THE DMARC GUIDE. Understanding DMARC for Securing Email



Similar documents
Curbing Threats & Spear Phishing The Promise & Results with DMARC

This user guide provides guidelines and recommendations for setting up your business s domain authentication to improve your deliverability rating.

Protect Outbound Mail with DMARC

Evaluating DMARC Effectiveness for the Financial Services Industry

Security - DMARC ed Encryption

Deliverability Counts

Protect your brand from phishing s by implementing DMARC 1

DMARC and your.bank Domain. September 2015 v

AntiSpam. Administrator Guide and Spam Manager Deployment Guide

DMA s Authentication Requirement: FAQs and Best Practices

SCORECARD MARKETING. Find Out How Much You Are Really Getting Out of Your Marketing

A New Way For ers To Defend Themselves Against Fraud

Authentication Policy and Deployment Strategy for Financial Services Firms

The What, Why, and How of Authentication

Anti-Phishing Best Practices for ISPs and Mailbox Providers

THE SECURITY EXECUTIVE S GUIDE TO A SECURE INBOX. How to create a thriving business through trust

DST . Product FAQs. Thank you for using our products. DST UK

How s are sent from Xero

Migrating to.bank A step-by-step roadmap for migrating to.bank

How To Ensure Your Is Delivered

DMARC. How. is Saving . The New Authentication Standard Putting an End to Abuse

Marketing Workshop

Reputation Metrics Troubleshooter. Share it!

Sender Authentication Technology Deployment and Authentication Identifiers

Cloud Services. Anti-Spam. Admin Guide

Exchange Online Protection In-Depth

DomainKeys Identified Mail (DKIM) Murray Kucherawy The Trusted Domain Project

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

security

DomainKeys Identified Mail (DKIM): Introduction and Overview. Eric Allman Chief Science Officer Sendmail, Inc.

Internet Reputation Management Guide. Building a Roadmap for Continued Success

Trend Micro Hosted Security Stop Spam. Save Time.

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Correlation and Phishing

Malicious Mitigation Strategy Guide

DomainKeys Identified Mail DKIM authenticates senders, message content

More Details About Your Spam Digest & Dashboard

TrustDefender Mobile Technical Brief

FILTERING FAQ

Internet Reputation Management Guidelines Building a Roadmap for Continued Success

WHITEPAPER. SendGrid Deliverability Guide V2. Everything You Need to Know About Delivering through Your Web Application

Trend Micro Hosted Security Stop Spam. Save Time.

Comprehensive Anti-Spam Service

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Quarantined Messages 5 What are quarantined messages? 5 What username and password do I use to access my quarantined messages? 5

Panda Cloud Protection

Post-Send Vetting Techniques... 6 Methodology... 6

Intercept Anti-Spam Quick Start Guide

2015 Online Trust Audit & Honor Roll Practices Deep Dive July 7, All rights reserved. Online Trust Alliance (OTA) Slide 1

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Anti Spam Best Practices

Why Spamhaus is Your Best Approach to Fighting Spam

WHITEPAPER. V12 Group West Front Street, Suite 410 Red Bank, NJ

Internet Standards. Sam Silberman, Constant Contact

Stop Spam. Save Time.

Top 10 Tips to Keep Your Small Business Safe

eprism Security Suite

Get to the Inbox Ten Top Tips to Maximize Your Deliverability

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

WHITE PAPER Moving Beyond the FFIEC Guidelines

Eloqua Enhanced Branding and Deliverability More s to the inbox means more opportunities and revenue.

