In a world with fewer absolutes, DMARC enforcement provides absolute answers

Sept. 15, 2022
Here are five of the most common misconceptions and mistakes companies make when planning their DMARC enforcement.

It’s been a decade since Domain-based Message Authentication Reporting and Conformance (DMARC) arrived on the cybersecurity scene, and in that time, it’s become a widely adopted email authentication policy. Over 60% of Fortune 100 companies have deployed DMARC, and 74% of federal government domains have DMARC policies.

Sounds great, right? But even with increasing DMARC adoption rates, too many companies are still leaving themselves open to attack. Why? Because only 14% of DMARC deployments are complete (at enforcement). DMARC is an authentication standard and therefore binary: you’re either at enforcement or you’re not, and a message either passes authentication or fails. There is no ambiguity at all. Like buying a lock for your door but then not locking the door, DMARC without enforcement doesn’t provide protection. Simply adding a DMARC record without getting to an enforcement policy like p=quarantine or p=reject means that unauthenticated email still gets through.

It’s like a bouncer at a club who checks IDs but lets everyone in regardless of their birthdate. Why go through the charade of verifying age if everyone can enter? And word gets out quickly, too. It doesn’t take long for criminals to realize they don’t need to bother with fake IDs if they know they’ll get past the guardian at the gate — no questions asked.

Yet I come back to the fact that only about 14% of DMARC policyholders are at enforcement. What does that mean for the other 86%? They may have invested tens of thousands of dollars and hours into implementing a DMARC policy but still leave themselves vulnerable to cyberattacks launched via phishing emails. DMARC is binary. You’re at enforcement, or you’re not. There is no “sort of” enforcement.

Because DMARC is a complex standard, it typically requires accurate and specific configuration and maintenance to ensure enforcement. Since this is DNS work, type just one character wrong and the configuration fails. Even if you get the syntax 100% right, a policy that isn’t 100% right will either block good email or let unauthenticated email through. In some cases, we’ve talked to IT/Infosec teams that think they’re safe, protected and at full enforcement, but they’re not. Even if the domain owner has done everything else correctly, cybercriminals can find and take advantage of the weakness.

5 Points To Know

Here are five of the most common misconceptions and mistakes companies make on their path to DMARC enforcement, leaving domains vulnerable to attack.

1. Misconfigured SPF records compromise cybersecurity.

Published in the Domain Name System (DNS), Sender Policy Framework (SPF) records include:

● A list of IP addresses of permitted senders.

● Directives referencing other domains’ SPF records.

● Rules pointing to other DNS record types.

The most common SPF record misconfiguration happens when someone builds a record that requires the receiving mail server to perform more than ten DNS lookups to evaluate it for every message that arrives. When overtaxed by too many lookups, a domain’s SPF record may not successfully authenticate all of the mail from the domain. Too many lookups can also cause valid emails to be blocked rather than delivered.

To avoid this limitation, domain owners pull all approved sending services’ IP addresses into the primary SPF record. This “flattened” SPF record will list IP addresses but not include equivalent DNS lookups. But a new problem arises — someone must continuously update the flattened list of IP addresses because email sending services frequently add or delete IP addresses. When single IP addresses change, the flattening approach becomes ineffective, with “good” emails blocked and “bad” emails delivered.
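The lookup limit described above can be checked before a record is published. The script below is an added example, not code from the original article or from Valimail; it walks a constructed set of SPF records (made-up domains and addresses standing in for DNS TXT answers) exactly as a receiver would, counting every include:, redirect=, a, mx, ptr and exists term, and compares a lookup-heavy record against its flattened, IP-only equivalent.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 4.6.4: more than 10 DNS-querying terms -> permerror

# Constructed, offline stand-in for DNS TXT answers. Every domain and address
# here is made up for illustration and is not real DNS data.
SPF_RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulk.test "
                    "include:_spf.crm.test include:_spf.help.test mx -all",
    "_spf.bulk.test": "v=spf1 include:_spf1.bulk.test include:_spf2.bulk.test "
                      "include:_spf3.bulk.test -all",
    "_spf1.bulk.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.bulk.test": "v=spf1 a mx -all",
    "_spf3.bulk.test": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm.test": "v=spf1 include:_spf.crmcloud.test ~all",
    "_spf.crmcloud.test": "v=spf1 a:mail.crmcloud.test exists:%{i}.crmcloud.test -all",
    "_spf.help.test": "v=spf1 ip4:203.0.113.0/24 -all",
    # The same senders expressed as a "flattened" record: IPs only, no lookups.
    "flat.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                 "ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

def count_lookups(domain, records=SPF_RECORDS, _seen=None):
    """Count DNS-querying terms reachable from domain's SPF record.

    include: and redirect= each cost one lookup and are followed; a, mx, ptr
    and exists cost one lookup each; ip4, ip6 and all cost nothing. A domain
    already visited is not expanded again (guards against include loops).
    """
    seen = set() if _seen is None else _seen
    if domain in seen:
        return 0
    seen.add(domain)
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        m = re.match(r"(?:include:|redirect=)(.+)", term)
        if m:
            total += 1 + count_lookups(m.group(1), records, seen)
        elif re.split(r"[:/]", term, 1)[0] in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def spf_verdict(domain, records=SPF_RECORDS):
    """Return (lookup_count, verdict) the way a receiver would judge the record."""
    n = count_lookups(domain, records)
    return n, "permerror: too many DNS lookups" if n > LOOKUP_LIMIT else "ok"

if __name__ == "__main__":
    for d in ("example.test", "flat.test"):
        print(d, *spf_verdict(d))
```

The include chain under example.test reaches 12 lookups and fails with permerror even though each individual record looks harmless, while flat.test costs zero lookups but has to be re-generated whenever a sender's addresses change.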

2. Mismanaged DomainKeys Identified Mail (DKIM) keys make it easier to steal information.

DKIM signs email messages via public/private key cryptography. This approach validates the email’s legitimacy — that it came from the domain with which the DKIM key is associated — and wasn’t tampered with during its trip through cyberspace.

Because they’re long strings of what appears to be random data, DKIM keys are easy to get wrong in DNS. Even copying and pasting can introduce errors if a single character is missed. And if a legitimate message fails DKIM, it may not reach its intended recipient.

Many organizations lack a specific process to manage and rotate keys. Still, experts suggest rotating DKIM keys every six months to reduce the possibility of a cybercriminal stealing or compromising them. It’s also good to use different DKIM keys for each email service because all services become vulnerable to exploitation if one key becomes compromised.

3. Neglecting subdomains opens a back door to attack.

A subdomain’s default behavior is to inherit the main domain’s policy (e.g., p=reject). But when domain owners work on achieving DMARC enforcement, they focus on bringing their main domain to enforcement, then kick the can down the road on the work needed to bring subdomains to enforcement as well.

Setting a subdomain policy of “sp=none” leaves the subdomains open to attack and spoofing. Indeed, a phishing email spoofing the main domain won’t get through, but one spoofing an unprotected subdomain will. For true enforcement, all subdomains require protection, too.

4. Out-of-order records create a recipe for disaster.

When records don’t use correct DMARC syntax or the tags are out of order, DMARC authentication can fail or result in email gateways skipping the DMARC check completely. For example, a DMARC record that places p=reject after any tag other than the v=DMARC1 tag, instead of immediately behind it, will hamper authentication.

5. Omitting a reporting address yields incomplete data.

One of DMARC’s benefits is the feedback it provides domain owners about email authentication. Suppose you neglect to add a reporting address (via the rua= tag). In that case, you miss out on aggregate data reports detailing passes and failures and lose important insight into authentication failures and potential spoofing (domain impersonation) attacks. Including a reporting address lets the DMARC record specify where these failures should be reported.
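Points 3, 4 and 5 above can be audited from the record text alone. The checker below is an added example, not the article's or Valimail's code; it parses a DMARC TXT record into ordered tags and reports whether v=DMARC1 comes first with p= right behind it, whether p= and the (inherited) sp= are at quarantine/reject, whether pct= waters the policy down, and whether an rua= reporting address is present. The example records and the example.test addresses are constructed.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(record):
    """Return (at_enforcement, findings) for one DMARC TXT record.

    Checks: v=DMARC1 first with p= immediately behind it, an enforcing p=,
    an enforcing sp= (sp inherits p when absent), pct=100 (a lower pct
    applies the policy to only a sample of failing mail) and an rua=
    reporting address. at_enforcement reflects the policy tags only; the
    order and rua= problems are reported as findings.
    """
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 is not the first tag; receivers may skip the record")
        return False, findings
    if len(pairs) < 2 or pairs[1][0] != "p":
        findings.append("p= does not immediately follow v=DMARC1")
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # default: subdomains inherit p
    pct = tags.get("pct", "100")
    if p not in ENFORCING:
        findings.append(f"p={p or '<missing>'} is not quarantine/reject")
    if sp not in ENFORCING:
        findings.append(f"subdomain policy sp={sp or '<missing>'} leaves subdomains spoofable")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address; aggregate reports will not arrive")
    at_enforcement = p in ENFORCING and sp in ENFORCING and pct == "100"
    return at_enforcement, findings

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
                "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.test",
                "p=reject; v=DMARC1"):
        print(rec, "->", audit_dmarc(rec))
```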

Automation is Key to Achieving Full DMARC Enforcement

People make mistakes. Machines do too. But an automated approach that’s been proven to work minimizes errors. At the same time, a comprehensive understanding of how to configure third-party senders ensures good email gets through and the rest is blocked effectively. If you want to ensure you’re at DMARC enforcement, think of DMARC as your home’s deadbolted front door and everything else — DKIM, SPF, protected subdomains, properly ordered records and full reporting — as the security cameras, locked windows and floodlights. They’re all practical security measures for protection, but if the door remains wide open (or lacks a deadbolt), a thief can waltz right into your home and take whatever he (or she) likes.

Domain owners must think the same way about protecting their companies. DMARC at enforcement with an accurate and maintained policy is highly effective at absolutely stopping unauthenticated email - no ifs, ands, or buts.

About the author: Alexander García-Tobar is the CEO at Valimail and co-founder.

A serial entrepreneur and global executive, Alexander has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research along with Silicon Valley startups such as ValiCert, Sygate, and SyncTV.
