THE DMARC GUIDE. Understanding DMARC for Securing

Transcription

1 THE DMARC GUIDE Understanding DMARC for Securing

2 The History - Introduction despite its importance, ubiquity, and staying power has never been secure. Prior attempts at security have failed to solve s fundamental flaw anyone can send using someone else s identity. This flaw has put the power of the world s most admired brands in criminal hands through , criminals can use almost any brand to send spam, fraud, phishing and malware installs, inflicting direct losses to customers and eroding the brand equity companies have spent years building up. DMARC an open standard enabled on 70% of the world s inboxes and 85% of US inboxes and also by the most security-forward brands is the only solution that enables Internet-scale protection and prevents fraudulent use of legitimate brands for cyberattacks. Many of the most respected brands in the world, including Facebook, Apple, JPMorgan Chase and PayPal have adopted DMARC to protect their customers and their brand. Companies adopt DMARC for many reasons, chief among them are: Gain visibility into their channel to determine the legitimate and fraudulent use of their domains. Stop brand & abuse, to decrease reputational risk and preserve brand loyalty through . Ensure legitimate is getting delivered, while fraudulent is not. Receive alerts when changes to infrastructure may impact the delivery of legitimate messages. Identify sources and forms of threat so that companies are equipped to proactively prevent attacks. Using DMARC companies gain unprecedented visibility into the legitimate and fraudulent use of their domains, enabling them to protect their customers, employees, and brands from -based cybercrime. The overall impact to companies that have adopted DMARC is preservation of brand equity, elimination of customer support costs related to fraud, and renewed trust and engagement in the company s channel. 2

3 The Basics - What Is DMARC? DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an open standard published in 2012 by the industry consortium DMARC.org to protect the channel. It extends two previously established authentication standards SPF and DKIM, and is the only way for senders to tell receivers that s they are sending are truly from them. DMARC is currently an IETF-adopted RFC. It allows companies that send to: 1 Authenticate all legitimate messages and sources for their -sending domains, including owned and third party domains. 2 Publish an explicit policy that instructs mailbox providers what to do with messages that are determined not to be legitimate. These messages can either be sent to a junk folder or rejected outright, protecting unsuspecting recipients from exposure to attacks. 3 Gain intelligence on all use of their domains across the Internet. This domain-level data can help companies to not only identify threats against their customers, but also discover legitimate senders that they may not even be aware of. SSL changed the Internet by giving brands the ability to tell consumers that their websites were authentic. DMARC is doing the same for . DMARC is endorsed by the following industry governance bodies: Businesses which fail to implement authentication to its fullest potential not only place their brand reputation at risk, but open the debate on liability relating to the lack of consumer protection safeguards. The OTA Integrity Annual Audit Implementing DMARC stopped nearly 25 million attempted attacks on our customers during the 2013 holiday buying season alone. Not only is DMARC shutting down spoofed domain attacks, but it has also cut the overall volume of daily attacks in half since Trent Adams, Chair of DMARC.org & Senior Advisor on Security for PayPal and ebay Inc. 3

4 The Numbers - DMARC Adoption Worldwide 70% 60% 64% 60% DMARC Adoption By Industry 50% 40% 30% 20% 10% 50% 43% 29% 25% 21% 13% 13% 13% 0% Social Etailers Logistics Mega Banks Travel Large Banks EU Health Care Large Banks Retail Airlines DMARC ENABLED MAILBOXES IN THE US DOMAINS WITH DMARC REJECT DMARC ENABLED MAILBOXES GLOBALLY AFTER DMARC: DROP IN CONSUMER REPORTS OF BAD 80,000 85% 70% 70% PayPal 50% Outlook.com Source: Facebook via Source: Google Source: DMARC.org Source: DMARC.org DMARC.org 4

5 The Believers - Early Adopters Pave the Path 2.5 Billion Mailboxes Worldwide are DMARC enabled DMARC SENDERS DMARC RECEIVERS Recreate logo Is there a way that companies can protect against the new Silicon Valley of attack capabilities? Yes. As Tom Kellerman, Chief Cybersecurity Officer at Trend Micro remarks, There are three different ways you can protect against this. Greater forms of user verification, greater forms of implementation of DMARC, and use of breach detection systems. 5

6 The Benefits Why You Should Care Brand Protection It is only a matter of time before a criminal will use your domain for his own benefit. Whether the criminal activity is phishing, malware distribution, or nuisance spam, it harms your brand to be associated with these attacks. Fewer Customer Service Calls Customers don t call or send to ask about phishing messages if they never receive those messages in the first place! One Agari customer was able to redeploy 60 staff members after publishing a reject policy on a highly phished domain. Reduced Account Takeovers By preventing delivery of phishing and malware-laden messages directed at your customers, a DMARC reject policy can reduce the number of account takeovers. This leads to a direct reduction in fraud losses. Less Server Load From Backscatter When criminals pretend to be you, they often send to non-existent addresses, full mailboxes, people who have a vacation responder, etc. The resulting bounce-back messages don t go to the criminal...they come to you. Increased Deliverability Visibility Into Cyberattack Risk Understanding the Threat Landscape Your Mom Will Thank You! Even legitimate messages may wind up in the spam folder if the receiver can t tell the good from the bad. By deploying DMARC, you can improve deliverability of your legitimate messages while eliminating the fraudulent. Do you know every 3rd party company sends on behalf of your company? While 3rd party senders are needed, each time you provide customer, employee, or partner details to a 3rd party, you increase the risk of cyberattacks. DMARC enables you to see every 3rd party sending on your behalf to ensure they comply with best practices. Are attacks against your customers common or rare? Are the attacks well crafted? Do criminals use malware or phishing URLs to gather credentials? These questions can be answered by publishing a DMARC monitor policy, which has no impact on your mail flow. The higher threat visibility, the better security you can implement, increasing your bottom line. Seriously. Because it s not cool for consumers to shoulder the burden of guessing which of your s are real and which are malicious. Do your mom a favor and deploy DMARC for your company we swear she ll thank you. 6