SPAM, VIRUSES AND PHISHING, OH MY! Michael Starks, CISSP, CISA ISSA Fellow 10/08/2015

Trend Micro Hosted Security. Best Practice Guide

How to set up a multifunction device or application to send using Office 365

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

5 tips to improve your database. An Experian Data Quality white paper

FAQ (Frequently Asked Questions)

SMTP Settings. Magento Extension User Guide. Official extension page: SMTP Settings. User Guide: SMTP Settings

2014 Sender Score Benchmark Report

Marketing 201. How a SPAM Filter Works. Craig Stouffer Pinpointe On-Demand cstouffer@pinpointe.com (408) x125

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

WHITE PAPER. The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks

Mailwall Remote Features Tour Datasheet

What is a Mail Gateway?... 1 Mail Gateway Setup Peering... 3 Domain Forwarding... 4 External Address Verification... 4

How To Integrate Hosted Security With Office 365 And Microsoft Mail Flow Security With Microsoft Security (Hes)

Transcription:

THE DMARC GUIDE Understanding DMARC for Securing Email

The History - Introduction Email despite its importance, ubiquity, and staying power has never been secure. Prior attempts at security have failed to solve email s fundamental flaw anyone can send email using someone else s identity. This flaw has put the power of the world s most admired brands in criminal hands through email, criminals can use almost any brand to send spam, fraud, phishing email and malware installs, inflicting direct losses to customers and eroding the brand equity companies have spent years building up. DMARC an open standard enabled on 70% of the world s inboxes and 85% of US inboxes and also by the most security-forward brands is the only solution that enables Internet-scale email protection and prevents fraudulent use of legitimate brands for email cyberattacks. Many of the most respected brands in the world, including Facebook, Apple, JPMorgan Chase and PayPal have adopted DMARC to protect their customers and their brand. Companies adopt DMARC for many reasons, chief among them are: Gain visibility into their email channel to determine the legitimate and fraudulent use of their domains. Stop brand & email abuse, to decrease reputational risk and preserve brand loyalty through email. Ensure legitimate email is getting delivered, while fraudulent email is not. Receive alerts when changes to email infrastructure may impact the delivery of legitimate messages. Identify sources and forms of threat so that companies are equipped to proactively prevent attacks. Using DMARC companies gain unprecedented visibility into the legitimate and fraudulent use of their domains, enabling them to protect their customers, employees, and brands from email-based cybercrime. The overall impact to companies that have adopted DMARC is preservation of brand equity, elimination of customer support costs related to email fraud, and renewed trust and engagement in the company s email channel. www.agari.com 2

The Basics - What Is DMARC? DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an open email standard published in 2012 by the industry consortium DMARC.org to protect the email channel. It extends two previously established authentication standards SPF and DKIM, and is the only way for email senders to tell email receivers that emails they are sending are truly from them. DMARC is currently an IETF-adopted RFC. It allows companies that send email to: 1 Authenticate all legitimate email messages and sources for their email-sending domains, including owned and third party domains. 2 Publish an explicit policy that instructs mailbox providers what to do with email messages that are determined not to be legitimate. These messages can either be sent to a junk folder or rejected outright, protecting unsuspecting recipients from exposure to attacks. 3 Gain intelligence on all use of their domains across the Internet. This domain-level data can help companies to not only identify threats against their customers, but also discover legitimate senders that they may not even be aware of. SSL changed the Internet by giving brands the ability to tell consumers that their websites were authentic. DMARC is doing the same for email. DMARC is endorsed by the following industry governance bodies: Businesses which fail to implement email authentication to its fullest potential not only place their brand reputation at risk, but open the debate on liability relating to the lack of consumer protection safeguards. The OTA 2014 Email Integrity Annual Audit Implementing DMARC stopped nearly 25 million attempted attacks on our customers during the 2013 holiday buying season alone. Not only is DMARC shutting down spoofed domain attacks, but it has also cut the overall volume of daily attacks in half since 2012. Trent Adams, Chair of DMARC.org & Senior Advisor on Email Security for PayPal and ebay Inc. www.agari.com 3

The Numbers - DMARC Adoption Worldwide 70% 60% 64% 60% DMARC Adoption By Industry 50% 40% 30% 20% 10% 50% 43% 29% 25% 21% 13% 13% 13% 0% Social Etailers Logistics Mega Banks Travel Large Banks EU Health Care Large Banks Retail Airlines DMARC ENABLED MAILBOXES IN THE US DOMAINS WITH DMARC REJECT DMARC ENABLED MAILBOXES GLOBALLY AFTER DMARC: DROP IN CONSUMER REPORTS OF BAD EMAIL 80,000 85% 70% 70% PayPal 50% Outlook.com Source: Facebook via Source: Google Source: DMARC.org Source: DMARC.org DMARC.org www.agari.com 4

