If you think checking the sender's name on an email is enough to confirm it is genuine, think again! Spammers can forge the “From” address on email messages so that they appear to come from someone in your domain. This damages the reputation of the domain: people who receive the forged emails can mark them as spam or junk, which can affect delivery of authentic messages sent from your domain.
Email systems are vulnerable, and less than 1% are correctly protected against phishing attacks or email spoofing. DMARC is a policy-level change and the best way to authenticate mail and keep it safe; however, a government-wide implementation is required.
What is DMARC and How Can it help State and Local Government entities?
DMARC, an industry standard, is an email authentication policy and reporting protocol that is designed to prevent email spoofing. An initiative of the Trusted Domain Project, DMARC was finalized in 2015 by contributors, including Google, Yahoo, Mail.Ru, JPMorgan Chase and Symantec.
How DMARC works
DMARC helps email senders and receivers verify messages, and it also defines the action to take on suspicious incoming messages. When an incoming message does not pass the DomainKeys Identified Mail (DKIM) check, DMARC defines what happens to it. There are three options:
- Take no action on the message.
- Mark the message as spam and hold it for more processing (quarantine).
- Reject the message so that it is not delivered to the recipient.
Set up DMARC after SPF and DKIM
Before you set up DMARC, we recommend setting up Sender Policy Framework (SPF) and DKIM. DMARC uses SPF and DKIM to verify messages are authentic. A message that does not pass SPF or DKIM checks triggers the DMARC policy.
DMARC “builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (From:) domain name, published policies for recipient handling of authentication failures and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email,” notes DMARC.org. As the U.S. Department of Homeland Security says, setting a DMARC policy of “reject” gives agencies the “strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery.”
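To make the three policy options and the “linkage to the From: domain” concrete, here is an added example (not code from the original article or from DMARC.org) of how a receiving mail server decides what to do with a message once SPF and DKIM have already been evaluated. It assumes the SPF and DKIM results are passed in by the caller, constructs the DMARC TXT record inline instead of looking it up in DNS at `_dmarc.<domain>`, and approximates the organizational domain with the last two labels rather than the Public Suffix List; the domain names and record contents are constructed for the example.

```python
"""Minimal DMARC policy evaluation (added example, not from the original article).

Assumptions: the receiver has already run SPF and DKIM and passes their results
in; the DMARC record text is constructed here rather than fetched from DNS at
_dmarc.<domain>; the organizational-domain shortcut below is an approximation.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # DKIM identifier alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF identifier alignment
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real receivers use the Public Suffix List; this shortcut (an assumption of
    the example) is wrong for suffixes such as 'gov.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322 From: header (the author domain)
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= of a signature that verified, '' if none


def dmarc_disposition(record_txt: str, r: AuthResults) -> str:
    """Return 'pass', or the published action to apply: 'none', 'quarantine' or 'reject'.

    DMARC passes when SPF or DKIM both passes and aligns with the From: domain.
    Otherwise p= applies; sp=, if published, applies to subdomains instead.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, rec["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = r.from_domain.lower() != organizational_domain(r.from_domain)
    if is_subdomain and rec.get("sp") in ("none", "quarantine", "reject"):
        return rec["sp"]
    return rec["p"]


if __name__ == "__main__":
    # Constructed record and results: a message whose SPF passed for an
    # unrelated domain does not align, so the p=reject policy applies.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"
    spoofed = AuthResults("example.gov", True, "unrelated.example", False, "")
    print(dmarc_disposition(record, spoofed))
```

The key point the code shows is that a bare SPF or DKIM pass is not enough: the passing identifier must also align with the author domain in the From: header, which is exactly the check that lets the receiver apply “none”, “quarantine” or “reject” to forged mail without harming legitimate senders who sign or authorize mail for the same organizational domain.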
How Public-Sector Officials Can Enhance Email Security
Governments run critical infrastructure in every part of the world. Banking and finance, power and energy, transportation, telecom, government bodies and many critical public-sector companies carry out essential tasks for a country. However, they are highly vulnerable to email spoofing and phishing.
DMARC adoption by governments is very low; the main reasons are a lack of awareness and the absence of a strict policy mandate. Governments, central and state, also own multiple domains, each of which needs to be checked. The best approach is for an agency's IT leaders to work with a variety of vendors to test whether their domains are covered by DMARC and how much of their email traffic is fraudulent. This can then help IT leaders prioritize which domains need to be locked down and secured first; the ones that handle personally identifiable information typically come first.
Once DMARC is deployed, it informs a gateway, anywhere in the world, that it should send a report back to the owner of the domain or anyone the owner authorizes. Those reports then show what is happening on the domain — that valid emails are getting through and malicious ones are being blocked, García-Tobar says.
Tips for using DMARC
Here are some tips for using DMARC:
- You can set up DMARC to send you a daily report from all participating email providers. The report shows:
  - How often messages are authenticated
  - How often invalid messages are seen
  - DMARC policy actions that occur
- You can update your DMARC policy based on what you learn from the daily reports. For example, you can change your policy from monitor (“none”) to “quarantine” to “reject” if you see that valid messages are being authenticated.
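The daily reports above arrive as XML aggregate reports (the RFC 7489 format sent to the `rua=` address in the DMARC record). The following added example, which is not code from the article or from any mail provider, parses a constructed report, totals how many messages authenticated, which sources failed, and which dispositions were applied, and then applies a simple rule of the example's own for the none → quarantine → reject progression. The report content, IP addresses and the 90% threshold are all assumptions for illustration; real reports from providers should be parsed with a hardened parser such as `defusedxml`.

```python
"""Summarise a DMARC aggregate (rua) report; added example, not from the article.

Assumptions: the report follows the RFC 7489 XML aggregate format, and the XML
below is constructed for the example rather than received from a provider.
"""
import xml.etree.ElementTree as ET  # use defusedxml for reports from untrusted senders
from collections import Counter

# Constructed sample report: three sending sources for example.gov under p=none.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.gov</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Count authenticated vs. unauthenticated mail and the dispositions applied."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "total": 0,
        "authenticated": 0,    # aligned DKIM or aligned SPF passed
        "unauthenticated": 0,
        "dispositions": Counter(),
        "failing_sources": Counter(),  # source IPs whose mail failed DMARC
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        summary["total"] += count
        summary["dispositions"][evaluated.findtext("disposition")] += count
        if passed:
            summary["authenticated"] += count
        else:
            summary["unauthenticated"] += count
            summary["failing_sources"][row.findtext("source_ip")] += count
    return summary


NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}


def recommend_policy(summary: dict, min_pass_rate: float = 0.9) -> str:
    """Example's own rule for the none -> quarantine -> reject progression:
    step up one level only when at least min_pass_rate of reported mail authenticates."""
    if summary["total"] == 0:
        return summary["policy"]
    pass_rate = summary["authenticated"] / summary["total"]
    if pass_rate >= min_pass_rate:
        return NEXT_POLICY[summary["policy"]]
    return summary["policy"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print("domain:", s["domain"], "policy:", s["policy"])
    print("authenticated:", s["authenticated"], "of", s["total"])
    print("failing sources:", s["failing_sources"].most_common(5))
    print("recommended policy:", recommend_policy(s))
```

In the constructed report, 150 of 200 messages authenticate and all 50 failures come from one source, so the rule keeps the policy at “none” until that source is either brought under SPF/DKIM (if it is a legitimate sender) or confirmed as forged traffic. That is the triage the daily reports are meant to support: the `failing_sources` list is what an IT team reviews before tightening the policy.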