Posts

Users of information systems in large organizations often have strong reactions to their experience with the system. The need to navigate an IT environment composed of a myriad of point solutions can be frustrating for end users. Consequently, many departments develop and rely on their own point solutions to overcome perceived limitations with a single organization-wide solution. This marked the origin of Shadow IT. A department that has shadow IT resources has more agility in its processes. Also, it avoids the alignment between departments, which is often impossible: which is the main benefit it revolves around. However, Shadow IT poses a colossal collection of security risks and challenges that completely nullifies its one benefit. These security risks can be resolved with DMARC

Let’s learn more about what Shadow IT is and how DMARC helps combat Shadow IT security risks with enhanced visibility.

What is Shadow IT?

Big companies often have large central IT departments to monitor networks, provide support, and manage the services used by the organization. However, it has been observed that a trend of shadow IT has started in recent years as employees often bypass the central authority and purchase their own technology to fulfil work-related goals. In an increasingly mobile world, employees prefer to bring their own devices to work because they already have them, they’re familiar with them, or they aren’t as bogged down by an IT department that requires complicated setups.  As cloud-based consumer applications gain traction, the adoption of shadow IT is increasing. RSA, the security division of EMC, reports that 35 percent of employees circumvent their company’s security policies to get their job done. 

Although it has been estimated that such a considerable population of employees belonging to other departments would use non-compliant methods to do their jobs, companies must keep in mind that uncontrolled use of Shadow IT could lead to losses in productivity and security.

Shadow IT Risks and Challenges for Organizations

According to a recent survey conducted by the Cloud Computing Association, over 30% of business’s run cloud applications that IT doesn’t know about. Many businesses face data breaches and failures due to their use of cloud applications. These cloud applications are typically already in use by employees, but aren’t being monitored by the IT department.

You never know when a non-IT department in your company is using Shadow IT to bypass organizational security, and sending out emails using cloud-based applications and services that are not authorized sending sources for your organization, using your identity. This can pave the way to unfiltered malicious activities, spam, and exchange of fraudulent messages that can potentially harm your company’s reputation and credibility. Shadow IT, as it’s called, can be vulnerable to data breaches and system failures if not monitored properly. This is exactly where DMARC steps in to resolve the shadow IT risks in security by authenticating sending sources even if they are successful in bypassing integrated security gateways to reach your client’s email server.

How Does DMARC Protect Against Risks Imposed by Shadow IT

The principal problem induced by Shadow IT is the lack of visibility on different departmental activities and their communication with external sources like clients and partners via third-party email-exchange services, without the knowledge of the IT department.  This increased and unauthorized usage of cloud-based applications for exchanging information and communication causes a major influx in email fraud, impersonation attacks and BEC. DMARC as the most recommended email authentication protocol in the industry helps organizations stay one step ahead of Shadow IT activities.

  • DMARC Aggregate reports provide visibility on sending sources and the IP addresses behind them, showing the IT department the exact origin of all unauthorized sending sources
  • With DMARC enforcement at your organization, emails originating from illegitimate sources are rejected by receiving MTAs before it lands into your client’s inbox
  • DMARC forensic reports elaborate in great detail, any attempts at domain spoofing, impersonation, BEC and other fraudulent activities
  • This helps put an end to Shadow IT practices by non-IT departments without approval from the IT department
  • This also helps in gaining visibility on all emails being sent to and from your domain by different departments at all times, what they entail, and the status of their authentication

Sign up today with DMARC analyzer and start your email authentication journey to curtail Shadow IT activities at your organization and maintain complete transparency across all departments.

Email authentication is a crucial aspect of an email provider’s job. Email authentication also known as SPF and DKIM checks the identity of an email provider. DMARC adds to the process of verifying an email by checking if an email has been sent from a legitimate domain through alignment, and specifying to receiving servers how to respond to messages failing authentication checks. Today we are going to discuss the various scenarios that would answer your query on why is DMARC failing.

DMARC is a key activity in your email authentication policy to help prevent forged “spoofed” emails from passing transactional spam filters. But, it’s just one pillar of an overall anti-spam program and not all DMARC reports are created equal. Some will tell you the exact action mail receivers took on each message, and others will only tell you if a message was successful or not. Understanding why a message failed is as important as knowing whether it did. The following article explains reasons for which messages fail DMARC authentication checks. These are the most common reasons (some of which can be easily fixed) for which messages can fail DMARC authentication checks.

