
Dmarc email validation – we're doing it all wrong

Dmarc is a hugely important way to reduce email fraud – just ask HMRC – but it also makes email marketing campaigns far more effective

The Dmarc email validation system has been around for a long time – I was speaking about its virtues at conferences over four years ago as a means to combat the scourge of fraudulent email.

Phishing has been around for longer than most people in security care to remember, and all that time we have had an opportunity to make a serious dent in it, and start to reclaim email as an effective communication channel.

For those who don’t know, Dmarc (domain-based message authentication, reporting and conformance) is an email validation approach designed to detect and prevent email spoofing. It provides a robust mechanism through which to authenticate legitimate emails and also allows senders to instruct receiving email providers how to handle unauthenticated emails.

Those instructions come in three guises: monitor, quarantine and reject. In the latter case that means rejecting the email rather than delivering it to the recipient’s mailbox.

Dmarc works by combining Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) with some add-ons thrown in. In essence, a domain owner publishes a policy defining the email authentication practices for the domain. That will be a combination of the IP addresses that are permitted to send emails on behalf of the domain in question (SPF), a cryptographic key and signature to ensure the email has not been altered or faked (DKIM), and an instruction on how to handle any emails that fail these checks.

A receiving mail server, upon receiving an email notionally from a domain, uses DNS lookup to check for the authentication practices for that domain and checks the key factors therein. Did the message come from an IP address on the permitted list? Does the signature validate? Is there proper domain alignment in the headers?

If the email passes, it is deemed legitimate and thus delivered. If it fails all of the checks then it is deemed illegitimate and the receiver follows the sender’s instruction as to how to handle the failure – monitor, quarantine or reject.
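The receiver-side decision described above, as an added example that is not part of the original article. It assumes the DNS lookup and the SPF and DKIM verification have already been done; the record, domains and function names are constructed for illustration, and the organisational domain is passed in rather than derived from the Public Suffix List.

```python
# Added example: simplified receiver-side DMARC decision (constructed data).
POLICY_ACTION = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_ACTION:
        return None
    return tags

def aligned(auth_domain, from_domain, org_domain, mode):
    """Strict ("s"): exact match with the From domain.
    Relaxed ("r"): same organisational domain (assumption: org_domain is
    supplied by the caller instead of derived from the Public Suffix List)."""
    auth = auth_domain.lower().rstrip(".")
    if mode == "s":
        return auth == from_domain.lower().rstrip(".")
    return auth == org_domain or auth.endswith("." + org_domain)

def evaluate(record, from_domain, org_domain, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    Pass needs one mechanism that both passes and aligns with From."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, org_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(
        dkim[1], from_domain, org_domain, policy.get("adkim", "r"))
    return "deliver" if spf_ok or dkim_ok else POLICY_ACTION[policy["p"]]

# Constructed record, as it would be published at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # SPF passes, but only for an unrelated envelope domain: no alignment.
    print(evaluate(RECORD, "example.com", "example.com",
                   ("pass", "mailer.example.net"), ("none", "")))
    # DKIM signed by the From domain itself: aligned under strict mode.
    print(evaluate(RECORD, "example.com", "example.com",
                   ("fail", "mailer.example.net"), ("pass", "example.com")))
```

The first call shows why the alignment question matters: an SPF pass for a domain unrelated to the visible From address does not count towards a Dmarc pass.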

Dmarc really works

The best thing about Dmarc is that it really works. HM Revenue & Customs (HMRC) managed to implement Dmarc on one of the most abused domains on the planet – HMRC.gov.uk. The result was simply staggering – a reduction of fraudulent emails attempting to spoof that domain by half a billion. Yes, you read that right – half a billion fake emails eliminated.

But criminals are not dumb. Well, some are. The way Dmarc works is through published policies, and if they are published anyone can view them, including criminals. Most cyber criminals will check for Dmarc records and recognise there is little point in spoofing the domain for phishing as emails have an almost zero chance of being delivered.

HMRC saw a reduction of fraudulent emails attempting to spoof its domain by half a billion. Yes, you read that right - half a billion fake emails eliminated
Ed Tucker

This simple solution forces criminals to change their behaviour, which in turn forces them to use more spurious domains, giving your customers a greater chance of spotting the fake – or the fraudsters move on to a different domain or organisation altogether. Make no bones about it, phishing is still not going away – it’s a lucrative business – but through Dmarc we can make things hard in terms of return on investment (ROI) for the criminals.

The UK’s National Cyber Security Centre is spearheading the adoption of Dmarc across the UK government and public sector through the Active Cyber Defence programme, which is awesome. The Government Digital Service wrote an email blueprint designed to help public sector organisations, and others, implement Dmarc. And more recently the US Department of Homeland Security mandated the same approach.

Who cares?

All of this is brilliant – but there’s one problem. Outside of those organisations that are heavily spoofed and that also feel the material impact of customer compromise – in other words, fraud – very few organisations care.

That might sound harsh, but sadly it’s true. In an altruistic world we'd all take duty of care to our customers seriously, and that includes preventing the spoofing of our domains for the purpose of phishing. Reality is something different.

Sadly a lot of organisations either don’t know about Dmarc or don’t see the value in protecting their domains, making them an ideal conduit for phishing and customer compromise. It doesn’t even have to be your customers – your domain is just the mechanism through which criminals can send a legitimate-looking email to dupe an unsuspecting member of the public, or your organisation, leading to compromise. Don’t get me wrong, it is getting better, and Dmarc adoption is growing, but it is a slow burner.

So what is the solution? Well, Dmarc has two facets. It prevents spoofing of your domain, which is great – the way it does this is the other facet, in that it authenticates your legitimate emails and ensures their prioritised delivery into the recipients’ inbox. So, if you implement Dmarc you can ensure your genuine emails are delivered, and into the inbox as well.

The ROI of Dmarc

Dmarc is generally sold by security experts into their organisation as it is a good security thing to do. Phishing is bad and preventing phishing is good. But when you don't feel the impact of customer compromise, do you care? Do you even see the problem? Do you realise that you are part of the problem? And of course, making a difference – by implementing Dmarc – costs.

If nothing else it is time and effort, but for what gain? In the myriad of decisions faced by a business in how to spend their money for best gain, this is a hard sell. If you are not monitoring the abuse of your domain – which happens outside of your organisation – then you don’t know if there is a problem or not, which leaves the poor security professional with the age-old issue of trying to prove a negative in order to get investment.

What you need to do is focus on the positive – the ROI. What ROI? Bringing it back to the ability to authenticate your genuine email and ensure its delivery into the recipients’ inbox. HMRC was able to reduce spoofing by half a billion emails, which is fantastic. But we also improved delivery rates of genuine emails from 18% to 98%, all through the implementation of Dmarc. Nothing extra – the very same thing that reduced the spoofing also increased the delivery of genuine emails.

Just think about that – delivery of genuine emails increased from 18% to 98%. The results of implementing Dmarc were staggering.

The way to build Dmarc adoption is to focus on the genuine email aspect. What marketing executive doesn’t want a guaranteed delivery rate of 98%? Put simply, Dmarc is a marketing dream come true.

If marketing emails are delivered they stand a far greater chance of being read and a better chance of drawing interest. But if they are not delivered...

The implementation of Dmarc can make marketing campaigns and genuine email far more effective, and that means a greater ROI. You can make email an effective communication channel again, because at the moment it is not.

A marriage made in cyber heaven

So here’s the crux. If you want to implement Dmarc in your organisation, and I highly recommend that you do – go and talk to marketing. Not to the IT security chief, or the CIO or whoever. Go to marketing. Tell them Dmarc is an enabler to effective communication. Marketing wants effective communication – it is a marriage made in cyber heaven. There’s your business case right there.

If you focus on the business benefit, the positive outcome, then most organisations will back you. You can demonstrate how a technological change can bring greater ROI to the business. We all look for that panacea of security as an enabler; well here it is – use it.

But tell the enablement story, not prevention. Prevention is a hard sell – ROI isn’t. Go and sing from the rooftops how Dmarc can help in delivering effective communications to your customers – and it does some security stuff too. Once you’ve shown worth here, the next time you come forward with an idea or proposal, people are far more likely to listen. Now go and have that conversation.
