For some years, phishing has been rampant and developing. Despite the fact that phishing scams account for a small portion of this volume, we are still talking about millions and billions of phishing emails every single day.
So how do organizations tackle such a problem at scale ? Some say DMARC has the answer.
DMARC Defined
Domain-based Message Authentication, Reporting, and Conformance is abbreviated as DMARC. It is a group of related standards that provide a means for email senders to secure their domains against spoofing and allows receivers to verify if an email truly originated from the domain it claims.
Why does the industry need DMARC ?
Phishing has been a common method of gaining initial access; in fact, practically every firm in the world has been harmed by phishing attempts. The loudness alone is a significant issue. According to one analysis, 278 million unique phishing emails were sent in Q4 2022, a significant rise over the previous quarter's total of 74 million. DMARC attempts to eliminate domain spoofing, which is one of the most prevalent strategies used by threat actors to forge (spoof) email addresses and persuade recipient-victims that the email is from a trusted source.
How does DMARC work ?
If an email sender enables DMARC on one or more domains, they have indicated that they can verify legitimate messages originating from those protected domains.
This policy also tells the email receiver what they should do (for example, ignore, delete, accept or quarantine) if DMARC passes or fails the authentication checks. The receiving server can also choose to tag the email with “delivery failure” or similar. Emails that fail the DMARC test are supposed to get treated as riskier in comparison to those emails that pass the check.
As a set of related standards, DMARC absolutely depends on SPF (sender policy framework) and DKIM (domain keys identified mail). Both SPF and DKIM validate whether an email originated from an authorized domain.
The DKIM protocol helps validate the sender by matching or comparing the cryptographic keys available on a domain’s DNS record with the sender’s information. SPF verifies an email’s RFC 5321 email address and DKIM verifies an email’s 5322 email address.
For DMARC to work most efficiently, both sender and receive must enable it and have SPF and/or DKIM enabled. It's best to have both enabled, if possible.
DMARC also has “feedback reporting.” This lets senders receive feedback from receivers when an email gets sent from their domain. For example, a user sends an email as myURL.com to a Gmail recipient. Gmail would then issue a report to the sender whether the email claiming to be from the sender's protected domain is really from that domain. This helps senders learn about their legitimate and illegitimate sources of emails.
Can DMARC Act as a silver bullet against phishing?
So, if spammers and phishers use a legitimate domain (even if it's a rogue domain like "g00gle.com"), the domain is legally assigned to the attacker, and the attacker has the appropriate DMARC rules enabled, their emails will pass all DMARC checks.
In other words, DMARC does not evaluate if an email includes a phish; rather, it checks whether the domain the email purports to come from was indeed the domain from which the email was sent.
In some cases, valid domains will pass DMARC checks while still being utilized for malevolent purposes. These can include legitimate domains that have been compromised and are being used to send malicious emails, as well as phishing emails sent from generic email providers such as gmail.com, hotmail.com, and aol.com. Even legal emails can fail DMARC permission tests. For example, the sender makes faults in their DMARC settings. According to studies, just 14% of domains have correctly deployed DMARC.
How does DMARC mitigate phishing ?
DMARC can assist security technologies in mitigating phishing. It is not a solution, but when implemented on both the sender and recipient sides, it may prevent sophisticated brand and domain impersonations at scale, and for that alone, DMARC can be a game changer.
Of course, companies must also address the gaps that DMARC misses, especially human mistakes. Companies must encourage their staff to be cautious online and to not take anything at its value. When they get a new email, they must halt, take their time, conduct their due diligence, and determine whether the email is from a legitimate and reputable source.
In the event of suspicious-looking emails or those involving large sums of money, it's a good idea to use an alternate means (such as a phone call) to ensure that all requests are real and allowed.
Following this simple two-pronged approach - DMARC and regular employee training - can help companies go a long way towards reducing their organization's susceptibility to phishing.