Common Reasons Why Messages Can Fail DMARC

Identifying why is DMARC failing can be complicated. However I will go over some typical reasons, the factors that contribute to them, so that you as the domain owner can work towards rectifying the problem more promptly.

DMARC Alignment Failures

DMARC makes use of domain alignment to authenticate your emails. This means that DMARC verifies whether the domain mentioned in the From address (in the visible header) is authentic by matching it against the domain mentioned in the hidden Return-path header (for SPF) and DKIM signature header (for DKIM). If either matches, the email passes DMARC, or else DMARC fails.

Hence, if your emails are failing DMARC it can be a case of domain misalignment. That is neither SPF nor DKIM identifiers are aligning and the email is appearing to be sent from an unauthorized source. This however is just one of the reasons why is DMARC failing.

DMARC Alignment Mode 

Your protocol alignment mode also plays a huge role in your messages passing or failing DMARC. You can choose from the following alignment modes for SPF authentication:

  • Relaxed: This signifies that if the domain in the Return-path header and the domain in the From header is simply an organizational match, even then SPF will pass.
  • Strict: This signifies that only if the domain in the Return-path header and the domain in the From header is an exact match, only then SPF will pass.

You can choose from the following alignment modes for DKIM authentication:

  • Relaxed: This signifies that if the domain in the DKIM signature  and the domain in the From header is simply an organizational match, even then DKIM will pass.
  • Strict: This signifies that only if the domain in the DKIM signature and the domain in the From header is an exact match, only then DKIM will pass.

Note that for emails to pass DMARC authentication, either SPF or DKIM need to align.  

Not Setting Up Your DKIM Signature 

A very common case in which your DMARC may be failing is that you haven’t specified a DKIM signature for your domain. In such cases, your email exchange service provider assigns a default DKIM signature to your outbound emails that doesn’t align with the domain in your From header. The receiving MTA fails to align the two domains, and hence, DKIM and DMARC fails for your message (if your messages are aligned against both SPF and DKIM).

Not Adding Sending Sources to Your DNS 

It is important to note that when you set up DMARC for your domain, receiving MTAs perform DNS queries to authorize your sending sources. This means that unless you have all your authorized sending sources listed in your domain’s DNS, your emails will fail DMARC for those sources that are not listed, since the receiver would not be able to find them in your DNS. Hence, to ensure that your legitimate emails are always delivered be sure to make entries on all your authorized third party email vendors that are authorized to send emails on behalf of your domain, in your DNS.

In Case of Email Forwarding

During email forwarding the email passes through an intermediary server before it ultimately gets delivered to the receiving server. During email forwarding SPF check fails since the IP address of the intermediary server doesn’t match that of the sending server, and this new IP address is usually not included within the original server’s SPF record. On the contrary, forwarding emails usually don’t impact DKIM email authentication, unless the intermediary server or the forwarding entity makes certain alterations in the content of the message.

As we know that SPF inevitably fails during email forwarding, if in case the sending source is DKIM neutral and solely relies on SPF for validation, the forwarded email will be rendered illegitimate during DMARC authentication. To resolve this issue, you should immediately opt for full DMARC compliance at your organization by aligning and authenticating all outgoing messages against both SPF and DKIM, as for an email to pass DMARC authentication, the email would be required to pass either SPF or DKIM authentication and alignment.

Your Domain is Being Spoofed

If you have your DMARC, SPF and DKIM protocols properly configured for your domain, with your policies at enforcement and valid error-free records, and the problem isn’t either of the above-mentioned cases, then the most probable reason why your emails are failing DMARC is that your domain is being spoofed or forged. This is when impersonators and threat actors try to send emails that appear to be coming from your domain using a malicious IP address.

Recent email fraud statistics have concluded that email spoofing cases are on the rise in recent times and are a very big threat to your organization’s reputation. In such cases if you have DMARC implemented on a reject policy, it will fail and the spoofed email will not be delivered to your recipient’s inbox. Hence domain spoofing can be the answer to why is DMARC failing in most cases.

