Protecting Your Domain Reputation with DMARC

Written by Jonathan Torres

Categories: Best Practices | Security

4 minute read time

As someone who works in this wonderful world of email, I can tell you there are a few things that just make life miserable for everyone: spammers and phishers. The interwebz is still the preferred platform for business and social interactions, so of course there’s more incentive for bad actors to target users for their own financial gain. Let’s look at the stupid easy ways bad actors can lure us into a trap, and how we can stop getting pwned by spammers.

You’ve been spoofed

One of the easiest ways for bad actors to infiltrate our lives is to use our trusting – and often lax – attitude towards established senders. Email spoofing tests our trust and exploits it, using it against us to see if we’ll take the bait if it looks like a message is coming from someone we know. You can be on the receiving end and not know the difference because bad actors will mimic email headers to look legitimate (unless you’re this guy).

More sophisticated spoofing attacks will often include company logos, be well written, and have links to websites that also look legitimate, making it really hard for a user to tell that they are being phished before it’s too late. But if you take a closer look at the full details of your email header, you can catch the weird things like IP addresses that you didn’t authorize to send on your behalf. Basically, it’s all too easy to replicate an email header and put your domain reputation at risk.

Phishing Email - Nailed it!

You’ve gone deep sea ‘phishing’

An unprotected domain is bad news for your reputation with ISPs. Your own domain users are left vulnerable to phishing attacks where bad actors will trick recipients with personalized messages. These messages can attempt to gain passwords, payment information, or confidential company information that you would not normally share. So, if you can’t function without binge watching Futurama, and Netflix is threatening to cancel your account because of a problem with your billing information…I’d say

  1. You’re all of us, and
  2. You might not question the legitimacy of this email:

Netflix Phishing Email scam

And that’s just the small stuff. Big ol’ whaling attacks are just a security disaster waiting to happen because of how far they reach. They can hit your organization in the form of a message sent from a senior executive or a high-profile contact and are made to look like official correspondence. It’s pretty much a message you would reasonably expect like a legal subpoena, customer complaint, or a message from the CEO. If you’re being asked to provide confidential information or direct payment to an obscure source…flag it immediately.

How DMARC protects your reputation

Any domain is only as protected as a domain owner makes it. While DKIM and SPF are great for indicating where messages should be coming from, not very many ISPs filter email using these alone. Both DKIM and SPF provide the mechanics to filter out messages that fail their checks, but most providers will still allow message to go through. This is because it’s really hard to tell how many legitimate emails are being sent that don’t authenticate – especially if the sender isn’t getting any feedback. Enter DMARC.

DMARC (Domain-based Message Authentication, Reporting & Conformance) uses both the SPF and DKIM records together to better identify who sent the message. It can tell you if they were allowed to do so and identify themselves as the domain in the “From” fields of your email header. Adding DMARC as a protection to your domain will help reduce the possibility of a bad actor using your domain name to send emails from a random location that you did not designate with SPF. It can also tell you if the message doesn’t have proper DKIM signing. SPF is controlled at the DNS level. It’s where you can say which servers can send on your behalf, and lets you reference whether the originating IP matches the list on your DNS. That’s how the recipient server knows the message is coming from an authorized sender for your domain. DKIM signs your messages to show that it is coming from the server that created the message, and not from an imposter that processed the message and inserted something into the message body itself.

To pass DMARC checks, SPF or DKIM must meet the requirements of both alignment and authentication. There has to be alignment between the domain in the “from” address, and the domain identified in the return path or “d=” portion of the DKIM signature. At Mailgun, when adding a domain to your account you are required to add DKIM and SPF records – both of which help to indicate where the domain is allowed to send email from. And by enabling DMARC, you have the added benefit of selecting a return address for reports of your domains sending activity to email hosting providers. The DMARC site provides suggestions for aggregation services that take that return data and display it for you in a nice way that humans can read. Because who doesn’t like a solid feedback loop that helps to improve email deliverability?

Conclusions

DMARC is by no means a magic wand that will eliminate spoofing of your domain, but it can deter a spammer or phisher from using your domain name itself while trying to do one of these attacks. And of course, it can also help protect your domain reputation from being the domain perceived as the culprit behind an attack that is trying to use your domain name. To protect your own users from spoofing attacks, remember that DMARC is part of the tool set that you will need to help accomplish this, but user education is always key. For assistance on setting up a DMARC record, check out dmarc.org and get the word directly from the authority.

Oh! And if you’d like to see how else you can protect your reputation, join us for an upcoming webinar on all things dedicated IP and learn when to use them for email.

 

Tags: | | |

Modified on: September 5, 2018

Stay up-to-date with our blog & new email resources

We'll let you know when we add new email resources and blog posts. We promise not to spam you.