Dark Reading is part of the Informa Tech Division of Informa PLC


How To Reduce Spam & Phishing With DMARC

Providers of more than 3 billion email boxes have taken up a new Internet protocol to help put trust back into electronic messaging.

While email is a mission-critical communication channel for most companies, it has also become an untrusted one. Thanks to spam and phishing scams, users are taught to be wary of incoming messages. This lack of trust impacts a company’s ability to effectively communicate, market, and sell to customers via email. DMARC (Domain Message Authentication Reporting and Conformance) stands to change all that.

Providers of more than 3 billion email boxes have taken up DMARC to help put trust back into email. DMARC is an Internet protocol specification that is going through the IETF standardization process. It provides visibility into email flows, and can tell receiving servers to delete spoofed messages immediately upon receipt, thus ensuring that only legitimate emails are delivered to inboxes.

Nearly every company with a domain name should consider leveraging DMARC to help reduce spam and prevent phishing attacks. Here’s how.

Getting started with DMARC is easy. Any email sender and receiver can use the DMARC rails provided by the global community. Free use of the rails provides access to the critical, raw reporting data that helps you see who is sending email and who is spoofing your brand.

To start, we recommend deploying DMARC in monitoring mode. This is how nearly 100 percent of DMARC deployments on the sender side begin. As an email sender in monitoring mode, you advertise to the Internet that you want all DMARC-compliant email receivers (such as Google, Yahoo, Hotmail, and thousands more) to send you reports on who is sending email that purports to come from your domain. That’s all there is to it. No emails are flagged, blocked, rejected, or quarantined.

After you are comfortable with the data collected in monitoring mode and you know that legitimate traffic is passing authentication checks, we recommend that you change your policy to quarantine mode. In quarantine mode, suspicious messages are put aside for review. This allows you to identify all internal and authorized email servers and ensure they are configured properly.

Once you have confidence that no legitimate email is mistakenly quarantined, then you can move to a reject policy. In reject mode, spam and phishing messages are deleted before they reach their destination. It is impossible for spoofed email to be delivered to DMARC-protected email servers. This solidifies the trust relationship between domain-based email sent by you and received by DMARC-protected mailboxes.

As a final step, DMARC should be leveraged as part of a greater threat detection and mitigation strategy. DMARC provides valuable reporting information about the amount and structure of phishing attacks against a customer population. This data can be used to improve visibility into attacks, decrease takedown times and reduce losses related to account takeover. As a result, DMARC helps improve fraud intelligence around targeted attacks on your brand.

Daniel Ingevaldson has a 15-year+ career including early infosec innovators like Internet Security Systems (ISS), where he was a member of the famed "X-Force" threat and vulnerability research group, and continued on in various research leadership, engineering, consulting, ...

User Rank: Apprentice
12/1/2016 | 5:24:29 AM
Create DMARC record to stop phishing
DMARC is a great way to prevent spammers from using your domain to send email without your permission. It improves mail authentication infrastructure. DMARC allows setting rules to reject or quarantine (SPAM/junk folder) emails from sources you don't know. 
Marilyn Cohodas,
User Rank: Strategist
3/3/2015 | 10:15:07 AM
Re: DMARC is not going to stop phishing
Attackers will adapt to any countermeasure, but they will have to absorb new costs, take on new risks and settle for smaller returns.

That sounds like an effective countermeasure for the defenders, to me. Anything that makes it harder for attackers is a step in the right direction. 
User Rank: Apprentice
3/1/2015 | 3:17:48 PM
Re: DMARC is not going to stop phishing
@MrSmith01--that may be the case because Target has published a DMARC policy.  As more and more brands do so, and move that policy from monitor mode to reject, more and more attackers will be forced to use sister/cousin domains to launch attacks. I argue in the article that this is a good thing. DMARC must be used in conjunction with domain monitoring, internet-wide brand monitoring and proactive phishing detection. When implemented correctly, the combination of these technologies decreases the life-span of attacks, decreases the odds of credential theft and in the end makes attacks less profitable.

