Phishing: DMARC to the Rescue

Here is something you need to know.

DMARC, or Domain-based Message Authentication, Reporting & Conformance, is a new standard for email authentication. You will appreciate it for two reasons: it will protect your email and it will protect your brand.

DMARC does this by not only preventing phishing attacks from entering your organization but also defending other organizations against spoofed emails that appear to come from your company. Already 60% of the world’s mailboxes—nearly 2 billion accounts—are protected by DMARC.

According to the latest Phishing Activity Trends Report from the Anti-Phishing Working Group, there were 28,195 phishing attack campaigns in December of 2012 alone. That’s because, as unfathomable as it may seem to many of us, phishing attacks work. Even savvy users are sometimes caught off guard and tricked into giving up account, password, financial and other personal data.

Emails are also easy to spoof. Sometimes all it takes is inserting your company logo in an email to dupe recipients into thinking they’re dealing with your business. Not only does this reflect badly on your brand, it can disrupt legitimate communications due to customers who are now wary of any email that comes from you. But with DMARC, senders and receivers work together to protect both users and brands from harm.

How does DMARC work?

DMARC allows senders to indicate their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes—such as “junk” or “reject the message”. DMARC removes the guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to fraudulent messages. DMARC also allows email senders to request reports for messages that pass and/or fail DMARC evaluation.

For example, if user@yahoo.com gets a phishing message purporting to be a bank account notification from account_alerts@toobigtofail.com, Yahoo! checks the bank’s DMARC policy to see whether the message should have been DKIM signed and, if so, verifies the signature, and/or checks SPF to make sure the sending system is listed in the bank’s SPF record. If any one of these checks fails, Yahoo! will obey the sender’s DMARC record, which can request a failure report as well as specify the action to take (e.g., reject or quarantine).
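The receiver-side logic described above, as an added example (not code from the post, Sentrion or Sendmail): parse the domain owner’s DMARC TXT record, check whether SPF or DKIM passed *and* aligns with the From: domain, and apply the published policy when neither does. The record, the SPF/DKIM results and the domains other than toobigtofail.com are constructed, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup a real receiver performs.

```python
# Added DMARC evaluation walk-through (not Sentrion/Sendmail code).
# Models the receiver's steps: read the sender domain's DMARC record, test
# whether SPF and/or DKIM pass AND align with the From: domain, apply policy.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=reject; ...' TXT record into a tag dict with defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment is the default
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). A real receiver uses
    the Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, record_txt, spf_result, spf_domain, dkim_sigs):
    """Return 'pass', or the record's p= value (none/quarantine/reject) on failure.
    spf_result is 'pass'/'fail' for the MAIL FROM domain spf_domain;
    dkim_sigs is a list of (result, d= signing domain) tuples."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, rec["adkim"])
                  for r, d in dkim_sigs)
    # DMARC passes if EITHER aligned mechanism passes; otherwise the receiver
    # honours the disposition the domain owner published in p=.
    return "pass" if (spf_ok or dkim_ok) else rec["p"]

# Constructed sample record: the bank publishes p=reject and asks for aggregate reports.
BANK_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@toobigtofail.com"

def phishing_scenario():
    # Spoofed From: toobigtofail.com; SPF passes only for the phisher's own
    # (constructed) domain and there is no DKIM signature, so nothing aligns.
    return evaluate("toobigtofail.com", BANK_RECORD, "pass", "mailer.example.net", [])

def legitimate_scenario():
    # Real alert: DKIM-signed with d=mail.toobigtofail.com, aligned under relaxed mode.
    return evaluate("toobigtofail.com", BANK_RECORD, "fail", "bounce.example.org",
                    [("pass", "mail.toobigtofail.com")])
```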

This will require some rethinking in terms of how messages are sent by third parties such as Marketo and Salesforce, but with Sentrion, customers can “glue” together application email generated on-premises and in the cloud. This allows your messaging team to take over all email being sent by the organization to better control your brand.

Sentrion customers already get DMARC support for outbound email, which provides for specific policy handling from recipients for email that is not properly authenticated as long as DKIM and SPF are deployed. In the future, Sentrion will also support DMARC for inbound email, which will allow customers to apply policies requested by third parties to email entering their backbones that cannot be properly validated.

What do you think about DMARC? Have you already begun leveraging it in your organizations? Please weigh in below.

DMARC State of the Union: Thursday, May 30, 2013 10:00 AM – 10:45 AM PDT

This entry was posted in Gregory Shapiro.

One Response to Phishing: DMARC to the Rescue

  1. I have been running DMARC for quite some time now. The key attention point, which is still quite hard to handle, is mailing lists, as there is still no well-implemented way of handling them, so basically when handling DMARC reports I first need to do a pass and extract what’s likely legitimate through mailing lists, and only then will I get my list of people impersonating me.