Email fraud is the most effective way for attackers to initiate a data breach. An attacker sends a message with misleading sender information to a targeted victim and tricks the recipient into either installing malicious content or divulging sensitive information. The result can be devastating for an organization that falls victim to these attacks, and it costs businesses millions in revenue loss, lawsuits, and brand name damage. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the email security standard for protecting against email fraud, but many organizations are either unaware of its existence or confused about how DMARC stops attacks.
Anatomy of a Spoofed Email Message
Before understanding DMARC, it’s important to understand how email fraud works. An attacker first goes through the reconnaissance phase of an attack, which means the attacker performs a search and review of company employees. LinkedIn is the perfect tool for reconnaissance because employees are all linked together under one organization. The attacker can get information about the organization and find targeted users with escalated privileges.
After the attacker gets a list of targeted users, the next step is to “spoof” email messages. A spoofed email message is one in which the sender’s address looks like an official email address, but it’s really faked by the attacker.
Most users are familiar with email client software that automatically adds a sender address based on software configurations. The email client sends a message and uses the configured email account for the sender address. Outgoing email servers run services that capture an email’s sender address, recipient address, subject, and body and send the message to the recipient’s email server. This service runs publicly on an email server, and it can be abused by attackers if no authentication is required.
Publicly accessible email servers with no authentication requirement are used by attackers to send spoofed messages. An attacker sends these servers an email message using a sender address familiar to the targeted user, which could be someone else within the organization or a third-party vendor. Without email security, the message is delivered to the user with the fraudulent sender address, and if the attacker is successful, the recipient could be tricked into sending private data or downloading malware that gives the attacker access to the local computer.
How DMARC Works
DMARC is a set of security rules that validate a legitimate email address and quarantine messages that do not pass validation. It’s configured on an organization’s email server using two security standards. Sender Policy Framework (SPF) verifies the sender IP address, and DomainKeys Identified Mail (DKIM) uses encrypted digital signatures to verify the sender’s domain.
The first component of DMARC security is SPF entries on the sender’s DNS servers. Although attackers can fake a sender address, they can’t fake the IP address of the original sending machine. For each server hop in an email message’s path to the recipient’s server, the IP is logged in the message headers. Most users can’t read email headers to spot a spoofed message, so they need email security applications that do it for them. SPF filters email based on the sender’s IP address.
When an organization decides to implement DMARC, it must add approved IP addresses on its DNS servers. Published SPF records on the sender’s DNS server provide a list of authorized IP addresses for the organization’s email servers. Only authorized IP addresses will pass DMARC security rules. When a DMARC-enabled email server receives a message, it performs an SPF entry lookup to verify that the IP address in the email headers is authorized. If it isn’t, the message is quarantined.
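The SPF lookup described above, as an added example that is not from the original article: the receiving server takes the IP address of the connecting SMTP client and walks the sender domain’s SPF TXT record mechanism by mechanism until one matches. The records below for example.com and mail.example.net are constructed stand-ins for what a live DNS query would return; the evaluator handles the ip4, ip6, include and all mechanisms, which is enough to show how an authorized-IP list and its final “-all” (fail) or “~all” (softfail) verdict are expressed.

```python
import ipaddress

# Constructed SPF records standing in for the TXT records a receiver would
# fetch from the sending domain's DNS (assumption: these domains are imaginary).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

# RFC 7208 qualifiers: what a matching mechanism means for the result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate the connecting client IP against the domain's SPF record.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Mechanisms that need live DNS (a, mx, ptr, exists) and the redirect=
    modifier are not modelled in this example.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF record published for this domain

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if "=" in term:
            continue                    # modifiers (redirect=, exp=) not modelled
        qualifier = "+"                 # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced domain's own check passes
            if check_spf(client_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]   # catch-all, normally the last term
        else:
            return "permerror"             # mechanism not supported by this example

    return "neutral"                       # no mechanism matched (RFC 7208 §4.7)


if __name__ == "__main__":
    # An authorized server, an authorized relay reached via include:, and a
    # connection from an address the domain never listed.
    for ip, domain in [("192.0.2.10", "example.com"),
                       ("198.51.100.7", "example.com"),
                       ("203.0.113.5", "example.com")]:
        print(f"{ip:>14} for {domain}: {check_spf(ip, domain)}")
```

A receiver treats “fail” from a “-all” record as the signal to reject or quarantine; “softfail” from “~all” is only advisory, which is why DMARC (below) layers a policy decision on top of the raw SPF result.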
DKIM is the second component of DMARC security. DKIM uses asymmetric encryption and digital signatures. To understand DKIM, you must understand the way public and private key encryption works. Private keys are used to sign messages that only the organization’s public key can decrypt. Private keys should never be shared or published, but the organization’s public key is published as a TXT record on the DNS server.
When a DMARC-enabled email server sends a message, it uses its private key to create a digital signature in the form of a hash. The digital signature is appended to the email headers and sent to the recipient’s email server. When the recipient’s email server gets a message, it retrieves the public key stored on the sender’s DNS server and decrypts the digital signature. It then computes a newly encrypted signature using the sender’s public key. If the value in the digital signature matches the newly computed one, then the email is considered valid, and it passes to the recipient’s inbox. If the values don’t match, the message is quarantined.
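To make the header-and-hash flow concrete, here is an added example (not code from the original article) of the receiver-side steps that need no key material: parsing the DKIM-Signature header into its tags, deriving the DNS name of the selector record that holds the sender’s public key, and recomputing the body hash (the bh= tag) under RFC 6376 “simple” canonicalization so a tampered body is detected. Checking the b= tag, the RSA signature over the selected headers, additionally needs that public key and an RSA library; that step is left out here, and the b= value in the constructed header is a labelled placeholder. The message body, domain and selector are constructed.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.

    Folding whitespace inside a value is removed, which the DKIM tag syntax
    permits (the b= and bh= values are often folded across lines).
    """
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")      # split on the first "=" only
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body_simple(body):
    """RFC 6376 §3.4.3 'simple' body canonicalization: CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body.encode("utf-8")


def body_hash(body):
    """The bh= value a signer computes for a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_key_record_name(tags):
    """DNS name of the TXT record that publishes the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value, body):
    """Receiver-side check that the body was not altered in transit."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"   # "c=relaxed" means body=simple
    if body_canon != "simple":
        raise ValueError("only simple body canonicalization is modelled here")
    return tags.get("bh") == body_hash(body)


# Constructed message body and DKIM-Signature header. The bh= tag is computed
# the way a signer would; the b= tag is a placeholder because producing it
# requires the private RSA key.
BODY = "Hi Dana,\r\n\r\nPlease approve the attached invoice by Friday.\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY) + ";\r\n"
    " b=<PLACEHOLDER_RSA_SIGNATURE>"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SIGNATURE)
    print("public key record:", dkim_key_record_name(tags))
    print("body hash matches:", verify_body_hash(SIGNATURE, BODY))
    print("after tampering:  ", verify_body_hash(SIGNATURE, BODY.replace("Friday", "today")))
```

The body hash alone does not authenticate the sender; only the b= signature, checked against the key at sel1._domainkey.example.com, proves the domain owner signed those headers and that bh= value. Its role is to make the body part of what the signature covers without having to sign the whole message directly.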
Several other attributes can be set in the DKIM header data, but the digital signature is the most critical for email security. DMARC security settings are also determined by IT administrators and business rules, but if either DKIM or SPF validation fails, the message will be quarantined.
Some email administrators configure the server to drop emails that don’t pass DMARC validation, but they can also be quarantined. Quarantined messages are sent to a secure, sandboxed environment where an administrator can review them. Quarantine and review of messages fix issues with false positives, which occasionally happen with some email security applications. If an administrator determines that an email message was filtered by mistake, it can be forwarded to the recipient’s inbox.
A good example of DMARC and email fraud detection is Google Gmail’s quarantine methods. Messages that do not originate from the specified sender are sent to Gmail’s spam inbox. Open one of these messages, and a red label at the top tells the reader that the message did not originate from the specified sender. This is Gmail’s version of a quarantine, but in enterprise environments, quarantined email is sent to a sandbox where users cannot access it.
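The administrator-chosen settings mentioned above live in the domain’s DMARC TXT record (published at _dmarc.<domain>), and the disposition a receiver applies follows from it. As an added example that is not from the original article, the code below parses such a record and applies the RFC 7489 decision: a message passes DMARC when at least one of SPF or DKIM passes and its authenticated domain is aligned with the domain in the visible From header; otherwise the p= tag (none, quarantine or reject) decides what happens, with sp= overriding for subdomains. The record, domains and scenarios are constructed, and the organizational-domain helper approximates the Public Suffix List lookup with the last two labels (an assumption that does not hold for domains such as example.co.uk).

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record (RFC 7489 tag=value list), applying defaults."""
    tags = {"p": None, "sp": None, "adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain. Real receivers consult the Public Suffix List;
    this example approximates it with the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record_txt, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_result, action).

    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d=
    tag of a DKIM signature that verified (None when there is none).
    pct= is parsed but not applied, so the decision stays deterministic.
    """
    policy = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = policy["p"]
    # A From domain below the organizational domain uses sp= when it is set.
    if from_domain.lower() != org_domain(from_domain) and policy["sp"]:
        action = policy["sp"]
    return "fail", action


# Constructed policy: reject for the domain itself, quarantine for subdomains,
# strict DKIM alignment, relaxed SPF alignment. The rua= address is constructed.
RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
          "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    scenarios = {
        "legitimate mail":       ("example.com", "pass", "bounces.example.com", "pass", "example.com"),
        "spoofed From header":   ("example.com", "pass", "bulk-sender.example", "none", None),
        "forwarded, SPF broken": ("example.com", "fail", "example.com", "pass", "example.com"),
        "subdomain, strict DKIM": ("hr.example.com", "fail", "hr.example.com", "pass", "example.com"),
    }
    for label, args in scenarios.items():
        print(f"{label:<24} -> {dmarc_disposition(RECORD, *args)}")
```

The second scenario is the spoofing case from earlier in the article: the attacker’s server may pass SPF for its own domain, but that domain does not align with the forged From header, so DMARC fails and p=reject applies. The third scenario shows why the standard accepts either mechanism: mail forwarding routinely breaks SPF while the DKIM signature survives, so requiring both would reject legitimate mail.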
Configuring DMARC on your email server greatly reduces phishing and email fraud. It’s the most reputable form of email security on the market, and it’s quickly becoming a standard for all email servers. Enterprise email applications support it, and users who work through hosting providers can configure it for better protection.