We recommend that you sign up with our free DMARC Analyzer and start your journey of DMARC reporting and monitoring.

  • With a none policy you can monitor your domain with DMARC (RUA) Aggregate Reports and keep a close eye on your inbound and outbound emails, this will help you respond to any unwanted delivery issues
  • After that we help you shift to an enforced policy that would ultimately aid you in gaining immunity against domain spoofing and phishing attacks
  • You can take down malicious IP addresses and report them directly from the PowerDMARC platform to evade future impersonation attacks, with the help of our Threat Intelligence engine
  • PowerDMARC’s DMARC (RUF) Forensic reports help you gain detailed information about cases where your emails have failed DMARC so that you can get to the root of the problem and fix it

Prevent domain spoofing and monitor your email flow with PowerDMARC, today!

As a domain owner you always need to look out for threat actors launching domain spoofing attacks and phishing attacks to use your domain or brand name for carrying out malicious activities. No matter what email exchange solution you use, protecting your domain from spoofing and impersonation is imperative to ensure brand credibility and maintain trust among your esteemed customer-base. This blog will take you through the process of setting up your DMARC record for Office 365 users.

In recent times, a majority of businesses have made a shift towards using effective and robust cloud-based platforms and hosted email exchange solutions such as Office 365. Subsequently, cybercriminals have also upgraded their malicious techniques to conduct email fraud by outmanoeuvring the security solutions that are integrated into the platform. This is why Microsoft has extended support towards email authentication protocols like DMARC across all of its email platforms. But you should know how to correctly implement DMARC for Office 365, in order to fully utilize its benefits.

Why DMARC?

The first question that might arise is that, with anti-spam solutions and email security gateways already integrated into the Office 365 suite to block fake emails, why would you require DMARC for authentication? This is because while these solutions specifically protect against inbound phishing emails sent to your domain, DMARC authentication protocol gives domain owners the power to specify to receiving email servers how to respond to emails sent from your domain that fail authentication checks.

DMARC makes use of two standard authentication practices, namely SPF and DKIM to validate emails for authenticity. With a policy set to enforcement, DMARC can offer a high level of protection against impersonation attacks and direct-domain spoofing.

Do you really need DMARC while using Office 365?

There’s a common misconception among businesses, that having an Office 365 solution ensures safety from spam and phishing attacks. However, in May 2020, a series of phishing attacks on several Middle Eastern insurance firms using Office 365 caused significant data loss and an unprecedented amount of security breach. This is why simply relying on Microsoft’s integrated security solutions and not implementing external efforts for protecting your domain can be a huge mistake!

While Office 365’s integrated security solutions can offer protection against inbound security threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing into the inboxes of your customers and partners. This is where DMARC steps in.

Securing Office 365 against Spoofing and Impersonation with DMARC

Security solutions that come with the Office 365 suite act as spam filters that cannot secure your domain from impersonation, highlighting the need for DMARC. DMARC exists as a DNS TXT record in your domain’s DNS. For configuring DMARC for your domain, you need to:

Step 1: Identify valid email sources for your domain
Step 2: Set up SPF for your domain
Step 3: Set up DKIM for your domain
Step 4: Publish a DMARC TXT record in your domain’s DNS

You can use PowerDMARC’s free DMARC record generator to generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain. However, note that only an enforcement policy of reject can effectively help you mitigate impersonation attacks and domain abuse.

But is publishing a DMARC record enough? The answer is no. This takes us to our last and final segment which is DMARC reporting and monitoring.

5 Reasons Why You need PowerDMARC while Using Microsoft Office365

Microsoft Office 365 provides users with a host of cloud-based services and solutions along with integrated anti-spam filters. However despite of the various advantages, these are the drawbacks you might face while using it from a security perspective:

  • No solution for validating outbound messages sent from your domain
  • No reporting mechanism for emails failing authentication checks
  • No visibility into your email ecosystem
  • No dashboard to manage and monitor your inbound and outbound email flow
  • No mechanism to ensure your SPF record is always under 10 lookup limit

DMARC Reporting and Monitoring with PowerDMARC

PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protects against sophisticated social engineering attacks like BEC and direct-domain spoofing. When you sign up with PowerDMARC you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI), but also provides an extensive and in-depth dmarc reporting mechanism, that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:

  • Aggregate Reports
  • Forensic reports

We have strived to make the authentication experience better for you by solving various industry problems. We ensure encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user-experience and clarity. PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer tool aids you in configuring DMARC correctly for your domain, and shifting from monitoring to enforcement in no time!

