DMARC Process

What is DMARC?

Have you ever opened an email that looked normal but contained malware inside? You might want to check out DMARC, the email authentication protocol that helps keep your inbox risk-free.

We’ve all heard about super hackers gaining access to corporate networks and stealing valuable data. And, of course, we’re all aware of online heists that take place with the help of ransomware. These kinds of tactics have become infamous, and we’ve learned to overcome them. After all, we pay massive amounts for cybersecurity, so the chances of hackers penetrating our systems should be nil.

Cyber-attacks are a prominent element in the industry, which is why we’ve learned the tell-tale signs of one. Or at least, that’s what our software is here for. But what if criminals were to use something so simple and seemingly innocent that it slips right past our radars? What if they use a simple, generic-looking email to trick us? Well, that’s where DMARC comes into play.

DMARC Explained

If we’re talking about full forms, DMARC stands for domain-based message authentication, reporting, and conformance. Overall, it is an authentication protocol that protects you from spam, spoof, and phishing-related emails.

As you can tell by the lengthy name, the first part of the protocol involves domain authentication. This authentication process figures out and confirms where an incoming email came from. The protocol then checks the source’s background and verifies its reliability. The incoming mail is simply rejected if the protocol can’t recognize the source.

DMARC is a useful tool that protects your business and employees from email-related attacks. It provides an extra layer of security that can even prevent scams. It works by allowing companies or entities to set their own policy that determines whether or not a certain mail will go through or be ignored by the server if it fails authentication.

With DMARC, you can set your own email authentication process. By setting a custom standard of protocols, you can effectively filter out authentic emails from those which are spam or suspicious. What’s more, you can even set a particular course of action that will take place in case the incoming email does not match the standard you have set.

For example, you can set the verification process so that only emails from a particular server are allowed into your network. Anything else will automatically be deemed unsafe by the network and thrown in the trash.

Well, that’s DMARC in a nutshell. However, if you really want to know the core details of DMARC, how it functions, and its uses, we’ll have to dive much deeper into that. Starting with why we need it in the first place.

Why Do We Use DMARC?

To understand how using DMARC can benefit you, you must understand how fishing and spoofing work. These are techniques used by scammers looking to dupe you and your company out of thousands and sometimes even millions of dollars. And the worst part is that these scammers target the one aspect that we would rarely suspect.

Everyone is familiar with how malware and hacker attacks work. The most dangerous attacks are often made by penetrating your firewall, allowing attackers to gain unauthorized access to your company’s private network. From there, these hackers can steal important company data and leak that information for a price. All without a single trace.

But today, we won’t be talking about complicated hacker attacks requiring massive skill. Instead, we’ll talk about simple, clever methods that even an amateur scammer can use to dupe you out of millions. Unlike hackers, who manipulate a company’s network, spoofing and phishing attacks often work by manipulating you or your employees via a harmless email. That’s why it’s even more shocking when such an attack occurs.

The game isn’t about dealing with or bypassing your robust cybersecurity software but rather, tricking human beings into carrying out their dirty work. And nobody played the game better than Nigerian-born scammer Ramon Abbas, a.k.a; Hushpuppi.

How Did Hushpuppi Scam Companies?

If you work in an international conglomerate or an elite financial institution, you’re probably aware of how much money is exchanged daily. Corporations make massive transactions daily, often transferring and receiving millions in payments. Employees working in such companies typically follow the instructions of official company emails. If the mail tells them to make a certain payment to a certain account, it is the employee’s job to make the transaction.

But what if someone figures out a way to impersonate your company and send you an official-looking email filled with fraudulent instructions? You might think you’ll detect its deceitful quality; however, that’s easier said than done.

Employees must deal with massive workloads daily, leaving little time to double-check emails. Besides, it’s your natural instinct to trust any email from your company, so long as nothing seems off at first glance, you wouldn’t stop questioning anything before instinctively following the instructions mentioned. What’s more, scammers will use email addresses that look similar to your company’s address, at least at first glance. So being aware of fraud is beyond your capabilities in most cases.

Well, that’s what scammers like Hushpuppi would rely on during their spoofing attacks. All it took was one official-looking email, directing an employee to make a hefty transition to a particular account number, and voila, the heist was successful. And the worst part is the victim wouldn’t even realize that he was duped.

Could DMARC Have Stopped Hushpuppi Scams?

Throughout his entire career, the Nigerian scammer used business emails to dupe companies out of hundreds of millions. All this by using a simple bait and hook spoofing technique that fooled countless gullible employees from various companies. It raises the question, could Hushpuppi have scammed those companies if there was a proper DMARC structure in place? Probably not.

Situations like these are precisely what DMARC authentication protocols are for. With DMARC, scammers won’t be facing busy, overworked employees who don’t have the instinct to suspect company mail. Instead, they will be facing a computerized protocol that strictly follows a certain set of standards.

