Phishing has been widespread and evolving for several years. There are about 300 billion emails sent daily and despite phishing scams making up a small fraction of this volume, we still talk about millions and billions of phishing emails every single day.
So how do organizations tackle such a problem at scale? Some say DMARC has the answer.
DMARC defined
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It’s a set of related standards that offer a mechanism for email senders to protect their domains from being spoofed and lets recipients verify if an email does indeed originate from the domain it claims. While DMARC has been around since 2012, it rose to prominence before 2021, and the National Defense Authorization Act has explored mandating that all U.S.-based email providers implement DMARC.
Why the industry needs DMARC
Phishing has become a main vector of initial access – in fact, almost every company in the world has been adversely affected by phishing attacks. The volume alone stands as a major problem. According to one study, Q4 2022 witnessed a record-breaking 278 million unique phishing emails, a steep increase from the previous quarter’s total of 74 million. DMARC aims to reduce domain spoofing, one of the most common techniques used by threat actors to fake (spoof) email addresses and convince recipient-victims that the email originates from a trusted source.
How does DMARC work?
If an email sender enables DMARC on one or more domains, they have indicaed that they can verify legitimate messages originating from those protected domains.
This policy also tells the email receiver what they should do (for example, ignore, delete, accept or quarantine) if DMARC passes or fails the authentication checks. The receiving server can also choose to tag the email with “delivery failure” or similar. Emails that fail the DMARC test are supposed to get treated as riskier in comparison to those emails that pass the check.
As a set of related standards, DMARC absolutely depends on SPF (sender policy framework) and DKIM (domain keys identified mail). Both SPF and DKIM validate whether an email originated from an authorized domain.
The DKIM protocol helps validate the sender by matching or comparing the cryptographic keys available on a domain’s DNS record with the sender’s information. SPF verifies an email’s RFC 5321 email address and DKIM verifies an email’s 5322 email address.
For DMARC to work most efficiently, both sender and receive must enable it and have SPF and/or DKIM enabled. It's best to have both enabled, if possible.
DMARC also has “feedback reporting.” This lets senders receive feedback from receivers when an email gets sent from their domain. For example, a user sends an email as myURL.com to a Gmail recipient. Gmail would then issue a report to the sender whether the email claiming to be from the sender's protected domain is really from that domain. This helps senders learn about their legitimate and illegitimate sources of emails.
Can DMARC Act as a silver bullet against phishing?
Short answer: No.
So if spammers and phishers use a legitimate domain (even if it's a rogue domain like “g00gle.com”), the domain gets legally assigned to the attacker and they have the right DMARC rules enabled, their emails can pass all DMARC checks.
In other words, DMARC doesn't determine if an email contains a phish, it only verifies if the domain the email claims to originate from was really the domain the email was sent from.
There are also instances where legitimate domains will pass DMARC checks and are still used for malicious activities. These can include legitimate domains that are compromised and used for sending malicious emails, phishing emails sent from generic email providers like gmail.com, hotmail.com, and aol.com. Even legitimate emails can fail DMARC authorization checks. For instance, the sender makes mistakes in their DMARC configuration. Studies show that only 14% of domains have implemented DMARC correctly.
How DMARC mitigates phishing
DMARC can help security tools mitigate phishing. It’s not a silver bullet, but when used both on the sender’s and receiver’s side, it can prevent scammers from carrying out sophisticated brand and domain impersonations at scale and for that alone, DMARC can serve as a massive game changer.
Of course, organizations also need to address the blind spots that DMARC fails to cover, namely human errors. Organizations must teach their employees to develop a healthy form of online skepticism and not judge everything at face value. When they see a new email, they must pause, take their time, do their due diligence and check whether the email derives from a valid and trusted source. In case of suspicious looking emails or ones that involve a lot of money, it’s a good idea to choose an alternative method (such as a phone call) to confirm if all requests are indeed valid and authorized.
Following this simple two-pronged approach – DMARC and regular employee training – can take companies a long way toward reducing the organization’s susceptibility to phishing.
Stu Sjouwerman, founder and CEO, KnowBe4