 

All right, you’ve just gone through the whole process of setting up DMARC for your domain. You published your SPF, DKIM and DMARC records, you analysed all your reports, fixed delivery issues, bumped up your enforcement level from p=none to quarantine and finally to reject. You’re officially 100% DMARC-enforced. Congratulations! Now only your emails reach people’s inboxes. No one’s going to impersonate your brand if you can help it.

So that’s it, right? Your domain’s secured and we can all go home happy, knowing your emails are going to be safe. Right…?

Well, not exactly. DMARC is kind of like exercise and diet: you do it for a while and lose a bunch of weight and get some sick abs, and everything’s going great. But if you stop, all those gains you just made are slowly going to diminish, and the risk of spoofing starts creeping back in. But don’t freak out! Just like with diet and exercise, getting fit (ie. getting to 100% enforcement) is the hardest part. Once you’ve done that, you just need to maintain it on that same level, which is much easier.

Okay, enough with the analogies, let’s get down to business. If you’ve just implemented and enforced DMARC on your domain, what’s the next step? How do you continue keeping your domain and email channels secure?

What to Do After Achieving DMARC Enforcement

The #1 reason that email security doesn’t simply end after you reach 100% enforcement is that attack patterns, phishing scams, and sending sources are always changing. A popular trend in email scams often doesn’t even last longer than a couple of months. Think of the WannaCry ransomware attacks in 2018, or even something as recent as the WHO Coronavirus phishing scams in early 2020. You don’t see much of those in the wild right now, do you?

Cybercriminals are constantly changing their tactics, and malicious sending sources are always changing and multiplying, and there’s not much you can do about it. What you can do is prepare your brand for any possible cyberattack that could come at you. And the way to do that is through DMARC monitoring & visibility .

Even after you’re enforced, you still need to be in total control of your email channels. That means you have to know which IP addresses are sending emails through your domain, where you’re having issues with email delivery or authentication, and identify and respond to any potential spoofing attempt or malicious server carrying a phishing campaign on your behalf. The more you monitor your domain, the better you’ll come to understand it. And consequently, the better you’ll be able to secure your emails, your data and your brand.

Why DMARC Monitoring is So Important

Identifying new mail sources
When you monitor your email channels, you’re not just checking to see if everything’s going okay. You’re also going to be looking for new IPs sending emails from your domain. Your organization might change its partners or third party vendors every so often, which means their IPs might become authorized to send emails on your behalf. Is that new sending source just one of your new vendors, or is it someone trying to impersonate your brand? If you analyse your reports regularly, you’ll have a definite answer to that.

PowerDMARC lets you view your DMARC reports according to every sending source for your domain.

Understanding new trends of domain abuse
As I mentioned earlier, attackers are always finding new ways to impersonate brands and trick people into giving them data and money. But if you only ever look at your DMARC reports once every couple of months, you’re not going to notice any telltale signs of spoofing. Unless you regularly monitor the email traffic in your domain, you won’t notice trends or patterns in suspicious activity, and when you are hit with a spoofing attack, you’ll be just as clueless as the people targeted by the email. And trust me, that’s never a good look for your brand.

Find and blacklist malicious IPs
It’s not enough just to find who exactly is trying to abuse your domain, you need to shut them down ASAP. When you’re aware of your sending sources, it’s much easier to pinpoint an offending IP, and once you’ve found it, you can report that IP to their hosting provider and have them blacklisted. This way, you permanently eliminate that specific threat and avoid a spoofing attack.

With Power Take Down, you find the location of a malicious IP, their history of abuse, and have them taken down.

Control over deliverability
Even if you were careful to bring DMARC up to 100% enforcement without affecting your email delivery rates, it’s important to continuously ensure consistently high deliverability. After all, what’s the use of all that email security if none of the emails are making it to their destination? By monitoring your email reports, you can see which ones passed, failed or didn’t align with DMARC, and discover the source of the problem. Without monitoring, it would be impossible to know if your emails are being delivered, let alone fix the issue.

