Implementing DMARC: why email security should be the No. 1 priority

Cyberattacks are a dime a dozen these days, with a new phishing or malware scam making headlines almost every week. The frequency at which these attacks are occurring is alarming to say the least, particularly when some of the seemingly most secure institutions in the world (like the White House, for example) are falling victim to hacks. If it took one prankster sending out a fake party e-invite impersonating Jared Kushner to trick Homeland Security Adviser Tom Bossert, what is going to stop an email hacker from obtaining any organization’s sensitive information?

The problem is hackers are becoming more and more advanced in their tactics, strategically targeting individuals with access to mission-critical data and impersonating their bosses to convince them to send that information along. The increased use of smartphones also exacerbates the problem. Smartphones typically only show the “display name” and not the email address, making it easy to look quickly at an email, read the display name and not realize the actual email address is from a fake account.

It’s a tactic that contributed to the 2,370 percent increase in identified exposed dollar losses in the U.S. between January 2015 and December 2016, according to the FBI. It’s not surprising then that LinkedIn’s “2017 Cybersecurity Trends Report” – which surveyed 1,900 cybersecurity professionals – found that phishing attacks are a top concern for 37 percent of respondents, ahead of insider threats (33 percent) and malware (32 percent).

With those alarming stats in mind, Congress has made combating email hackers a top priority. Oregon Senator Rob Wyden proposed a protocol earlier this summer requesting that all federal agencies implement stricter controls in order to prevent hackers from impersonating government officials via email. The protocol is called Domain-based Message Authentication Reporting and Conformance, or DMARC for short.

DMARC is an email authentication, policy and reporting protocol building on the popular Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols. It offers linkage to the author’s domain name, published policies for recipient handling of authentication failures and reporting from receivers to senders. The protocol helps remove the guesswork from the receiver’s handling of messages that fail to pass authentication, limiting or eliminating their exposure to potentially harmful phishing or spam tactics. Current mechanisms work in isolation from one another, making it difficult for receivers to make decisions about how to evaluate messages and preventing legitimate domain owners from getting any feedback.

While DMARC adoption is currently a major priority for government agencies and hospitals, the protocol can – and should be – used by every organization to help detect and prevent email spoofing. And yet, only one-third of organizations use DMARC protocol and less than 10 percent use the strongest available setting, according to the Federal Trade Commission. For the two-thirds of companies that have yet to implement DMARC, they may want to consider the benefits of having a system in place that helps employees at all levels identify fake emails and avoid potentially detrimental scams. LinkedIn’s 2017 study also found that two of the biggest obstacles to stronger cybersecurity are a lack of skilled employees (45 percent) and a lack of security awareness among employees (40 percent) – proof that having a backup system in place is all the more important.

Organizations interested in making email security a top priority should check out the process the DMARC coalition recommends in order to effectively implement the protocol. While the tips will vary depending on industry, company size and email/communications trends, all companies will want to:

• Correctly implement DKIM and SPF protocol.
• Create a DMARC record in DNS and start monitoring a domain to see where email traffic using that domain is coming from.
• Set mail receiver policy to “none” to receive DMARC data reports while ensuring messages are still being delivered.
• Analyze the breadth of data provided in the DMARC reports to make informed decisions about the organization’s communications system.
• And finally, as an organization gains experience with DMARC, they should consider modifying DMARC policy flags from “none” to “quarantine” or “reject”; this moves the system from monitoring mode to proactive protection.

Organizations should get both the IT department and security professionals on the same page to make this happen. If the process of implementing DMARC still feels daunting, they should consider using a third-party service with expertise in ensuring maximum security.

Whatever an organization decides to do, the best advice is to not wait. Hackers are evolving their tactics regularly and nobody wants to be their next target – especially if they’re unprepared.