Preventing email spoofing with a DMARC Policy
This post is over 2 years old and may no longer be up to date or accurate. You are welcome to point out issues by leaving a comment below. Thank you!
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.1
This post will not explain how to set up a DMARC policy on your domain. Google has a great guide to get you started. If you want to nerd out, RFC7489 has you covered.
Instead, I want to share my experience, which, hopefully, will convince you to roll out your own DMARC policy. Email spoofing is everywhere and unless you have the right DMARC policy in place, you can’t see and combat it.
I work for a small early-stage venture capital firm. We don’t get much media attention because we usually invest alongside larger funds and don’t write eye-popping checks. But we still manage quite a bit of money and handle sensitive and generally confidential information. Some of that information needs to be shared externally with our investors, lawyers, auditors, accountants, banks, etc., which happens over email 99% of the time. Hackers know this and will play the long game to steal large sums of money.
We rolled out SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) years ago. See this quick recap if you are unsure how they tie into DMARC.
Meanwhile, the quality of some of the spam and phishing we were receiving continued to improve, some of which was very well done and quite deceiving (fake capital call notices, fake shared folders, etc., with many pretending to come from our domain). Malicious actors were trying to leverage our brand/domain, likely to steal credentials or spread ransomware.
But you don’t have to be a financial institution to be a target. For example, eBay, Deliveroo and Netflix all have strict DMARC policies2. Hypothetically, a forged transactional email could lead to an account takeover for example. With the right DMARC policy in place, a forged email is less likely to get to the recipient’s inbox.
So we deployed a basic, report-only, DMARC policy and used Report URI to establish a baseline. A few weeks later, the stats showed dozens of unknown senders in odd countries. Then, we changed the policy to quarantine
and continued to monitor. Finally, we updated the policy to reject
100% of the messages that failed DMARC checks.
We’ve had this setup for over two years now. On average, we see 30-50 DMARC rejects a month from all over the world. For instance, last month’s unauthorized senders came from Morocco, Pakistan, Vietnam, Serbia, and Puerto Rico. These numbers would undoubtedly be orders of magnitude higher if we were a more prominent firm.
Go and get a robust DMARC policy set up!