The Believers - Early Adopters Pave the Path 2.5 Billion Mailboxes Worldwide are DMARC enabled DMARC SENDERS DMARC RECEIVERS Recreate logo Is there a way that companies can protect against the new Silicon Valley of attack capabilities? Yes. As Tom Kellerman, Chief Cybersecurity Officer at Trend Micro remarks, There are three different ways you can protect against this. Greater forms of user verification, greater forms of implementation of DMARC, and use of breach detection systems. www.agari.com 5

The Benefits Why You Should Care Brand Protection It is only a matter of time before a criminal will use your domain for his own benefit. Whether the criminal activity is phishing, malware distribution, or nuisance spam, it harms your brand to be associated with these attacks. Fewer Customer Service Calls Customers don t call or send email to ask about phishing messages if they never receive those messages in the first place! One Agari customer was able to redeploy 60 staff members after publishing a reject policy on a highly phished domain. Reduced Account Takeovers By preventing delivery of phishing and malware-laden messages directed at your customers, a DMARC reject policy can reduce the number of account takeovers. This leads to a direct reduction in fraud losses. Less Server Load From Backscatter When criminals pretend to be you, they often send email to non-existent email addresses, full mailboxes, people who have a vacation responder, etc. The resulting bounce-back messages don t go to the criminal...they come to you. Increased Email Deliverability Visibility Into Cyberattack Risk Understanding the Threat Landscape Your Mom Will Thank You! Even legitimate messages may wind up in the spam folder if the receiver can t tell the good from the bad. By deploying DMARC, you can improve deliverability of your legitimate messages while eliminating the fraudulent. Do you know every 3rd party company sends email on behalf of your company? While 3rd party senders are needed, each time you provide customer, employee, or partner details to a 3rd party, you increase the risk of cyberattacks. DMARC enables you to see every 3rd party sending on your behalf to ensure they comply with email best practices. Are email attacks against your customers common or rare? Are the attacks well crafted? Do criminals use malware or phishing URLs to gather credentials? These questions can be answered by publishing a DMARC monitor policy, which has no impact on your mail flow. The higher threat visibility, the better security you can implement, increasing your bottom line. Seriously. Because it s not cool for consumers to shoulder the burden of guessing which of your emails are real and which are malicious. Do your mom a favor and deploy DMARC for your company we swear she ll thank you. www.agari.com 6

The Standards A Closer Look SPF DKIM DMARC About (aka Sender Policy Framework) SPF is an email authentication standard that allows domain owners to specify which servers are authorized to send email with their domain in the Mail From: email address. SPF allows receivers to query DNS to retrieve the list of authorized servers for a given domain. If an email message arrives via an authorized server, the receiver can consider the email authentic. (aka DomainKeys Identified Mail) DKIM is an email authentication standard that cryptographically associates a domain name with an email message. Senders insert cryptographic signatures into email messages that receivers can verify by using DNShosted public keys. When verification is successful, DKIM provides a reliable domainlevel identifier that can survive forwarding (unlike SPF). (aka Domain-based Message Authentication, Reporting, & Conformance) DMARC is an email authentication standard that works in conjunction with SPF & DKIM bringing long-missing features to email enabling senders to gain visibility into how their email domains are used and abused, describing how to combine existing authentication technologies to create secure email channels, and providing receivers with clear directives on how to safely dispose of unauthorized email all at Internet scale. Example DNS Record example.net. IN TXT v=spf1 a mx -all selector._domainkey.example.net IN TXT v=dkim1; k=rsa; p=public key data dmarc.domain.com. IN TXT v=dmarc1; p=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; Weakness SPF is not ideal for all email use cases and can fail if a message is forwarded. The Mail From domain authenticated by SPF is not easily visible by an email recipient. DKIM is generally more complex to set up than SPF, requiring a cryptographic signature on each message sent. DKIM will fail when content is modified in transit, like messages sent through a mailing list. Adoption! Get on board your mom will thank you! For More Info www.openspf.net www.dkim.org www.dmarc.org www.agari.com 7

