A New Way For Emailers To Defend Themselves Against Email Fraud




June 27, 2012

Defining DMARC: A New Way For Emailers To Defend Themselves Against Email Fraud
by Shar VanBoskirk with Sarah Glass and Elizabeth Komar

Why Read This Report

Hundreds of brands are hijacked by phishing scams every month, costing companies, and ultimately their end customers, billions. And existing methods to fight phishing, like email authentication standards, aren't enough to stop the problem. This report introduces a new way marketers can defend themselves against email fraud: by applying Domain-based Message Authentication, Reporting, and Conformance (DMARC). Read this report to understand why existing anti-phishing standards have failed, what DMARC can and cannot do to address these failures, and what marketers need to do to get started with DMARC.

Marketers Need Better Visibility Into The Email Channel

Email data theft and the phishing scams that result cost billions and destroy customer relationships. [1] And despite more than a decade of developing ways to secure email data, email fraud is more common than ever. [2] Why?

Spam filters aren't foolproof. The spam filters of Internet service providers (ISPs) analyze details like volume, complaints, bounce rates, and sender reputation to try to block unnecessary email volume and protect email users from spammers or fraudulent senders. But targeted phishing attacks sometimes beat even the smartest ISP filters, while legitimate senders struggle to get emails out of spam folders. For example, 65% of the Internet Retail 500 implement anti-phishing tactics such as email authentication. Yet 9% of the email that comes from their domains is spoofed. [3]

Emailers don't adopt authentication standards. Standards exist to help legitimate marketers identify genuine emails to ISPs (see Figure 1). [4] But in 2011, only 26% of organizations used one or more forms of email authentication. [5] Adoption is low because: 1) stakeholders don't want to take the time required to authenticate all of a company's outbound emails; 2) authentication doesn't guarantee delivery, since senders must still pass spam filters; and 3) traditional ISP reporting around authenticated and unauthenticated email is unreliable.

Authentication doesn't prevent fraud. Authentication confirms that a sent email comes from an identified sender. But it doesn't prove that the sender is reputable. And though some ISPs like Gmail can connect a company's reputation score with its authentication records, that doesn't necessarily prohibit the delivery of unauthenticated or spoofed emails.

Headquarters: Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA, 02140 USA. Tel: +1 617.613.6000. Fax: +1 617.613.5000. www.forrester.com

Figure 1: Authentication Standards Aren't Enough To Stop Phishing

1-1 Email authentication confirms a sender by matching the from address to the sender's domain. In the figure's example of a properly authenticated email, the domain name matches a verified authentication signature. Most emails do not include verified authentication signatures, so to an ISP, legitimate unauthenticated emails and domain-spoofed emails look identical.

1-2 Legitimate unauthenticated email and spoofed email can be indistinguishable. Types of email, from good to bad:

  Authenticated email: Contains verifiable information so that email receivers can automatically recognize senders.
  Unauthenticated email: Lacks information to help an email box provider verify who sent the message.
  Direct domain spoof: Sent by a malicious sender using a legitimate sender's domain.
  Cousin spoofing: Looks authentic, but actually comes from an illicit domain.

DMARC reports and forensic emails show senders the difference between good and bad unauthenticated email that appears to come from one domain. Once legitimate email streams from a domain are authenticated, marketers can select a DMARC enforcement policy, quarantine or reject, which will take action against unauthenticated email.

Source: Forrester Research, Inc.

Introducing A New Approach To Fight Email Fraud

Enter DMARC: a new way for any email sender to affordably manage phishing attacks. What exactly is DMARC?

A collaboration... DMARC started with a partnership between PayPal and Yahoo in 2007 and then with Google in 2008 to protect consumers from popular phishing scams. [6] PayPal wanted a way for these ISPs to block spoofed messages coming from its domain. The DMARC collaborative (DMARC.org) was officially chartered in 2011 to combat fraudulent email at scale. Today it includes its founding members as well as some of the biggest consumer ISPs and email senders like AOL, Hotmail, Comcast, Facebook, Bank of America, and American Greetings. [7]

... and a specification... Members of DMARC.org created a specification to combat spoofed mail. It enables senders to tell emailbox providers how to treat unauthenticated mail: deliver, quarantine, or reject it. It also gives emailbox providers a way to report information back to senders about failed authentication, domain spoof attempts, and where unauthenticated email is coming from within a sender's organization.

... which leverages existing authentication standards. DMARC is not another authentication standard. It allows senders who use the existing authentication standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to receive reports about what email is authenticated and what isn't, and to take action against unauthenticated mail. [8] Participating emailbox providers have agreed on a consistent way to report on email authentication, which helps improve marketer deliverability. When Intercontinental Hotels Group (IHG) worked with Return Path to beta test DMARC, it increased its deliverability rates by 32%. [9]

DMARC Illuminates Authentication And Phishing Problems

The value of joining the DMARC organization and participating in its process is that it gives marketers:

Visibility into email authentication history. DMARC authentication reports and forensic emails (copies of every email that originates from your domain) will reveal which groups within an organization fail to authenticate. This capability eliminates the need to investigate every department or manually monitor email practices. [10] And rather than discovering fraud after the fact, senders can review reports for evidence of domain spoofing. This gives marketers a head start to take down fraudulent URLs or prepare for backlash from scams committed in their names.

Ways to halt delivery of unauthenticated email. In addition to receiving authentication reports, senders can also set their DMARC preferences, which are applied to the domain name system (DNS) records, to tell ISPs to monitor, quarantine, or reject unauthenticated email. Monitor tells the ISP to take no action against unauthenticated mail. Quarantine allows marketers to scrutinize, flag, or direct suspicious emails to a spam folder. And reject permanently terminates delivery of the selected messages. By implementing a termination policy, PayPal reduced the percentage of unauthenticated emails delivered (likely domain spoofs from phishers) from 4% of its entire email stream to 0%. [11]

But DMARC Is No Panacea

DMARC alone won't stop phishing, fraud, or email data theft. Marketers getting familiar with DMARC should understand that it is not:

An automatic entry into the inbox. Authenticated emails, resplendent with their DMARC records, still have to pass through spam filters (see Figure 2). In the future ISPs may give extra credit to senders using DMARC. But even so, email marketers should still apply other deliverability best practices in order to increase user engagement and minimize complaints. [12] For example, IHG increased its deliverability rates by 32% by improving its authentication and adhering to the best practices required to get accredited as a good sender by email reputation vendor Return Path.

A replacement for email authentication. DMARC reports simplify the process of identifying authenticated versus unauthenticated email. Michael Adkins, a DMARC engineer for Facebook, explains, "Without [DMARC], it is expensive and time-consuming to monitor your system for authentication issues." [13] But DMARC doesn't automatically authenticate a sender's email stream. To consistently authenticate, make email authentication a mandatory part of your company's data security policies. Then use DMARC reports to track down noncompliant business units. Michael Hammer, head of web operations security at American Greetings, finds that "Using DMARC is an opportunity to improve [authentication] practices across the board."

Reliable for B2B emailers today. To date, only major consumer ISPs have agreed to implement DMARC. [14] More common B2B inboxes like Microsoft's Outlook and Lotus Notes and filtering systems like Postini, Barracuda, and Symantec have yet to accept this new process. Quinn Jalli, Epsilon's senior vice president of marketing technologies, expects that B2B partners will be on board soon; they are just on a slower curve. We agree. Look for Microsoft and Google, founding members of DMARC, to get their Outlook and Postini properties on board within the next two years. [15]
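The DNS record and the monitor/quarantine/reject policies described above, together with the XML aggregate reports that endnote 10 mentions, as an added example that is not code from this report or from DMARC.org: it parses a DMARC TXT record, tallies a constructed aggregate report per sending IP, and shows what each policy would do with the failing volume. The domain brand.example, the IP addresses and the report contents are constructed placeholders; the record and report layout follow RFC 7489.

```python
import xml.etree.ElementTree as ET


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as "v=DMARC1; p=quarantine; rua=mailto:..."
    into its tag=value pairs; raise if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags


# One <record> of an aggregate report, in the RFC 7489 Appendix C layout.
RECORD = (
    "<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
    "<policy_evaluated><disposition>none</disposition>"
    "<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
    "<identifiers><header_from>brand.example</header_from></identifiers></record>"
)

# Constructed sample report (not a real ISP's data): the brand's ESP, an
# internal server that never set up SPF/DKIM, and an unknown host spoofing
# the From domain. brand.example and the IPs are placeholders.
SAMPLE_REPORT = (
    '<?xml version="1.0"?><feedback><report_metadata>'
    "<org_name>example-isp.invalid</org_name></report_metadata>"
    "<policy_published><domain>brand.example</domain><p>none</p></policy_published>"
    + RECORD.format(ip="192.0.2.10", n=9500, dkim="pass", spf="pass")
    + RECORD.format(ip="192.0.2.77", n=300, dkim="fail", spf="fail")
    + RECORD.format(ip="198.51.100.5", n=200, dkim="fail", spf="fail")
    + "</feedback>"
)


def summarize_report(xml_text: str) -> dict:
    """Tally DMARC pass/fail volume per source IP. The dkim/spf values in
    <policy_evaluated> are already alignment-checked, so DMARC passes when
    either one is "pass"."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(ip, {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "sources": sources,
        "total_fail": sum(s["fail"] for s in sources.values()),
    }


def disposition(policy: str, passed: bool) -> str:
    """What a receiver does with mail under each DMARC policy (the report's
    monitor / quarantine / reject)."""
    if passed:
        return "delivered"
    return {"none": "delivered (monitor only)",
            "quarantine": "junk folder",
            "reject": "blocked"}[policy]


if __name__ == "__main__":
    record = parse_dmarc_record("v=DMARC1; p=quarantine; rua=mailto:dmarc@brand.example")
    summary = summarize_report(SAMPLE_REPORT)
    for ip, counts in summary["sources"].items():
        print(ip, counts, "->", disposition(record["p"], counts["fail"] == 0))
```

The per-IP tally is what lets a sender separate its own unauthenticated business unit (192.0.2.77 here) from an outside spoofer (198.51.100.5) before moving the published policy from none to quarantine or reject.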

Figure 2: The Authentication And DMARC Process Map

Steps to DMARC, showing sender activities, domain-spoofer activities, and ISP activities:

Step 1. Sender: the author publishes her DNS record to DMARC. Spoofer: a hacker gains access to a legitimate sender's domain.
Step 2. Sender: mail is authenticated with SPF or DKIM.
Step 3. Sender: email is sent to ISPs. Spoofer: email is sent to ISPs.
Step 4. ISP: standard validation tests are applied. Filter: to screen out bad actors, ISPs apply tests, like volume limits and lists of past offenders, that authenticated email must pass.
Step 5. ISP: authentication protocols are retrieved. DKIM: the ISP compares the sender's domain with verified DKIM domains. SPF: the ISP retrieves the SPF authentication signatures.
Step 6. ISP: authenticated emails are delivered; unauthenticated emails are blocked.
Step 7. ISP: the appropriate DMARC policy is applied to unauthenticated mail. Monitor: the sender receives regular reporting but all mail is delivered. Quarantine: unauthenticated mail is delivered to consumers' junk mail. Reject: delivery of the unauthenticated mail is permanently blocked.

Outcome: the consumer receives legitimate email.

Source: Forrester Research, Inc.

Recommendations

Consider DMARC Part Of Treatment, Not A Cure

Participating in the DMARC organization and process is a no-brainer, even though it is not a complete cure for all email woes. It is free and provides better visibility into email authentication than anything else to date. And you can begin with DMARC just by publishing your DNS record. Don't worry; if you don't know how to do this, your IT team, email service provider (ESP), or reputation management vendor does. In fact Epsilon, ExactTarget, Agari, and Return Path already implement DMARC on behalf of their clients. [16] To best leverage DMARC:

Create a take-down plan for domain-spoofed emails. After publishing your DNS record you will receive authentication reports at a specified email address almost immediately. This is when the real work begins. DMARC will illuminate potential email fraud. But you need your own action plan for what to do when you see trouble. Michael Hammer uses these reports as alerts to take down spoofed messages or block violating URLs before customers alert him to the problem. Vendors like VeriSign, Netcraft, MarkMonitor, and FraudWatch International can offload the hard work here by managing take-down procedures or placing URLs into browser block feeds. [17]

Prioritize email data security. Email hackers take advantage of soft spots in email data security practices. [18] So make sure you don't have any. [19] Tools like Forrester's Email Security Review will help email marketers learn how to close security gaps and provide a template for working with security officers who are part of IT and less familiar with marketing requirements.

Stay tuned to the DMARC conversation. DMARC is in its infancy. We anticipate improved benefits to develop from DMARC, like building reputation scores based on domains instead of IP addresses, as more marketers and ISPs use it. Keep abreast of DMARC developments by tapping resources like the Anti-Phishing Working Group, DMARC.org, Online Trust Alliance, and of course your ESP.

Supplemental Material

Companies Interviewed For This Report: Agari, American Greetings, Epsilon, Microsoft Hotmail, PayPal, Return Path, ExactTarget

Endnotes

1. Phishing is when hackers spoof a company's domains in order to rip off its customers. For more information about the gravity of this sort of electronic fraud to email marketers, see the August 5, 2011, "How To Protect Your Email Data" report.

2. Direct domain-spoofed phishing emails are usually the result of a data breach. RSA, the Security Division of EMC, tracks data about security breaches due to cyber attacks. Its research shows that not only are attacks on companies increasing but cyber criminals are becoming ever more sophisticated. Source: RSA Online Fraud Resource Center (http://www.emc.com/emc-plus/rsa-thought-leadership/online-fraud/index.htm). To see the latest trends in phishing specifically, see APWG's Phishing Attacks Trends Report 1H 2011. Source: Phishing Attacks Trends Report 1H 2011, APWG, December 23, 2011 (http://www.antiphishing.org/phishreportsarchive.html).

3. The Online Trust Alliance monitors rates of spoofing and found that as much as 90% of some senders' email is spoofed. For more information about these statistics, see the following report. Source: 2011 Online Trust Scorecard & Honor Roll, Online Trust Alliance, May 2011 (https://otalliance.org/resources/2011honorroll/2011_otaonlinetrustscorecard.pdf).

4. To learn more about the two most common standards, SPF and DKIM, visit their web pages: SPF (http://www.openspf.org/introduction) and DKIM.org (http://www.dkim.org/).

5. The Online Trust Alliance also found that only 26% of senders use authentication methods like DKIM and SPF. For more information about these statistics, see their website. Source: 2011 Online Trust Scorecard & Honor Roll, Online Trust Alliance, May 2011 (https://otalliance.org/resources/2011honorroll/2011_OTAOnlineTrustScorecard.pdf).

6. To read more about the history of DMARC, see the blog post from Sam Masiello, the GM/chief security officer for Return Path, announcing their support of DMARC. Source: Sam Masiello, "DMARC.org: A Giant Step Forward in the Fight Against Phishing," In The Know Blog, January 30, 2012 (http://www.returnpath.net/blog/intheknow/2012/01/dmarc-org-a-giant-step-forward-in-the-fight-against-phishing/).

7. To see all the founding contributors to DMARC, check out their website. Source: DMARC.org (http://dmarc.org/about.html).

8. The two authentication standards are: 1) Sender Policy Framework (SPF), an email validation system designed to prevent spam by matching an email sender's IP address against a preregistered address, and 2) DomainKeys Identified Mail (DKIM), a cryptography-based protocol that places a unique signature in each message, which the ISP confirms upon delivery.

9. When IHG decided to update its email program, it made the security and protection of its brand from spoofing or phishing a high priority. Read more about this case study in the following blog post. Source: George Bilbrey, "Case Study: IHG Optimizes and Secures Email Channel with Return Path," In the Know Blog, March 13, 2012 (http://www.returnpath.net/blog/intheknow/2012/03/case-study-ihg-optimizes-andsecures-email-channel-with-return-path/).

10. The basic XML reports you will be emailed are free, but vendors such as Agari, the Online Trust Alliance, or Return Path also offer additional services like providing a visually appealing report, recommendations for authentication improvements, and alerts if problems occur.

11. Despite aggressively using email authentication and private channels with ISPs, 4% of their email stream was still unauthenticated. These unauthenticated emails were typically domain-spoofed emails. By implementing a termination policy, Return Path was able to reduce their unauthenticated email delivery rates from 4% to 0%.

12. To learn more about email best practices that lead to good delivery rates, see the July 7, 2008, "The Secret To Email Delivery" report.

13. See Michael's full DMARC announcement on Facebook. Source: Facebook (https://www.facebook.com/notes/facebook-engineering/dmarc-building-open-source-email-authenticationtechnologies/10150524975728920).

14. At the time of this report, only Gmail was implementing DMARC, but the other founding ISPs were in the process of setting up the necessary standards. Source: DMARC.org (http://www.dmarc.org/resources.html).

15. Currently Gmail is the only ISP that is returning DMARC records, but Yahoo and Hotmail have agreed to implement the standard reporting criteria in Q1 2012 and start testing reports by Q2 2012. Source: DMARC.org (http://www.dmarc.org/resources.html).

16. Senders can implement DMARC on their own, but if you want help understanding the reports and making business decisions based on them, an ESP or a reputation management company will help. They can make sense of the DMARC reports by uploading them into a more visually appealing platform, make recommendations for email authentication improvements, and alert you if domain spoofing occurs.

17. The Anti-Phishing Working Group lists several recommended vendors for these services. Source: APWG (http://www.antiphishing.org/solutions.html).

18. In our first report on email security, we found the value of email data has four components: 1) consumers want their email addresses kept secure; 2) email data lost can cost companies millions; 3) email addresses enable further data theft; and 4) cybercrimes are a growing concern. To read more about why email data is valuable and how to protect it, see the August 5, 2011, "How To Protect Your Email Data" report.

19. Cisco, a software company that develops security programs for consumers and businesses, saw a recent shift from high-volume attacks to low-volume and targeted attacks on organizations. Source: "Email Attacks: This Time It's Personal," Cisco, June 2011 (http://www.cisco.com/en/us/prod/collateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf).

Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 27 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

2012 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email clientsupport@forrester.com. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. 72561