In the world of email and cyber security DMARC is a hot topic.  But what exactly is it, and what does it do for your business? Pro Drive’s Technical Director Matt attempts to demystify it for you.

What does DMARC do?

In an industry full of acronyms, at Pro Drive we do our best to avoid them. There are however a plethora in the world of email security – and DMARC is an important one.

DMARC stands for Domain-based Message Authentication Reporting and Conformance – which is a bit of a mouthful, so we’ll stick with DMARC. As the name suggests, it’s a mechanism that does several things, ultimately to keep your business safe from cyber criminals. Let’s look at each in turn.

Domain-based

  • This simply means it works on a per domain basis. A domain is the part at the end of your email address – so Pro Drive’s domain is prodriveit.co.uk.

Message

  • The refers to the fact that DMARC works on email

Authentication

  • This is checking that a message is coming from a valid source. It builds on previous protocols like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)

Reporting

  • This is a mechanism to report when emails are received from invalid sources so the owner of a domain can do something about it

Conformance

  • Ensuring that the rules set out in this and the other protocols it builds on are followed.

How does DMARC protect you?

A very simple explanation of what DMARC does is that it helps to prevent criminals from sending emails that look like they are from genuine email addresses but are not (a process known as spoofing) by preventing the message from being delivered.

Email spoofing attacks are often used to trick the person receiving the email into disclosing valuable details such as bank or credit card information to cyber criminals, or to deceive them into paying money into criminal bank accounts. This can be a particular problem for big brands and ecommerce platforms, but is also critical for legal and accountancy firms where reputation is everything.

To help protect you, DMARC also provides a reporting mechanism to tell you about it when it stops a ‘spoofed’ email. It’s protecting the reputation of your business by ensuring that only genuine emails you send get through, not emails from cyber criminals.

Unfortunately, you cannot just ‘switch on’ DMARC overnight.  There is a significant period of time from when you decide to implement DMARC to when it can start protecting you. The aim of the game here is to get to a “reject” status where you are telling recipients to block any emails that are definitely not from you.

What happens once DMARC is switched on?

Let’s use an example to illustrate this:

  • You are the business owner of a company called WidgetTech with the domain widgettech.com, and being a proactive company WidgetTech has got everything in place and configured a “reject” DMARC policy.
  • Another company called GadgetTech receives an email that appears on the face of it to be from widgettech.com, but actually it isn’t. The email is a nasty one, asking them to log in to a portal to pay one of your invoices but the portal is not a real payment portal, it’s going to grab their username and password and try to log on with it.Bypassing MFA - how it happens and other tools to consider for cyber security
  • When the GadgetTech email servers receive the malicious email they check (using SPF and DKIM) and find that it hasn’t actually come from WidgetTech. They check WidgetTech.com’s DMARC policy and as instructed, the email is dropped and never reaches the recipient – this is win #1.
  • Finally GadgetTech’s email server sends a useful report to WidgetTech’s email server telling them “we received this message pretending to be from you at this time on this day, from this source”. This is win #2 because now you can check the report and work out if you need to do anything about it.

The reports that come back are not easily readable by humans so you need a system that can do it for you and alert on it when it happens. Most businesses also forget all the systems they signed up to that send emails on their behalf (for example marketing software, survey systems and other business applications) so you start off with a “none” policy that isn’t telling recipients to reject email but still means you receive the reports. This gives you an opportunity to address the problems before moving to the full “reject” status.

Ongoing you should monitor your DMARC reports regularly to ensure that there isn’t a disruption to your legitimate email. A common issue here is that someone in the business signs up to a new service that will be sending emails but forgets to tell IT. If you’re reviewing the reports then you’ll know about the emails being rejected and you can arrange for the problem to be resolved.

Getting started with DMARC

If this sounds too complicated, then you will be pleased to know that your IT support company should be able to do this for you. Pro Drive now has a service to setup, configure and manage DMARC on your behalf.  Call us on 0330 124 3599 or fill in the form below to find out more.