Posts

Breaking Down DMARC Myths

For a lot of people, it’s not immediately clear what DMARC does or how it prevents domain spoofing, impersonation and fraud. This can lead to serious misconceptions about DMARC, how email authentication works, and why it’s good for you. But how do you know what’s right and what’s wrong? And how can you be sure you’re implementing it correctly? 

PowerDMARC is here to the rescue! To help you understand DMARC better, we’ve compiled this list of the top 6 most common misconceptions about DMARC.

Misconceptions about DMARC

1. DMARC is the same as a spam filter

This is one of the most common things people get wrong about DMARC. Spam filters block incoming emails that is delivered to your inbox. These can be suspicious emails sent from anyone’s domain, not just yours. DMARC, on the other hand, tells receiving email servers how to handle outgoing emails sent from your domain. Spam filters like Microsoft Office 365 ATP don’t protect against such cyberattacks. If your domain is DMARC-enforced and the email fails authentication, the receiving server rejects it.

2. Once you set up DMARC, your email is safe forever

DMARC is one of the most advanced email authentication protocols out there, but that doesn’t mean it’s completely self-sufficient. You need to regularly monitor your DMARC reports to make sure emails from authorized sources are not being rejected. Even more importantly, you need to check for unauthorized senders abusing your domain. When you see an IP address making repeated attempts to spoof your email, you need to take action immediately and have them blacklisted or taken down.

3. DMARC will reduce my email deliverability

When you set up DMARC, it’s important to first set your policy to p=none. This means that all your emails still get delivered, but you’ll receive DMARC reports on whether they passed or failed authentication. If during this monitoring period you see your own emails failing DMARC, you can take action to solve the issues. Once all your authorized emails are getting validated correctly, you can enforce DMARC with a policy of p=quarantine or p=reject.

4. I don’t need to enforce DMARC (p=none is enough)

When you set up DMARC without enforcing it (policy of p=none), all emails from your domain—including those that fail DMARC—get delivered. You’ll be receiving DMARC reports but not protecting your domain from any spoofing attempts. After the initial monitoring period (explained above), it’s absolutely necessary to set your policy to p=quarantine or p=reject and enforce DMARC.

5. Only big brands need DMARC

Many smaller organizations believe that it’s only the biggest, most recognizable brands that need DMARC protection. In reality, cybercriminals will use any business domain to launch a spoofing attack. Many smaller businesses typically don’t have dedicated cybersecurity teams, which makes it even easier for attackers to target small and medium-sized organizations. Remember, every organization that has a domain name needs DMARC protection!

6. DMARC Reports are easy to read

We see many organizations implementing DMARC and having the reports sent to their own email inboxes. The problem with this is that DMARC reports come in an XML file format, which can be very difficult to read if you’re not familiar with it. Using a dedicated DMARC platform can not only make your setup process much easier, but PowerDMARC can convert your complex XML files into easy-to-read reports with graphs, charts, and in-depth stats.

 

This article will explore how to stop email spoofing, in 5 ways. Imagine you get to work one day, settle down at your desk, and open up your computer to check the news. Then you see it. Your organization’s name is all over the headlines — and it’s not good news. Someone launched an email spoofing attack from your domain, sending phishing emails to people all over the world. And many of them fell for it. Your company just became the face of a huge phishing attack, and now no one trusts your security or your emails.

This is exactly the situation that employees of the World Health Organization (WHO) found themselves in during the Covid-19 pandemic in February 2020. Attackers were using the WHO’s actual domain name to send emails requesting people to donate to a coronavirus relief fund. This incident is hardly an isolated one, however. Countless organizations have fallen victim to very convincing phishing emails that innocuously ask for sensitive personal information, bank details, or even login credentials. These can even be in the form of emails from within the same organization, casually asking for access to a database or company files.

As much as 90% of all data loss incidents have involved some element of phishing. And yet, domain spoofing isn’t even particularly complex to pull off. So why is it able to do so much damage?

How Does Domain Spoofing Work?

Domain spoofing attacks are pretty simple to understand.

  • The attacker forges the email header to include your organization’s name and sends fake phishing emails out to someone, using your brand name so they trust you.
  • People click on malicious links or give away sensitive information thinking it’s your organization asking for them.
  • When they realize it’s a scam, your brand image takes a hit, and customers will lose trust in you

 

You’re exposing people outside (and inside) your organization to phishing emails. Even worse, malicious emails sent from your domain could really hurt your brand reputation in the eyes of customers.

So what can you do about this? How can you defend yourself and your brand against domain spoofing, and avert a PR disaster?

How to Stop Email Spoofing?

1. Modify Your SPF Record

One of the biggest mistakes with SPF is not keeping it concise. SPF records have a limit of 10 DNS Lookups to keep the cost of processing each email as low as possible. This means that simply including multiple IP addresses in your record could make you exceed your limit. If that happens, your SPF implementation becomes invalid and your email fails SPF and might not get delivered. Don’t let that happen: keep your SPF record short and sweet with auto SPF flattening.

2. Keep Your List of Approved IPs up-to-date

If your organization uses multiple third-party vendors approved to send email from your domain, this is for you. If you discontinue your services with one of them, you need to make sure you update your SPF record, too. If the vendor’s email system is compromised, someone might be able to use it to send ‘approved’ phishing emails from your domain! Always make sure only third-party vendors still working with you have their IPs on your SPF record.

3. Implement DKIM

DomainKeys Identified Mail, or DKIM, is a protocol that gives every email sent from your domain a digital signature. This allows the receiving email server to validate if the email is genuine and if it’s been modified during transit. If the email has been tampered with, the signature doesn’t get validated and the email fails DKIM. If you want to preserve the integrity of your data, get DKIM set up on your domain!

4. Set The Right DMARC Policy

Far too often, an organization implements DMARC but forgets the most important thing — actually enforcing it. DMARC policies can be set to one of three things: none, quarantine, and reject. When you set up DMARC, having your policy set to none means even an email that fails authentication gets delivered. Implementing DMARC is a good first step, but without enforcing it, the protocol is ineffective. Instead, you should preferably set your policy to reject, so emails that don’t pass DMARC are automatically blocked.

It’s important to note that email providers determine the reputation of a domain name when receiving an email. If your domain has a history of spoofing attacks associated with it, your reputation goes down. Consequently, your deliverability takes a hit too.

5. Upload Your Brand Logo To BIMI

Brand Indicators for Message Identification, or BIMI, is an email security standard that uses brand logos to authenticate email. BIMI attaches your logo as an icon next to all your emails, making it instantly recognizable in someone’s inbox. If an attacker were to send an email from your domain, their email wouldn’t have your logo next to it. So even if the email got delivered, the chances of your customers recognizing a fake email would be much higher. But BIMI’s advantage is twofold.

Every time someone receives an email from you, they see your logo and immediately associate you with the product or service your offer. So not only does it help your organization stop email spoofing, it actually boosts your brand recognition.

Sign up for your free DMARC analyzer today!