For example, let’s say you’re an accountant at Orange Pixels, and you get your daily emails from sales@orangepixels.net. Scammers would instead send you an email from something like sales@orangepixles.net. Notice the minor spelling difference?

The human eye can overlook these kinds of distinctions, but it is impossible for the DMARC protocol to miss them. The system would immediately detect the difference in the email ID. Moreover, it would also figure out that the email was sent from an outside server and hence, would be deemed risky. Depending on your settings, the email would be trashed or reported to the company.

Is It Beneficial To Use DMARC?

Yes, it is absolutely beneficial to use DMARC, especially with the increasing cases of fraud and phishing-related scams in 2022. With the massive amounts of emails being exchanged daily, it’s difficult to tell the real ones from the fakes. That’s why DMARC is quite essential to any business, especially a company that makes gigantic amounts of transactions every day.

How Does DMARC Work?

Although DMARC is widely known as an individual system with its own characteristics, the protocol actually uses SPF and DKIM methods to verify authenticity. Let us go through both elements and understand how they help make DMARC better.

Sender Policy Framework (SPF)

SPF is a technique to authenticate and verify emails and prevent spammers or scammers from using your domain to trick you. It allows a company or entity to set factors for what will be considered authorized.

It works by inserting an SPF record into your domain’s DNS zone, which allows you to decide which email servers can send emails using your domain. You can add specific hostnames or IP addresses and ensure that only they are allowed to send emails from your selected domain.

When you send emails using SPF, the receiver can use the envelope form address to verify whether the sender’s IP address has the required authentication. On the other hand, if the sender’s IP address isn’t included in your list of added domains, the mail will be marked as risky or suspicious.

Domain Keys Identified Mail (DKIM)

This authentication method lets the email receiver verify if the domain owner sent the mail or if the sender is a suspicious entity. The protocol was created to root out any fake or forged email addresses, something which scammers love to employ.

DKIM applies a digital signature to the email, which acts as a header included in the message. Your email server will then read the signature and determine its validity. The email and its contents will be considered safe if the signature is authentic. If not, the server will reject the incoming mail.

How does DMARC combine SPF and DKIM?

The DMARC protocol bases itself on SPF and DKIM results and only activates if one or both are valid. To set up your DMARC protocol, you must publish your DMARC record into your server’s DNS. The DMARC record will now exist within your server’s DNS record and help the server to recognize authentic emails.

When you receive an email, it will have to pass either SPF or DKIM checks or both. The authentication process will be done by DMARC itself and will determine whether the email has passed SPF, DKIM, or both. This process is referred to as identifier alignment or DMARC alignment.

Furthermore, DMARC records notify email servers to dispatch XML reports to the listed reporting address. The reports will often track your email along each step and make you aware of whatever is being sent through your domain.

What Happens To Emails That Fail DMARC’s Validation Checks?

The course of action taken in case of a failure in the validation check depends on the current p=polices. These are basically three choices that you, the domain owner, can specify.

The first choice is ‘none,’ which means that the server will take no action in case of authentication failure. We don’t recommend picking this choice because doing so will treat the mail as if there was no active DMARC system in the first place. It means that dangerous and potentially fraudulent emails will have no issues popping up in your email. The system will notify you of the email’s potential risk, and you can delete it from your inbox. However, it’s still an unsafe choice in the long run.

The second choice is ‘quarantine,’ which means accepting the mail but storing it in the spam folder or a specific folder of your choice. It is a reasonable measure and is less risky than the first choice, which stores the email in your inbox. With quarantine, you can safely separate suspicious emails and keep them away from sight. While storing it in the spam folder is careful enough, we recommend deleting the email or emptying the spam folder altogether.

The third choice is ‘reject,’ which outright rejects the incoming email if it hasn’t passed the DMARC protocol. It is the safest option as it prevents the email from being stored in your inbox or spam folder. The mail cannot penetrate your server and is cast away before it can do any damage.

Remember that the option you choose cannot be forced upon the software. There might be situations when you have chosen to quarantine an incoming mail, but the DMARC system rejects it altogether. This kind of override occurs when the system deems the incoming mail too corrupt or dangerous to be allowed into your server. In such situations, the DMARC system might delete the incoming mail, despite you choosing a different course of action.

How Does DMARC Protect My Business?

DMARC is the ultimate security measure you can take as a business owner. The protocol ensures that every email sent to your business goes through a rigid verification process. The foolproof authentication channel verifies sender authenticity and ensures no fraudulent emails are coming your way.

Scammers and fraudsters hate coming across DMARC systems because it takes away their one advantage. These scammers often use cleverly placed spelling changes to dupe the receivers into trusting their unauthorized emails.

Without DMARC, scammers would easily be able to send you and your employees any kind of email without anything to stop them. Although the chances of anyone being fooled by these fake emails are low, it does happen from time to time. And when it does, the scammers manipulate such employees into carrying out tasks that are detrimental to the company.

