{"id":3373,"date":"2024-05-01T10:17:04","date_gmt":"2024-05-01T15:17:04","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/tech-tip-why-haven-t-you-set-up-dmarc-yet-"},"modified":"2024-05-01T10:17:04","modified_gmt":"2024-05-01T15:17:04","slug":"why-havent-you-set-up-dmarc-yet","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/01\/why-havent-you-set-up-dmarc-yet\/","title":{"rendered":"Why Haven’t You Set Up DMARC Yet?"},"content":{"rendered":"
<\/a><\/div>\n

For cybersecurity professionals in email security and anti-phishing, the beginning of 2024 marked the start of an evolution. <\/span><\/p>\n

In January, adoption of the email standard for protecting domains from spoofing by fraudsters \u2014 Domain-based Messaging Authentication, Reporting and Conformance, or DMARC \u2014 took off as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization. <\/span><\/p>\n

Yet three months later, the increase in DMARC adoption is already starting to taper off, and many companies have completed only the most minimal configuration of their domains, such as setting DMARC to flag issues rather than quarantine or even reject messages. <\/span><\/p>\n

Unfortunately, many organizations remain concerned that DMARC is just another security control that, if done wrong, could break critical email services, says Rahul Powar, CEO of Red Sift, a threat intelligence provider.<\/span><\/p>\n

“Many organizations are rightly concerned that if they go and they do a DMARC policy and it’s not correct, that they could block something that’s really material to the business, such as a massive marketing campaign, or that the CEO’s email won’t land in the right inbox,” he says. “There’s a concern about getting it wrong.”<\/span><\/p>\n

\"Email<\/p>\n

As of the end of April, about 7.9 million domains have some sort of DMARC record (yellow), but only 32% are BIMI ready (green). Source: BIMIRadar.com<\/p>\n<\/div>\n

However, DMARC \u2014 and the underlying technologies of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) \u2014 are not difficult to set up for small or midsize businesses that have simple email infrastructure through a third-party service, such as Google Workspace or Microsoft 365. However, if there are older systems or some segmentation using subdomains, the configuration can get complex \u2014 fast, says Gerasim Hovhannisyan, co-founder and CEO at service provider EasyDMARC.<\/span><\/p>\n

“The problem comes when you have legacy systems and multiple sending sources and infrastructure,” he says. “Not only enterprises, but the midmarket can have huge problems during email authentication deployment. It’s straightforward or easy to first glance, but if you do something wrong, totally valid emails will be rejected.”<\/span><\/p>\n

1. SPF Alerts Recipients to Emails From Nonapproved Sources<\/h2>\n

The first DNS record that an organization needs to set up is SPF, a string that <\/span>lists the IP addresses and domain names<\/a><\/span> of the mail servers authorized to send email on behalf of the domain. This record is typically set up through your domain provider or email hosting provider. <\/span><\/p>\n

