.

However, for Relaxed alignment the two domains must share the same organizational domain only.

rua (optional but recommended) This tag specifies that DMARC aggregate reports are sent to the address specified after the mailto: field, providing insight into emails passing and failing DMARC.
ruf (optional but recommended) This tag specifies that DMARC forensic reports are to be sent to the address specified after the mailto: field. Forensic reports are message-level reports that provide more detailed information on authentication failures. Since these reports may contain email content, encrypting them is the best practice.
pct (optional) This tag specifies the percentage of emails to which the DMARC policy is applicable. The default value is 100.
fo (optional but recommended) The forensic options for your DMARC record can be set to:

-> fo=0: DKIM and SPF both don’t pass or align

-> fo=1: DKIM or SPF doesn’t pass or align

-> fo=d: DKIM doesn’t pass or align

-> fo=s: SPF doesn’t pass or align

The recommended mode is fo=1 specifying that forensic reports are to be generated and sent to your domain whenever emails fail either DKIM or SPF authentication checks.

You can generate your DMARC record with PowerDMARC’s free DMARC Record Generator wherein you can select the fields according to the level of enforcement you desire.

Note that only an enforcement policy of reject can minimize BEC, and protect your domain from spoofing and phishing attacks.

While DMARC can be an effective standard to protect your business against BEC, implementing DMARC correctly requires effort and resources. Whether you are an authentication novice or an authentication aficionado, as pioneers in email authentication, PowerDMARC is a single email authentication SaaS platform that combines all email authentication best practices such as DMARC, SPF, DKIM, BIMI, MTA-STS and TLS-RPT, under the same roof for you. We help you:

  • Shift from monitoring to enforcement in no time to keep BEC at bay
  • Read your aggregate reports as simplified charts and tables, without having to parse complex XML files
  • Keep your forensic reports encrypted to safeguard the privacy of your information
  • View your authentication results in 7 different formats (per result, per sending source, per organization, per host, detailed stats, geo location reports, per country) on our user-friendly dashboard for optimal user experience
  • Gain 100% DMARC compliance by aligning your emails against both SPF and DKIM, so that emails failing either of the authentication checkpoints do not make it through to your receivers’ inboxes

How Does DMARC Protect Against BEC?

As soon as you set your DMARC policy to maximum enforcement (p=reject), DMARC protects your brand from email fraud by reducing the chance of impersonation attacks and domain abuse. All inbound messages are validated against SPF and DKIM email authentication checks to ensure that they originate from valid sources.

SPF is present in your DNS as a TXT record, listing all the valid sources that are authorized to send emails from your domain. The receiver’s mail server validates the email against your SPF record to authenticate it. DKIM attaches a cryptographic signature, created using a private key, to each email; the receiving server retrieves the matching public key from the sender’s DNS to verify the signature and authenticate the message. With your policy at reject, emails are not delivered to your recipient’s mailbox at all when the authentication checks fail, which indicates that your brand is being impersonated. This ultimately keeps BEC techniques like spoofing and phishing attacks at bay.
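To make the tag semantics above (p, sp, adkim, aspf, fo) and the receiver-side evaluation described in this section concrete, here is an added Python example; it is not PowerDMARC’s code, the record and domains are constructed, and the organizational-domain lookup is simplified to the last two labels (a real receiver consults the Public Suffix List). It parses a DMARC record, checks SPF and DKIM identifier alignment for one message, and returns the resulting disposition and whether the fo= setting would trigger a failure report.

```python
# Added example (not PowerDMARC's code): parse a DMARC record and apply the
# alignment and policy rules described above to one message's auth results.
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; fo=1"  # constructed

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict; v and p are mandatory."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: needs v=DMARC1 and a p= policy")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both modes
    tags.setdefault("aspf", "r")
    tags.setdefault("fo", "0")      # fo=0 is the default when the tag is absent
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use the
    # Public Suffix List so that e.g. mail.example.co.uk maps to example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, record_domain, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (disposition, spf_aligned, dkim_aligned, send_failure_report)."""
    t = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, t["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, t["adkim"])
    dmarc_pass = spf_ok or dkim_ok            # either aligned pass is enough
    policy = t["p"]
    if from_domain.lower() != record_domain.lower():
        policy = t.get("sp", policy)          # sp= applies to subdomains only
    disposition = "none" if dmarc_pass else policy
    fo = set(t["fo"].split(":"))              # fo values may be combined, e.g. "1:d:s"
    # fo=0: both failed aligned pass; fo=1: either did; d/s: that mechanism itself failed
    report = (("0" in fo and not dmarc_pass) or ("1" in fo and not (spf_ok and dkim_ok))
              or ("d" in fo and not dkim_pass) or ("s" in fo and not spf_pass))
    return disposition, spf_ok, dkim_ok, report
```

A spoofed message whose SPF passes only for the attacker's own sending domain fails both alignments and is rejected, while a legitimate message signed with a strict-mode mismatch (d=mail.example.com) still passes on SPF but, with fo=1, generates a forensic report that tells you to fix the signing domain.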

PowerDMARC’s Basic Plan for Small Businesses

Our basic plan starts from only 8 USD per month, so small businesses and startups trying to adopt secure protocols like DMARC can easily avail of it. The advantages that you will have at your disposal with this plan are as follows:

Sign up with PowerDMARC today and protect your brand’s domain by minimizing the chances of Business Email Compromise and email fraud!