Domain-based Message Authentication, Reporting, and Conformance, aka DMARC, has long been a best-practice recommendation that helps organizations protect their email domains from spoofing scams. And yet, many companies still haven’t fully embraced this anti-phishing standard.
But now may be the time to act, as recent events have provided a strong impetus for organizations to take this email security practice more seriously. These developments include mandates from two tech giants, and a recent U.S. government warning about a North Korea-based spear phishing operation that impersonates entities with non-existent or overly permissive DMARC policies.
For those unfamiliar, DMARC is one of four key pillars of email authentication. The first pillar is Sender Policy Framework (SPF) – a DNS (Domain Name System) record that lists the mail servers permitted to send outgoing email on behalf of a particular domain. The second pillar is DomainKeys Identified Mail (DKIM) – a verification process based on cryptographic signatures that is used to prove that an emailed message hasn’t been altered while in transit.
Next up is DMARC, which allows companies to set rules for any emails that fail either the SPF or DKIM process. The company can allow these emails to still reach the recipient’s inbox, or it can demand that the potentially spoofed email be blocked or quarantined in a spam folder. And finally, the fourth pillar is Brand Indicators for Message Identification (BIMI) – a newer layer of security that allows senders to include their brand’s logo in email messaging, for further verification.
Companies that have yet to implement DMARC may find themselves encountering technical difficulties with their e-marketing campaigns, as they might end up being blocked. That’s because Google and Yahoo are enforcing mandates for emails that are sent to inboxes running on their respective email platforms. Both of these tech giants began requiring mass email senders to institute a DMARC policy as of February 2024.
If that weren’t enough incentive, a joint advisory issued in May 2024 by the FBI, the U.S. Department of State and the National Security Agency (NSA) warned that the malicious North Korean hacker group Kimsuky has been exploiting weakly configured DMARC policies in order to conduct a stealthy, intelligence-gathering spear phishing campaign that impersonates experts specializing in East Asian affairs.
“Without properly configured DMARC policies, malicious cyber actors are able to send spoofed emails as if they came from a legitimate domain’s email exchange,” the advisory warned readers.
The advisory recommends that companies ensure their DMARC policies are set to either a “quarantine” or “reject” policy – but not “none,” which allows unauthenticated, possibly spoofed emails to pass through to the recipient. It also suggested that organizations “set other DMARC policy fields, such as ‘rua’ to receive aggregate reports about the DMARC results for email messages purportedly from the organization’s domain.”