A typical SPF record is a DNS TXT record and looks like:<\/span><\/p>\n

v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:example.com -all<\/span><\/pre>\n
The “v=spf1” designates the string as an SPF record and is required for all SPF records. The “ip4” fields list the IP addresses that are allowed to send email on behalf of the domain and can include network addresses using the slash notation. The “include” tag lists the third-party domains that are authorized to send email for the domain, while the “-all” flag specifies that every other domain is not allowed. Other variants, such as “~all,” are possible and specify that mail from other domains are allowed but marked insecure, while “+all” allows any server to send email on behalf of the domain.<\/span><\/p>\n
While the SPF record is a good first step, <\/span>spammers could exploit<\/a><\/span> the fact that other organizations using a common third-party server, such as Google’s, would be authorized to send email on behalf of every other organization using that server.<\/span><\/p>\n
2. DKIM Uses PKI to Verify Email Messages<\/h2>\n
DomainKeys Identified Mail, or DKIM, solves the problem of multiple tenants on the same email server and adds email verification as well. The DKIM selector and key is <\/span>generated by your email provider<\/a><\/span> and then registered as a TXT record in your DNS service provider. <\/span><\/p>\n
A typical DKIM record is a DNS TXT record with a selector \u2014 a name \u2014 such as ‘[third party]._domainkey’ and a value of:<\/span><\/p>\n
v=DKIM1; k=rsa; p={public key string}<\/span><\/pre>\n
The ‘v=DKIM1’ designates the TXT string as a DKIM record and is required for all DKIM records. The ‘k=rsa’ designates the type of encryption used for the public-key data, with RSA as the default and other values, such as Edwards-curve Digital Signature Algorithm (EdDSA), allowed as well. The ‘p=’ tag contains the public-key data generated by the email service provider. <\/span><\/p>\n
Like with any public-key encryption infrastructure, organizations should make sure to regularly rotate the keys for their domain infrastructure, says EasyDMARC’s Hovannisyan. <\/span><\/p>\n
“We have password management systems or rotating password for other [types of] keys, but we don’t do that with DKIM keys,” he says. “This is something that should be in place and each time something can be broken, you need to have alerting.”<\/span><\/p>\n
3. DMARC Establishes Policies for Email Recipients<\/h2>\n
Domain-based Messaging Authentication, Reporting and Conformance \u2014 or DMARC \u2014 uses the already-established controls of SPF and DKIM and specifies an organization’s email policy \u2014 not for emails coming into the organization, but for emails claiming to be sent on behalf of the organization. Organizations that <\/span>specify a DMARC record gain two benefits<\/a><\/span>: They can tell a receiving server what to do with an email that fails authentication \u2014 such as allow delivery, quarantine the message, or reject it \u2014 and they direct the receiving server to generate reports about any messages sent to the domain. <\/span><\/p>\n
The result is that an organization using DMARC gains visibility into how their domain name and brand is being used by unauthorized parties. <\/span><\/p>\n
A typical DMARC record is a DNS TXT record with a ‘_DMARC’ and a value that is a string with a number of fields, such as:<\/span><\/p>\n
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]<\/a><\/span><\/pre>\n
In this example, the ‘v=DMARC1’ is the required identifier, the authentication policies for both SPF and DKIM at set to strict \u2014 as designated by the ‘aspf=s’ and ‘adkim=s’ tags \u2014 and the DMARC reports are sent to an organization-specific email at a third-party provider. In this case, the policy is set to reject, but companies can start with a policy of ‘none’ to gain access to the reporting and move to a policy of ‘quarantine’.<\/span><\/p>\n
4. Check Your DMARC Reports Regularly and Maintain Records<\/h2>\n
Establishing a DMARC policy is fairly simple, but using the added information as part of an email-security and brand-protection program requires an alerting mechanism and regular oversight. Often companies will just insert a valid DMARC record in their DNS with a policy of ‘none’ and then forget about the added threat intelligence, says EasyDMARC’s Hovannisyan.<\/span><\/p>\n
“One of the biggest mistakes with DMARCs is [company’s saying] that once it’s done, I don’t need to do anything more,” he says. <\/span><\/p>\n
Instead, companies should advanced through the different policies, starting with ‘none,’ but quickly moving to ‘quarantine’ and then finally ‘strict.”‘<\/span><\/p>\n
While DMARC can be easy to manage for small companies, large enterprises will likely want to adopt a service to manage the configuration of its email infrastructure and make use of the added capabilities.<\/span><\/p>\n
“For a small deployment, where you basically just have, a Google or an Office 365 on your domain, it’s pretty straightforward,” says Red Sift’s Powar. “I mean, the spec is quite simple, but as soon as you add a little bit of complexity \u2014 once you start including a marketing department, an HR department, or maybe a procurement department \u2014 you’re going to find a lot of senders suddenly start to appear out of your infrastructure.”<\/span><\/p>\n
5. Consider BIMI to Increase Trust<\/h2>\n
Finally, companies have a fourth standard that can help add more trust to their email messages. The Brand Indicators for Message Identification \u2014 or BIMI \u2014 standard allows companies to register their logo for use in email clients, but only after they have adopted the maximum level of strictness for their DMARC policy. <\/span><\/p>\n
While almost <\/span>three-quarters of large organizations (73%)<\/a><\/span> have adopted the most basic version of DMARC, the share of those organizations that would pass the most stringent standards vary significantly by nation: 77% of companies in the United States have a strict policy, while only 40% in Germany and 15% in Japan do, according to <\/span>data from threat-intelligence provider Red Sift<\/a><\/span>. Of all domains, only 3% are considered ready for BIMI, but 32% of the 7.9 million DMARC-enabled domains have strict enough policies to adopt BIMI, <\/span>according to the BIMIRadar tracking site<\/a><\/span>.<\/span><\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
For cybersecurity professionals in email security and anti-phishing, the beginning<\/p>\n","protected":false},"author":12,"featured_media":3374,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=1600%2C900&ssl=1",1600,900,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=1600%2C900&ssl=1",1600,900,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/why-havent-you-set-up-dmarc-yet.jpg?fit=1600%2C900&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3373"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3373\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3374"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}