PowerDMARC gives you the option of viewing reports based on their DMARC status so you can instantly identify which ones didn’t make it through.

 

Our cutting-edge platform offers 24×7 domain monitoring and even gives you a dedicated security response team that can manage a security breach for you. Learn more about PowerDMARC extended support.

At first glance, Microsoft’s Office 365 suite seems to be pretty…sweet, right? Not only do you get a whole host of productivity apps, cloud storage, and an email service, but you’re also protected from spam with Microsoft’s own email security solutions. No wonder it’s the most widely adopted enterprise email solution available, with a 54% market share and over 155 million active users. You’re probably one of them, too.

But if a cybersecurity company’s writing a blog about Office 365, there’s got to be something more to it, right? Well, yeah. There is. So let’s talk about what exactly the issue is with Office 365’s security options, and why you really need to know about this.

What Microsoft Office 365 Security is Good At

Before we talk about the problems with it, let’s first quickly get this out of the way: Microsoft Office 365 Advanced Threat Protection (what a mouthful) is quite effective at basic email security. It will be able to stop spam emails, malware, and viruses from making their way into you inbox.

This is good enough if you’re only looking for some basic anti-spam protection. But that’s the problem: low-level spam like this usually doesn’t pose the biggest threat. Most email providers offer some form of basic protection by blocking email from suspicious sources. The real threat—the kind that can make your organization lose money, data and brand integrity—are emails carefully engineered so you don’t realize that they’re fake.

This is when you get into serious cybercrime territory.

What Microsoft Office 365 Can’t Protect You From

Microsoft Office 365’s security solution works like an anti-spam filter, using algorithms to determine if an email is similar to other spam or phishing emails. But what happens when you’re hit with a far more sophisticated attack using social engineering, or targeted at a specific employee or group of employees?

These aren’t your run-of-the-mill spam emails sent out to tens of thousands of people at once. Business Email Compromise (BEC) and Vendor Email Compromise (VEC) are examples of how attackers carefully select a target, learn more information about their organization by spying on their emails, and at a strategic point, send a fake invoice or request via email, asking for money to be transferred or data to be shared.

This tactic, broadly known as spear phishing, makes it appear that email is coming from someone within your own organization, or a trusted partner or vendor. Even under careful inspection, these emails can look very realistic and are nearly impossible to detect, even for seasoned cybersecurity experts.

If an attacker pretends to be your boss or the CEO of your organization and sends you an email, it’s unlikely that you’ll check to see if the email looks genuine or not. This is exactly what makes BEC and CEO fraud so dangerous. Office 365 will not be able to protect you against this sort of attack because these are ostensibly coming from a real person, and the algorithms will not consider it to be a spam email.

How Can You Secure Office 365 Against BEC and Spear Phishing?

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an email security protocol that uses information provided by the domain owner to protect receivers from spoofed email. When you implement DMARC on your organization’s domain, receiving servers will check each and every email coming from your domain against the DNS records you published.

But if Office 365 ATP couldn’t prevent targeted spoofing attacks, how does DMARC do it?

Well, DMARC functions very differently than an anti-spam filter. While spam filters check incoming email entering your inbox, DMARC authenticates outgoing email sent by your organization’s domain. What this means is that if someone is trying to impersonate your organization and send you phishing emails, as long as you’re DMARC-enforced, those emails will be dumped in the spam folder or blocked entirely.

And get this — it also means that if a cybercriminal was using your trusted brand to send phishing emails, even your customers wouldn’t have to deal with them, either. DMARC actually helps protect your business, too.

But there’s more: Office 365 doesn’t actually give your organization any visibility on a phishing attack, it just blocks spam email. But if you want to properly secure your domain, you need to know exactly who or what is trying to impersonate your brand, and take immediate action. DMARC provides this data, including the IP addresses of abusive sending sources, as well as the number of emails they send. PowerDMARC takes this to the next level with advanced DMARC analytics right on your dashboard.

Learn more about what PowerDMARC can do for your brand.