The Mechanics - How DMARC Works The DMARC model uses DNS as the mechanism for policy publication. DMARC records are hosted as TXT DNS records in a DMARC specific namespace. The DMARC namespace is created by prepending _dmarc. to the email domain that is to become DMARC compliant. For example, if the email domain example.com publishes a DMARC record, issuing a DNS query for the TXT record at _ dmarc.example.com will retrieve the DMARC record. The DMARC specification allows senders to publish policy records containing parameters that receivers use to inform the processing of emails that purport to come from the sender s email domain. The features that DMARC enables are: Flexible policies. The DMARC model allows email senders to specify one of three policies to be applied against email that fails underlying authentication checks: p=none no policy should be applied, also often referred to as monitor. This option is used when senders simply want to collect feedback from receivers. p=quarantine email that fails authentication checks should be treated with suspicion. Most receiving mail systems will deliver these messages to an end user s spam-folder. It could mean increased anti-spam scrutiny or flagging as suspicious to end-users in some other way. p=reject email that fails authentication checks should be rejected at the receiving mail server. These messages should never reach the end user s mailbox and feedback will be sent to the party specified in the policy. Sub-domain-specific policies. DMARC records can specify different policies for top-level domains vs. sub-domains (using the p= and sp= tags). Phased rollout of policy. DMARC records can include a percentage tag ( pct= ) to specifies how much of an email stream should be affected by DMARC policy. Using this feature, senders can experiment with progressively stronger policies until enough operational experience is gained to move to 100% coverage. Identifier Alignment flexibility. The DMARC specification allows domain owners to control the semantics of Identifier Alignment. For both SPF and DKIM generated authenticated domain identifiers, domain owners can specify if strict domain matching is required or if parent and/or sub- domains can be considered to match. Feedback controls. DMARC records include parameters that specify where, how-often, and in which format feedback should be sent to the email domain owner. www.agari.com 8

The Big Picture It s Worth A Thousand Words Email Before DMARC Without DMARC, brands have limited visibility into how domains are being used to send email YOUR BRAND 3 rd PARTY EMAIL Email After DMARC DMARC provides visibility into all email traffic and then instructs receivers how to handle unauthenticated emails, all outside of the mail flow Massive DMARC dataset provides visibility into email sources Data analysis & threat forensics shared with brand to increase intelligence & security Infrastructure & threat alerts triggered YOUR BRAND 3 rd PARTY EMAIL Data sent from receivers to DMARC provider REJECTED BY DMARC www.agari.com 9

The Next Steps - Putting DMARC Into Practice Domain owners that wish to become DMARC-compliant need to perform 3 activities: 1 Publish a DMARC record. To begin collecting feedback from receivers, publish a DMARC record as a TXT record with a domain name of _dmarc.<your-domain.com> : v=dmarc1; p=none; rua=mailto:dmarc-feedback@<your-domain.com>; Doing so will cause DMARC-compliant receivers to generate and send aggregate feedback to dmarc-feedback@<your-domain.com>. The p=none tag lets receivers know that the domain owner is only interested in collecting feedback. 2 Deploy email authentication SPF and DKIM: Deployment of SPF involves creating and publishing an SPF record that describes all of the servers authorized to send on behalf of an email domain. Small organizations usually have simple SPF records, where complex organizations often maintain SPF records that authorize a variety of data-centers, partners, and 3rd-party senders. DMARC-supplied aggregate feedback can help identify legitimate servers while bootstrapping an SPF record. Deployment of DKIM requires domain owners to configure email servers to insert DKIM-Signatures into email and to publish public keys in the DNS. DKIM is widely available and supported by all major email vendors. DMARC-supplied aggregate feedback can help identify servers that emit email without DKIM signatures. 3 Ensure that Identifier Alignment is met. DMARC-supplied aggregate feedback can be used to identify where underlying authentication technologies are generating authenticated domain identifiers that do not align with the Email Domain. Correction can be rapidly made once misalignment is identified. By taking these steps, domain owners can effectively monitor email and make informed security decisions. Get Started! Share this book www.agari.com 10

Agari.com www.agari.com 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information