DMARC – The Importance of Changing From None to Quarantine or Reject


Domain-based message authentication, reporting and conformance (DMARC) gives domain owners reports on how their domains are being used for email. These reports provide feedback about the email itself, including whether each message passed SPF and/or DKIM alignment. A DMARC record also tells email receivers how to handle messages that fail to align with those protocols.

Lately, we have seen an increase in reported phishing emails. Some of these messages appear to come from a valid sender domain, but closer inspection of the header reveals that the sender’s domain was spoofed. For example, the sender appears as superintendent@yourdomain.k12.mo.us, but the message header shows the authenticated sender as scammer@scam.com. We suspect some of these emails were delivered to recipients’ inboxes because email providers are constantly changing the parameters they use to identify phishing.

Frequently, when we run the phish through header analyzers and domain checkers, SPF and DKIM pass but DMARC is set to p=none. The caution message is: “Your domain has a valid DMARC record but the DMARC policy does not prevent abuse of your domain by phishers and spammers.” Moving to p=quarantine or p=reject is the next step in mitigating phishing emails. To determine what is configured for your domain, please use the dmarcian.com domain checker.

There are three main policies: p=none, p=quarantine and p=reject. When should you move from none to quarantine or reject? Let’s look at the three options in detail.

p=none: Monitor only. Receivers take no automatic action on messages that fail DMARC.

p=quarantine: Receivers are told to treat failing messages as suspicious, typically diverting them into a spam or junk folder.

p=reject: Failing messages never make it to the user’s inbox. Receivers reject them outright.

If you are new to this process, starting with p=none lets you monitor how mail claiming to come from your domain is being authenticated, and learn how your current authentication setup is configured, without affecting delivery.

When you configure a DMARC record, you will provide an email address to receive the reports. It is recommended that you set up a separate, dedicated mailbox for these reports, as they can be high volume. Once you are receiving consistent and comprehensive DMARC reports and can reliably see which emails are passing and failing authentication checks, you can change to p=quarantine in your DNS record. Communicate this change to staff and to all third parties who send email on your behalf. Monitor your reporting and ensure email is classified correctly. Eliminate false positives by correcting your email authentication settings. Once you are confident in your process, you can move to p=reject.

p=reject will reduce the risk of phishing attacks and email spoofing that can compromise your organization. Review your DMARC reports regularly and make any necessary changes. Once again, communicate changes with everyone involved.
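As an added example (not part of the original post), the Python below parses a DMARC TXT record, such as the one returned by `dig +short TXT _dmarc.yourdomain`, and reports whether the policy actually enforces, following the none → quarantine → reject progression described above. The sample records and the example.k12.mo.us addresses are constructed, and the pct and sp tags go beyond what the post covers.

```python
"""Check a DMARC TXT record: does the published policy actually enforce?"""

# Constructed sample records for a hypothetical domain (not from the post).
SAMPLES = {
    "monitor-only": '"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.k12.mo.us"',
    "quarantine-partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.k12.mo.us",
    "reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.k12.mo.us",
    "no-reports": "v=DMARC1; p=reject",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' (RFC 7489 syntax) into a dict; strips dig's quotes."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(record: str) -> dict:
    """Classify the policy and list the gaps a domain owner should close next."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct") or 100)          # pct defaults to 100 when absent
    findings = []
    if policy == "none":
        findings.append("p=none: valid record, but receivers take no action on failures")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "pct": pct, "enforcing": enforcing, "findings": findings}

def next_step(record: str) -> str:
    """Recommend the next move in the none -> quarantine -> reject progression."""
    policy = assess(record)["policy"]
    return {"none": "quarantine", "quarantine": "reject"}.get(policy, "reject (already enforcing)")

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = assess(record)
        print(f"{name:20} p={result['policy']:<10} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"{'':20} - {finding}")
        print(f"{'':20} next step: p={next_step(record)}")
```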

To request changes to your DNS record, identify who is authoritative for your domain. To determine who that is, go to DNS Checker, enter your domain and choose “Authoritative DNS” in the DNS Server field.

Moving to quarantine and reject will provide greater security for your staff and reduce phishing emails. Your DNS records should be checked periodically for updates.

To train your staff on BEC and phishing awareness, please add these Infosec IQ training modules to your campaigns!

Need to Know: Business Email Compromise (BEC)

Role Based Training: Phishing for Education

If you have any questions, please contact security@more.net.

Resources

How to Set Up DMARC

Google Instructions on a DMARC Rollout

Google – Obtaining and Reading DMARC reports

Quarantine vs Reject

Moving from None to Reject