Most cyberattacks rely on something called “social engineering” to be successful.
Social engineering is when a cyber-criminal “short-circuits” our normal due diligence by:
- applying pressure to the victim, and
- assuming someone else’s identity, and the authority which comes with that identity.
Sometimes, those attacks will happen over the phone – for example, someone pretending to be a senior partner at your firm phoning someone in accounts and insisting that an invoice is paid straight away.
Most times though, these attacks happen by email. 96% of all attempted cybersecurity breaches are currently caused by either email cloning or phishing attacks.
Email is the delivery method of choice for cybercriminals because, in its most popular form, it’s an insecure technology full of vulnerabilities which are relatively easy for hackers to exploit.
Emails can be compromised on the device you’re using, on the device your recipient is using, on IT networks, and on internet servers. They are particularly easy to compromise on your device and on your recipient’s device.
Email is, in essence, a 50-year-old app built with no intrinsic security or privacy in mind.
“From names”, reply to addresses and more can be spoofed to make a recipient believe that an email has come from a friend, family member, business partner, or trusted supplier.
It’s so easy to do in fact that one of its most catastrophic applications for victims has been the well-publicised rise in conveyancing fraud.
In this article, Sprout IT examines DMARC – a protocol designed to protect your firm from others using your domain in cyber attacks based on phishing and email spoofing. We’ll tell you:
- what is DMARC – in the simplest possible terms, please
- what is DMARC’s most significant benefit to legal firms?
- what is a DMARC record?
- when is an email DMARC compliant?
- how does DMARC protect against email spoofing?
- more on Sprout IT's DMARC solution – OnDMARC
What is DMARC – in the simplest possible terms, please
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.” When deployed, your firm provides a DMARC DNS record to your DNS hosting company. When you send an email, assuming the recipient’s email system supports DMARC, their email system checks to see whether your domain has a DMARC record.
DMARC builds upon the following two technologies to determine an email’s authenticity:
- Sender Policy Framework (SPF)
  - SPF helps to identify the mail services which are allowed to send emails from a given domain
- DomainKeys Identified Mail (DKIM)
  - A system developed by Yahoo! which checks an embedded, encrypted key within an email against a public register
If either the SPF or DKIM alignment and authentication tests on your email fail, DMARC decides what to do with the email based upon your DMARC policy.
You can instruct that emails which fail the SPF and DKIM tests are allowed to pass, are quarantined, or are rejected. Whatever happens to the message, a report on the outcome is then sent back for inclusion in a “DMARC Aggregate Report”. The results are sent to the email address specified in your domain’s DMARC record.
DMARC is not universal yet however it is being used by an increasing number of ISPs.
Many argue that DMARC may become a default part of email which, in future, will plug the privacy and security deficiencies of the standard email system.
When is an email DMARC compliant?
An email is compliant with DMARC when you have configured and implemented your DMARC profile for each and every email domain within your practice.
What is a DMARC record?
Stored within your DNS database is a specially formatted text record using a particular name like “_dmarc.sproutit.co.uk” (all names must start with an underscore).
The record itself will take a format like the following:
_dmarc.sproutit.co.uk. IN TXT "v=DMARC1\; p=none\; rua=mailto:firstname.lastname@example.org\; ruf=mailto:email@example.com\; rf=afrf\; pct=100"
What does this mean?
- The “v=” field is what the recipient’s email server looks for when it is trying to retrieve your DMARC record. If it does not take the format v=DMARC1, the recipient’s email server will not run a check.
- The “p=” field tells the recipient’s email server what it should do with emails which have failed the DMARC test. You can instruct the server to do nothing, to quarantine, or to reject.
- The “rua=” field tells the recipient’s server where to send aggregate reports of DMARC failures – they are sent every day to the domain’s administrator.
- The “ruf=” field tells the recipient’s server where to send detailed reports of DMARC failures – they are sent in real time.
- The “rf=afrf” field tells the recipient’s server what type of failure report the administrator of your domain wants to receive.
- And, finally, the “pct=100” instructs the recipient’s server how much of your firm’s mail should be handled in the way you’ve stipulated.
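The policy handling described above (a message that fails both the SPF and the DKIM alignment checks receives the disposition named in “p=”, scaled by “pct=”) and the record tags just listed can be tied together in a few lines. The following is an added example written for this article; it is not Sprout IT’s or OnDMARC’s code. The record text, domain names and mailbox addresses are constructed, and the relaxed-alignment check is a simplification: real receivers use the Public Suffix List to find the organisational domain rather than a plain subdomain comparison.

```python
"""Parse a DMARC TXT record and apply its policy to one inbound message.

Added example, not Sprout IT's or OnDMARC's code. Sample values are
constructed; alignment uses a simplified organisational-domain test.
"""
import random

# Constructed record in the same shape as the article's example.
SAMPLE_RECORD = ("v=DMARC1\\; p=quarantine\\; rua=mailto:dmarc-agg@example.org\\; "
                 "ruf=mailto:dmarc-fail@example.org\\; rf=afrf\\; pct=100")

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Return the record's tags as a dict, or None if a receiver would ignore it.

    A receiver skips the check when the first tag is not v=DMARC1 or when the
    mandatory p= tag is missing or unknown; this mirrors that behaviour.
    """
    txt = txt.replace("\\;", ";")          # undo zone-file escaping of ';'
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        return None
    tags.setdefault("pct", "100")          # defaults from the DMARC spec
    tags.setdefault("adkim", "r")          # r = relaxed, s = strict
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment between an authenticated domain and the header From.

    Strict ('s') needs an exact match. Relaxed ('r') is approximated here as
    one domain being the other or a subdomain of it (simplification: the real
    rule compares organisational domains from the Public Suffix List).
    """
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    if mode == "s":
        return False
    return (auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def evaluate_dmarc(record, from_domain, spf_domain=None, spf_pass=False,
                   dkim_domain=None, dkim_pass=False, sample=None):
    """Return (dmarc_pass, disposition) for one message.

    from_domain: domain of the RFC 5322 'header From' address.
    spf_domain / spf_pass: domain SPF was evaluated for, and whether it passed.
    dkim_domain / dkim_pass: d= of a DKIM signature, and whether it verified.
    sample: 0-99 value compared with pct=; drawn at random when None.
    """
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(spf_domain, from_domain, record["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, record["adkim"]))
    if spf_ok or dkim_ok:                  # one aligned pass is enough
        return True, "none"
    policy = record["p"]
    if sample is None:
        sample = random.randrange(100)
    if sample >= int(record["pct"]):
        # Outside the pct= sample the spec applies the next weaker policy.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return False, policy


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    print(rec)
    # Genuine mail: aligned DKIM signature from a subdomain, relaxed mode.
    print(evaluate_dmarc(rec, "example.org",
                         dkim_domain="mail.example.org", dkim_pass=True))
    # Spoofed header From: SPF passed, but for an unrelated sending domain.
    print(evaluate_dmarc(rec, "example.org",
                         spf_domain="unrelated.example", spf_pass=True))
```

Running the block prints the parsed tags, then `(True, 'none')` for the aligned message and `(False, 'quarantine')` for the spoofed one: SPF passing on the envelope sender is irrelevant to DMARC unless that domain aligns with the visible From address, which is exactly the gap spoofers exploit and DMARC closes.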
How does DMARC protect against email spoofing?
DMARC is the best solution so far in providing recipients with a high degree of trust that the “header from” address in your emails is correct and genuine.
There are limitations however. Cyber criminals can use email addresses which are a close match to yours, and they can still alter the “From name” so that it appears to be a trusted contact.
To circumvent the DMARC system, some hackers will use brand new domains for a few hours after they are registered because it can take the system a few days to shut these emails down.
DMARC and your Practice or Chambers – the next steps
DMARC should be part of a wider system of defences against email spoofing and phishing from cyber criminals using your identity in their attacks.
OnDMARC is Sprout IT’s preferred solution, allowing you to deploy and maintain DMARC protection across all of your domains. The system lets you know what’s happening across all your domains and gives you useful ways to use that information. Once implemented, your domain is protected, as we monitor and report any configuration or security issue directly to you.