Preventing spam and phishing with DMARC

Steve Jones, executive director of DMARC.org, bluntly observed in 2015 that “spam and phishing are the new normal.” He’s right. Steve’s perspective squares with the experiences of people like us here at Lightspeed and anyone else who manages the front lines of defense at ISPs and corporate email hosts, as well as with the findings of email industry organizations like M3AAWG.

[Figure: M3AAWG spam volume chart. Source: M3AAWG Email Metrics Report]

In 2015, 28 billion spam messages were being sent every day. By some estimates, phishing is a $3.7 million annual cost for the average large enterprise. And for publicly traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”

So, spam and phishing really are the new normal. Companies must incorporate a security posture that takes into account email as a major attack vector that’s exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.

And this new normal is why DMARC.org does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.

ISPs are moving to an authentication-only world. So should you.


The biggest consumer mailbox providers prefer authenticated email. But that preference may be changing to a mandate.

In 2015, Yahoo took the plunge and published a “p=reject” DMARC record. By doing so, Yahoo essentially told receivers, “if you can’t verify an email came from Yahoo, throw it away. No exceptions.” (Of course, Yahoo also didn’t do a great job protecting people’s passwords, but that’s a separate security issue.)

In the Asia-Pacific region, service providers like Lightspeed have taken the lead and published both “p=reject” and “sp=reject” records for a large percentage of their customers (it’s easier on a new domain, as there are fewer bad habits to break).
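To make the “p=reject” / “sp=reject” distinction concrete, here is an added example (not Lightspeed’s or DMARC.org’s code) that parses a DMARC TXT record and reports which policy a receiver applies to the organizational domain versus one of its subdomains; the record strings and the example.com addresses are constructed.

```python
# Added example (not Lightspeed's or DMARC.org's code): parse a DMARC TXT
# record and work out which policy a receiver applies to the organizational
# domain versus one of its subdomains. Record values below are constructed.

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> dict:
    """Split a record such as "v=DMARC1; p=reject; sp=reject" into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("invalid sp= tag")
    return tags

def effective_policy(tags: dict, is_subdomain: bool) -> str:
    """sp= governs subdomains and, when absent, defaults to the p= value."""
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]

# Constructed records for the postures discussed above.
RECORDS = {
    "strict":  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, txt in RECORDS.items():
        t = parse_dmarc(txt)
        print(f"{name:8} domain={effective_policy(t, False):10} "
              f"subdomain={effective_policy(t, True)}")
```

To check a live domain, fetch the TXT record at `_dmarc.<domain>` (for example with `dig +short TXT _dmarc.example.com`) and pass the string to `parse_dmarc`.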

There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders have long been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that not everyone has yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!

It’s time to splice email authentication into corporate DNA.

The guardians of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.

But what about email? It’s the lifeblood of every company doing business on the internet today. Yet at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools for the brute-force bad guys, but they do little against phishing (and spear-phishing) attacks.

The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.

Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.

Here’s a sample DMARC report for our own domain here at Lightspeed. After a few months, the bad guys practically stop trying to send email as you, which lets people within the company, as well as all your correspondents, know that email from your domain really is from somebody within your company.
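The report itself is what tells you whether spoofers are still trying. As an added example (not Lightspeed’s or DMARC.org’s code), the script below summarises a DMARC aggregate (rua) report per sending source and lists the sources whose traffic failed authentication entirely; the XML is constructed sample data in the RFC 7489 Appendix C layout, and the IP addresses and domains are placeholders.

```python
# Added example (not Lightspeed's or DMARC.org's code): summarise a DMARC
# aggregate (rua) report so a domain owner can see which sending sources are
# authenticated and which are spoofing the domain. The XML is constructed
# sample data in the RFC 7489 Appendix C layout, not a real report.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><sp>reject</sp></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarise_rua(xml_text: str) -> dict:
    """Per-source counts of DMARC-aligned vs unauthenticated messages.

    A message passes DMARC when either aligned DKIM or aligned SPF passes.
    Reports come from third parties: a production parser should use defusedxml.
    """
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "dispositions": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        aligned = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        summary[ip]["pass" if aligned else "fail"] += count
        summary[ip]["dispositions"].add(ev.findtext("disposition"))
    return dict(summary)

def spoofing_sources(summary: dict) -> list:
    """Sources whose every message failed alignment: the traffic p=reject stops."""
    return sorted(ip for ip, s in summary.items() if s["pass"] == 0 and s["fail"])

if __name__ == "__main__":
    s = summarise_rua(SAMPLE_RUA)
    for ip, counts in s.items():
        print(ip, counts)
    print("unauthenticated sources:", spoofing_sources(s))
```

Run against your own rua reports, a shrinking `spoofing_sources` list over successive weeks is the trend the paragraph above describes.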

As an interim step toward authenticating the person, deploying DMARC at least gives receivers on any responsible corporate email service provider a way to verify the sending domain (Hint: check their domain’s DMARC record here by typing it into the box like this:

Lightspeed’s DMARC record is public as well. Also, if you’re interested, here is how the Singapore ISPs stand on this: SingNet, M1 and StarHub all had no DMARC records at the time this article was written (here’s hoping they fix that soon). That is just one of the many reasons why Lightspeed should be your email provider of choice if you care about your online reputation.

Adopting email authentication standards like DMARC (and transport-layer encryption standards such as STARTTLS) will go a long, long way toward improving your digital messaging security posture. What are you waiting for? Do it.