Discovering and Defeating Email Fraud with DMARC

DMARC for the win

​Email is critical for business operations. If your emails don’t land reliably in peoples’ inboxes, business can grind to a halt.

In 1972 email was originally designed to enable communication. It has ever since. Communication – not security – was the focus when it was designed. That is why I can install a simple, free mail server software on any computer and start sending messages, claiming they’re from anyone I want – even you. Spoofing is the act of masquerading as another, and with email it’s incredibly easy if protections aren’t activated. In its various forms, spoofing fuels phishing and other fraud. Spoofing preys upon the legitimate reputation of an organization, and that organization gets the reputational “credit” for anything done in its name. Your business could be “sending” spam campaigns right now.

What if I told you there was a three-step method to:

• Protect your company's digital reputation and decrease the likelihood of your emails being marked as spam;
• Show how many unauthorized emails are being fraudulently sent "from" [email protected];
• Tell recipients what to do with messages that don’t actually come from your business?

What if I sent you an email about it? From yourself. Sometimes that’s what it takes for my message to land impactfully in the mental inbox of some managers. Whenever I have the opportunity while conducting vulnerability assessments, I make sure to send myself a noteworthy email from an executive within the organization. I do this without ever touching their equipment, or logging into their systems simply because I can – anyone can. That’s my point.

Security as an afterthought is almost always clumsy and usually requires manual
configuration. Here’s why I even have this job: security is rarely included in project/product
design phases and IT guys rarely turn on the security options available.

So, what’s the fix? My three-step plan?
I stumbled upon it while researching email authentication. There are three public DNS records you should publish for each domain you own: SPF (Sender Policy Framework), DKIM (Domain-Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Here’s the short version: SPF specifies which IP addresses can send mail as @yourbusiness.com; DKIM adds a unique digital signature to prove the message came from you (and is unmolested); and DMARC is twofold: it adds reporting and defines an action policy for unauthenticated messages.

DMARC is where email security gets traction. Without it, email could be reasonably
secure (tip: it usually isn’t), but previously there was no way to know whether your domain is
being misused. The Reporting component is revolutionary, making it now possible to discover 
how many emails are being sent on your behalf and where from, even from systems you don’t own or control.

DMARC has been mainstream-usable since early 2015, but for lack of awareness most
businesses have not yet begun using it. I have spoken at regional information security conferences on it and I find a majority of IT professionals are unaware of or don’t yet understand DMARC. On that note, a word of caution: DMARC is powerful and can block all the fraudulent emails, but can also block the good ones. A careful plan is essential.

I have deployed DMARC for more than 40 domains. One of those domains was sending more than two million fraudulent emails per month. The client indicated that domain should not be  sending any email, so a quick forensic investigation into the content of the messages yielded evidence of phishing campaigns, links to hacked websites, myriad erectile dysfunction ads, and so on. This company was getting the reputational credit for having sent these emails. I published a DMARC policy to reject any mail from that domain, and now 99.9991% of those messages being blocked. At one point, the volume spiked to greater than 5.9 million in a month. All blocked!

Another client’s members recently received a fraudulent message “from” a staff member requesting donations for another real member’s fake sick child on a GoFundMe site, complete with sad pictures and fake quotes from other members. I connected with their IT service provider to assist with damage control and remediation.

So how long does it take; how much does it cost?
The answer is, “it depends.”
Simple environments can be done in less than a month with little capital outlay. Complex environments can take months and cost thousands.
In my experience, most SMBs are relatively simple environments.

Secure your email.
You’re likely in the majority who aren’t being actively impersonated, but if you were, wouldn’t you like to know? And wouldn’t you like to properly configure things so it can’t happen?