What DMARC will do is remove the attacker's option of launching attacks that are highly effective (will fool a substantial amount of recipients) and very inexpensive (email spoofing). It is useful to view this problem through an economic lens, because in the end, it is the most relevant view. Attackers will adapt to any countermeasure, but they will have to absorb new costs, take on new risks and settle for smaller returns.
User Rank: Apprentice
2/27/2015 | 11:51:52 PM
Re: DMARC is not going to stop phishing
Except what if the email is from [email protected] or one of a hundred other variations an attacker could set up?  Heck, I just saw a legitimate email for Target that used the domain mail-target.com.  You see, domain names don't mean jack to typical users and are even non-trivial to sort out for more technical users.  So, authenticating the domain in the from address is far less useful than you might think.  Also, many of the phishing messages I see already don't get fancy with the from address, because they don't need to.  This does make phishing a little harder, so it's good.  I do not expect it to reduce phishing in any meaningful way though, because the same douchebags that were sending messages with spoofed from addresses last week, will simply send the same exact message without spoofing the from address this week.
User Rank: Ninja
2/27/2015 | 1:47:36 PM
Re: DMARC is not going to stop phishing
Not sure I get what you mean. If someone using [email protected] and asking person to give me their logon credentials so I can troubleshoot something, seems like this would work fine.

If your point is someone will just hack into my computer and use my email to send this, then I get your point not much help. But I suspect more people are spoofing from other mail domains than actually hacking and remote controlling a machine inside mail domain.

I do agree with your conclusion the bad guys will adjust, they always seem to. But at least we would raise the bar a little, assuming cost of this new DMARC is negligible.
User Rank: Ninja
2/27/2015 | 12:26:56 PM
Interesting but...
Sounds interesting and will be something I bring up with my bosses next time we have a chat about email security. However I wonder if it's not quite the holy grail it's being made out to be? I'm sure that a few changes of techniques could easily circumvent some aspects of this. 
User Rank: Apprentice
2/27/2015 | 12:21:37 PM
Re: DMARC is not going to stop phishing
@MrSmith01--you bring up two points that I will address separately:

1. That DMARC is not going to stop phishing.

This is absolutely true and something that I say frequently. As an anti-fraud company, it is dangerous to say that any control will stop any threat because any measure is met with a countermeasure by attackers. The point I was making in the article is that it is in the email sender's best interest for numerous reasons to deploy DMARC policies on their domains to permanently remove the possibility of specific types of spoofed email from being delivered to the majority of global mailboxes. This will not stop phishing, but it will do more than any other technique to stop the most effective types of phishing attacks.

2. That many or most phishers don't bother to spoof the sender's domain.

This is more or less true, but I have a different view on this. Most of the phishing attacks that my company detects and takes down are from hacked WordPress servers. Most of these phishing attacks are poorly constructed and easy to identify. More of the attacks are automatically generated and run by phishkits. This is a high-volume game where attackers make a small but reliable return on their investment. However, the most effective phishing attacks (in terms of successful account takeover) are more effective, more targeted, better constructed. These attacks do often rely on domain spoofing or use of similar domains because victims still rely on the domain name displayed in their email client as a pseudo-authentication factor, even though it was never designed as such.

One point that I will try to make, and one that I have made in other articles about DMARC, is that online fraud mitigation and programmatic risk reduction for something as complex as a massive, distributed end-user population is a long-game, it's a game of inches. Positioning DMARC as a tool to leverage against adversaries is not overselling, it is simple pragmatism. Closing the front door to attackers thereby forcing them to try to get in through the window is a "win" in this context. Anytime we can force our attackers to consume complexity that we force upon them, then we are moving in the right direction. For all of these reasons, DMARC is one of the best tools available to move things forward, and I didn't even get a chance to discuss the huge benefit from DMARC reporting!
User Rank: Apprentice
2/26/2015 | 8:06:19 PM
DMARC is not going to stop phishing
"...thus ensuring that only legitimate emails are delivered to inboxes."

DMARC does not ensure that only legitimate emails are delivered, and it does little to reduce phishing attacks generally. It forces perpetrators to change their tactics, which has value for sure, but let's not oversell it. Many, perhaps most, of the spam and phishing attacks I see personally and professionally don't even bother spoofing the sender addresses. Just take a look at your own Junk folder.