Deliverability

Protecting your domain reputation with DMARC

Any domain is only as protected as a domain owner makes it. Protect your domain reputation by implementing DMARC. Read more...

PUBLISHED ON

PUBLISHED ON

As someone who works in this wonderful world of email, I can tell you there are a few things that just make life miserable for everyone: spammers and phishers. The interwebz is still the preferred platform for business and social interactions, so of course, there’s more incentive for bad actors to target users for their own financial gain. Let’s look at the stupid easy ways bad actors can lure us into a trap, and how we can stop getting pwned by spammers.

You’ve been spoofed

One of the easiest ways for bad actors to infiltrate our lives is to use our trusting – and often lax – attitude towards established senders. Email spoofing tests our trust and exploits it, using it against us to see if we’ll take the bait if it looks like a message is coming from someone we know. You can be on the receiving end and not know the difference because bad actors will mimic email headers to look legitimate (unless you’re this guy).

More sophisticated spoofing attacks will often include company logos, be well written, and have links to websites that also look legitimate, making it really hard for a user to tell that they are being phished before it’s too late. But if you take a closer look at the full details of your email header, you can catch the weird things like IP addresses that you didn’t authorize to send on your behalf. Basically, it’s all too easy to replicate an email header and put your domain reputation at risk.

You’ve gone deep sea ‘phishing’

An unprotected domain is bad news for your reputation with ISPs. Your own domain users are left vulnerable to phishing attacks where bad actors will trick recipients with personalized messages. These messages can attempt to gain passwords, payment information, or confidential company information that you would not normally share. So, if you can’t function without binge watching Futurama, and Netflix is threatening to cancel your account because of a problem with your billing information…I’d say

  1. You’re all of us, and

  2. You might not question the legitimacy of this email:

Phishing email that appears to be from Netflix

And that’s just the small stuff. Big ol’ whaling attacks are just a security disaster waiting to happen because of how far they reach. They can hit your organization in the form of a message sent from a senior executive or a high-profile contact and are made to look like official correspondence. It’s pretty much a message you would reasonably expect like a legal subpoena, customer complaint, or a message from the CEO. If you’re being asked to provide confidential information or direct payment to an obscure source…flag it immediately.

How DMARC protects your reputation

Any domain is only as protected as a domain owner makes it. While DKIM and SPF are great for indicating where messages should be coming from, not very many ISPs filter email using these alone. Both DKIM and SPF provide the mechanics to filter out messages that fail their checks, but most providers will still allow message to go through. This is because it’s really hard to tell how many legitimate emails are being sent that don’t authenticate – especially if the sender isn’t getting any feedback. Enter DMARC.

DMARC (Domain-based Message Authentication, Reporting & Conformance) uses both the SPF and DKIM records together to better identify who sent the message. It can tell you if they were allowed to do so and identify themselves as the domain in the “From” fields of your email header. Adding DMARC as a protection to your domain will help reduce the possibility of a bad actor using your domain name to send emails from a random location that you did not designate with SPF.

It can also tell you if the message doesn’t have proper DKIM signing. SPF is controlled at the DNS level. It’s where you can say which servers can send on your behalf, and lets you reference whether the originating IP matches the list on your DNS. That’s how the recipient server knows the message is coming from an authorized sender for your domain. DKIM signs your messages to show that it is coming from the server that created the message, and not from an imposter that processed the message and inserted something into the message body itself.

To pass DMARC checks, SPF or DKIM must meet the requirements of both alignment and authentication. There has to be alignment between the domain in the “from” address, and the domain identified in the return path or “d=” portion of the DKIM signature. At Mailgun, when adding a domain to your account you are required to add DKIM and SPF records – both of which help to indicate where the domain is allowed to send email from. And by enabling DMARC, you have the added benefit of selecting a return address for reports of your domains sending activity to email hosting providers.

The DMARC site provides suggestions for aggregation services that take that return data and display it for you in a nice way that humans can read. Because who doesn’t like a solid feedback loop that helps to improve email deliverability?

Conclusions

DMARC is by no means a magic wand that will eliminate spoofing of your domain, but it can deter a spammer or phisher from using your domain name itself while trying to do one of these attacks. And of course, it can also help protect your domain reputation from being the domain perceived as the culprit behind an attack that is trying to use your domain name.

To protect your own users from spoofing attacks, remember that DMARC is part of the toolset that you will need to help accomplish this, but user education is always key. For assistance on setting up a DMARC record, check out dmarc.org and get the word directly from the authority.

Oh! And if you’d like to see how else you can protect your reputation, review our webinar on all things dedicated IP and learn when to use them for email.

Related readings

10 ways to improve and protect your sender reputation

What’s sender reputation? Glad you asked. In this article, we define what sender reputation is and its components, we’ll cover our top tips, and some of the most common mistakes...

Read more

Domain warm-up and reputation: Stretch before you send

So, you wanted to send out a lot of emails but found that when you did, a lot of them either ended up undelivered or in the spam folder. Think of it like this: When you start working...

Read more

Learning to improve Gmail deliverability

The inbox is a crowded arena, but you can’t compete if you don’t even make the cut. Any email sender will tell you email deliverability is a key success indicator and a surefire...

Read more

Popular posts

Mailgun iconSee what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon Mailgun Icon