Scammers usually convince duped employees to transfer huge sums of company money into fake bank accounts, which soon go off the grid, becoming forever untraceable. This way, they can dupe companies out of millions of dollars yearly, with figures steadily rising.

DMARC prevents this ordeal by establishing a proper security protocol so your company’s email server can differentiate between real and fake emails. There is no way to trick the authentication process, making it impossible for scammers to prey on unassuming victims. The DMARC protocol promptly detects any distinctions in minor details such as the ID name, address, server validity, etc. This allows the protocol to only let through emails from verified sources and servers.

DMARC Encryption

DMARC works via asymmetric public-private encryption, which serves as the basis for their security checks. The system uses a universal private key to cross-check and verify the details of any incoming emails. On the other hand, the emails come attached with a public key encrypted in the message. The receiver can access this public key without opening the mail, which makes it easy for the DMARC system to cross-check it with the private key. If everything works out, the email goes through; otherwise, it is halted.

Due to the effectiveness of DMARC’s encryption, and security protocol, we recommend having the system turned on permanently. Without it, scammers, hackers, and other cyber attackers can impersonate your domain and server to send out fraudulent mail. Moreover, it will also leave you defenseless against such attacks, as you will have no technical way of determining what is safe and what isn’t.

Naturally, running a business without DMARC can be a risky affair. It’s like walking through a bad neighborhood with a hundred-dollar bill stuck on your face. So don’t go at it alone; always have DMARC to cover your back.

Does DMARC Cost Anything?

Absolutely not. DMARC, or domain-based message authentication reporting and conformance, is completely free to use. It was designed as an open technical specification that companies can use to safeguard their domain. It also solves the countless cases of spoof, spam, and fraudulent emails being used to dupe companies.

But of course, while the protocol itself is free, whether you pay for it or not depends on the situation. It could be that the implementation was recommended by a consultant, who will probably charge you for their assistance.

On the other hand, you will have to pay any IT technician or personnel you have hired to run and maintain the system on your domain. It might be so that you’re aware of the protocol but haven’t figured out how to use it yet. In that case, you will have to hire a technician who is an expert on the matter. This isn’t a bad deal either, as you’re getting the full benefit of the protocol and the technician’s skills.

What Is DMARC Reporting?

When you have the DMARC reporting on your domain, you will be receiving generated DMARC reports. These are done via the inbound mail servers and are a part of the entire validation process. This automatic generation of reports via the inbound servers is known as DMARC reporting. These are especially helpful for testing your implementation of DMARC.

DMARC reports can come in two formats, as stated below.

Aggregate DMARC Reports

Aggregate DMARC reports are typically generated as XML documents and can be read by machines as well. The report mostly contains data such as statistics regarding incoming messages. The objective of the report is to note down where the sender claims to be from and verify information against the actual domain.

The reports also contain reports of all the authentication results, whether they were a success or failure. It also contains information regarding message disposition, such as message ID, delivery status, and so on.

Forensic DMARC Reports

Forensic DMARC reports contain copies of all the messages that have failed to pass the authentication check. The copies are stored in AFRF format and can be used to identify any harmful domains, sources, or websites enclosed within the messages. Moreover, you can also use it to troubleshoot your domain’s authentication.

What Does a DMARC Record Look Like?

Below is a sample DMARC record which we will break down.

v=DMARC1; p=quarantine; fo=1; rua=mailto:info@business.com; ruf=mailto:info@business.com

v=DMARC1 – This is the version tag that identifies the record as a DMARC record. It must be listed first in the DMARC record and the value must be DMARC1

p=quarantine – This tag indicates the policy you want mail servers to apply when email fails DMARC authentication and alignment checks. In this case, quarantine is chosen. Other options are none and reject.

fo=1 – This tag tells mail servers you want message samples of emails that failed either SPF and/or DKIM. There are four value options available. 1 generates a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned “pass” result which is the recommended option.

rua – This tag lets mail servers know where you want aggregate reports to be sent.

ruf – This tag lets mail servers know where you want forensic reports to be sent.

How To Check/Analyze your DMARC Report?

Checking your DMARC reports is generally easy, although there are some websites and software which help parse and analyze the reports you receive. There are also many online tools for checking DMARC records and only require you to create a login for the site to analyze and check your records. What’s more, these tools can also verify the record’s validity and confirm its authenticity. One such tool is called the DMARC record check.

Just enter the domain name on which you want to run the DMARC check. The record checker will then process the current record and show you all its details. This way, you can take your time and figure out all your possible options and check the ones you already used.

DMARC Conclusion

Whether you own a small business or fortune 500 company, you should be implementing DMARC to help protect your business and employees from phishing, spoofed, and spam emails. It’s easy to implement and can save your business money from scammers. It can also help protect your business’ reputation by preventing scammers from impersonating your company email and trying to send email to your customers.

If you are ready to implement DMARC or need assistance implementing it, please contact us for a free quote.