7 The Standards A Closer Look SPF DKIM DMARC About (aka Sender Policy Framework) SPF is an authentication standard that allows domain owners to specify which servers are authorized to send with their domain in the Mail From: address. SPF allows receivers to query DNS to retrieve the list of authorized servers for a given domain. If an message arrives via an authorized server, the receiver can consider the authentic. (aka DomainKeys Identified Mail) DKIM is an authentication standard that cryptographically associates a domain name with an message. Senders insert cryptographic signatures into messages that receivers can verify by using DNShosted public keys. When verification is successful, DKIM provides a reliable domainlevel identifier that can survive forwarding (unlike SPF). (aka Domain-based Message Authentication, Reporting, & Conformance) DMARC is an authentication standard that works in conjunction with SPF & DKIM bringing long-missing features to enabling senders to gain visibility into how their domains are used and abused, describing how to combine existing authentication technologies to create secure channels, and providing receivers with clear directives on how to safely dispose of unauthorized all at Internet scale. Example DNS Record example.net. IN TXT v=spf1 a mx -all selector._domainkey.example.net IN TXT v=dkim1; k=rsa; p=public key data dmarc.domain.com. IN TXT v=dmarc1; p=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; Weakness SPF is not ideal for all use cases and can fail if a message is forwarded. The Mail From domain authenticated by SPF is not easily visible by an recipient. DKIM is generally more complex to set up than SPF, requiring a cryptographic signature on each message sent. DKIM will fail when content is modified in transit, like messages sent through a mailing list. Adoption! Get on board your mom will thank you! For More Info

8 The Mechanics - How DMARC Works The DMARC model uses DNS as the mechanism for policy publication. DMARC records are hosted as TXT DNS records in a DMARC specific namespace. The DMARC namespace is created by prepending _dmarc. to the domain that is to become DMARC compliant. For example, if the domain example.com publishes a DMARC record, issuing a DNS query for the TXT record at _ dmarc.example.com will retrieve the DMARC record. The DMARC specification allows senders to publish policy records containing parameters that receivers use to inform the processing of s that purport to come from the sender s domain. The features that DMARC enables are: Flexible policies. The DMARC model allows senders to specify one of three policies to be applied against that fails underlying authentication checks: p=none no policy should be applied, also often referred to as monitor. This option is used when senders simply want to collect feedback from receivers. p=quarantine that fails authentication checks should be treated with suspicion. Most receiving mail systems will deliver these messages to an end user s spam-folder. It could mean increased anti-spam scrutiny or flagging as suspicious to end-users in some other way. p=reject that fails authentication checks should be rejected at the receiving mail server. These messages should never reach the end user s mailbox and feedback will be sent to the party specified in the policy. Sub-domain-specific policies. DMARC records can specify different policies for top-level domains vs. sub-domains (using the p= and sp= tags). Phased rollout of policy. DMARC records can include a percentage tag ( pct= ) to specifies how much of an stream should be affected by DMARC policy. Using this feature, senders can experiment with progressively stronger policies until enough operational experience is gained to move to 100% coverage. Identifier Alignment flexibility. The DMARC specification allows domain owners to control the semantics of Identifier Alignment. For both SPF and DKIM generated authenticated domain identifiers, domain owners can specify if strict domain matching is required or if parent and/or sub- domains can be considered to match. Feedback controls. DMARC records include parameters that specify where, how-often, and in which format feedback should be sent to the domain owner. 8

9 The Big Picture It s Worth A Thousand Words Before DMARC Without DMARC, brands have limited visibility into how domains are being used to send YOUR BRAND 3 rd PARTY After DMARC DMARC provides visibility into all traffic and then instructs receivers how to handle unauthenticated s, all outside of the mail flow Massive DMARC dataset provides visibility into sources Data analysis & threat forensics shared with brand to increase intelligence & security Infrastructure & threat alerts triggered YOUR BRAND 3 rd PARTY Data sent from receivers to DMARC provider REJECTED BY DMARC 9

10 The Next Steps - Putting DMARC Into Practice Domain owners that wish to become DMARC-compliant need to perform 3 activities: 1 Publish a DMARC record. To begin collecting feedback from receivers, publish a DMARC record as a TXT record with a domain name of _dmarc.<your-domain.com> : v=dmarc1; p=none; rua=mailto:dmarc-feedback@<your-domain.com>; Doing so will cause DMARC-compliant receivers to generate and send aggregate feedback to dmarc-feedback@<your-domain.com>. The p=none tag lets receivers know that the domain owner is only interested in collecting feedback. 2 Deploy authentication SPF and DKIM: Deployment of SPF involves creating and publishing an SPF record that describes all of the servers authorized to send on behalf of an domain. Small organizations usually have simple SPF records, where complex organizations often maintain SPF records that authorize a variety of data-centers, partners, and 3rd-party senders. DMARC-supplied aggregate feedback can help identify legitimate servers while bootstrapping an SPF record. Deployment of DKIM requires domain owners to configure servers to insert DKIM-Signatures into and to publish public keys in the DNS. DKIM is widely available and supported by all major vendors. DMARC-supplied aggregate feedback can help identify servers that emit without DKIM signatures. 3 Ensure that Identifier Alignment is met. DMARC-supplied aggregate feedback can be used to identify where underlying authentication technologies are generating authenticated domain identifiers that do not align with the Domain. Correction can be rapidly made once misalignment is identified. By taking these steps, domain owners can effectively monitor and make informed security decisions. Get Started! Share this book 10

11 Agari.com 11