In defense of DMARC

Clearing up some common misunderstandings about email authentication.

The rapid growth of email authentication over the course of 2017 has led to a backlash in some quarters. When implemented correctly, email authentication stops the most pernicious email attack vector: exact name impersonation attacks. But that hasn’t stopped the criticism.

The leading email authentication standard is Domain-based Message Authentication, Reporting and Conformance (DMARC). The number of DMARC-enabled domains has tripled in the past year -- 76 percent of email inboxes worldwide support DMARC, and billions of phishing attacks have been blocked.

Yet email authentication -- due to its unique approach, newness and occasional vendor overhyping -- remains a challenging topic. A number of recent arguments about DMARC reflect basic misunderstandings about how the email authentication ecosystem actually works, so it's important to lay out some facts about what DMARC can and can’t do.

Let’s start with a basic observation: Most enterprise email is no longer sent from company- or organization-owned mail servers. Instead, the vast majority of email is sent from webmail providers like Gmail/G Suite, cloud providers like Microsoft Office 365, marketing companies like Marketo or Mailchimp, and so on. The average firm has a dozen or more vendors who send email on its behalf.

In this world, the weakest point — the point attackers concentrate on — is the organization's identity itself.

Identity: the weakest link

Organizations in both the public and private sectors are already entrusting their identity to multiple service providers in the cloud. Thanks to the way email works, it’s trivially easy for these providers to assume the identity of their customers, as needed: They simply put the customer’s email address in the “From” field and use the organization’s email template, logo and so forth.

Unfortunately, it’s just as easy for hackers in Russia, Korea, China, Brazil, or anywhere else in the world to do the same thing.

Posing as your agency or company is the quickest route to compromise for a variety of attacks:

  • Spear phishing your employees (pretending to be the CEO in an email to the CFO, asking for an urgent wire transfer)
  • Phishing your customers (with a fake security warning asking them to log in to “confirm” their government account details)
  • Spamming random lists of Internet users (counting on the fact that enough of them will trust your brand enough to click on a link or open an attachment).

Indeed, multiple sources estimate that email messages are involved in over 90 percent of successful cyber attacks. Email fraud is, by far, the top cyber attack vector.

However, research by the email security firm GreatHorn found that organizations with a complete DMARC configuration received just 23 percent of the threats that organizations without DMARC do. That’s a 76 percent reduction in cyber attacks!

Just the facts, please

Other misperceptions simply reflect a lack of research. For instance, reporters and commentators sometimes note “confusion” about how widespread DMARC usage is. In fact, DMARC records are publicly accessible in the Domain Name System (DNS), so it’s a simple matter to query the domains for any group of companies to find out how many of them have DMARC records. (When we analyzed the Fortune 500, we found 34.1 percent used DMARC.)
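Checking for DMARC really is that simple: the policy lives in a TXT record at `_dmarc.<domain>`, and a record only counts if it starts with `v=DMARC1` and carries a valid `p=` tag. The parser below is an added example, not code from the article; the sample TXT records are constructed, and fetching them over DNS is left to whatever resolver library you prefer.

```python
"""Parse DMARC TXT records and classify a domain's posture (added example)."""

# Constructed sample records, as a DNS TXT query for _dmarc.<domain> would return them.
# None models a domain with no _dmarc record at all.
SAMPLE_DMARC_TXT = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "subdomain.example": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=s",
    "broken.example": "v=DMARC1 p=reject",  # tags not separated by ';' -> invalid
    "nodmarc.example": None,
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record.

    Per RFC 7489 the record is a ';'-separated list of tag=value pairs, the first
    tag must be v=DMARC1, and a p= tag with a known policy is required.
    """
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed pair; treat the whole record as invalid
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def classify(txt):
    """Map a TXT record to one of: 'no DMARC', 'monitoring only', 'enforcing (<p>)'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no DMARC"
    policy = tags["p"].lower()
    return "monitoring only" if policy == "none" else "enforcing (%s)" % policy


def summarize(records):
    """Count domains by posture; p=none is reported separately from enforcement."""
    counts = {"enforcing": 0, "monitoring only": 0, "no DMARC": 0}
    for txt in records.values():
        label = classify(txt)
        counts["enforcing" if label.startswith("enforcing") else label] += 1
    return counts
```

Note that a `p=none` record authenticates nothing; it only turns on reporting, so a survey that counts every `_dmarc` record as "uses DMARC" overstates real protection.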

Sometimes people bring up a vulnerability called Mailsploit as an objection to DMARC. However, a closer reading of the Mailsploit website itself reveals that most of the email clients which were vulnerable to the text encoding issue it relies on have since fixed the problem.

Another supposed weakness sometimes cited has to do with the “reliability” of DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) -- two older, widely deployed standards that DMARC relies on. However, with these standards, most companies run into configuration problems, not reliability issues: When configured correctly, both DKIM and SPF are quite effective.

Finally, there’s a particularly common mistake: Many people believe that most phishing attacks use random domains or throwaway webmail accounts.

It is true that DMARC does not protect against phishers using random domains. Media coverage focuses on this type of attack, because it’s the easiest to detect. But in reality, studies by Proofpoint, Verizon, and others show that exact-domain impersonation is by far the most common phishing technique.

And why not? In a world where 97 percent of the top million domains are completely unprotected by DMARC, impersonating a domain is the easiest and most effective way to slip through most companies’ defenses.

The Best Defense Is a Layered Defense

Is DMARC the be-all and end-all of email security? Of course not. That’s why the most effective defense is a layered one, where email authentication is combined with content filtering, secure email gateways aimed at stopping malware, and employee training.

DMARC is not just a theory: It’s a proven, effective means for assuring the identity of email senders and blocking unauthorized senders.

That’s why the Department of Homeland Security issued a directive last year telling federal agencies to include DMARC as a critical step toward shoring up their digital defenses. It’s why the Federal Trade Commission has recommended that businesses deploy DMARC. And it’s why the Online Trust Alliance includes DMARC in its evaluations of companies’ cyber security practices.

DMARC works. To pretend otherwise is simply to ignore the facts.