It is more than a month since many of us travelled by air. But we can still remember how the security officer stopped us at the gate to check our tickets/boarding passes and compared it with our identification documents. The security officer matches our name in the ticket/boarding pass with our identification documents like driving license or passport. He allowed us if the details matched or stopped us from going inside if the details did not match.
Now take the case of emails. Even though the email provider knows that the incoming email is a spoof email, they still allow it. This email is delivered either in the inbox or in the bulk/junk folder. In this current COVID-19 situation, the number of spoof emails sent increased substantially. Many are falling victims and are losing their previous earnings. Losses due to compromise of the email system or user are high - according to a 2016 report from the FBI, approximately the amount lost to CEO Email Scams is $2.3 billion. The email is the most common vector in over 90% cyber-attacks across the world.
But why are they delivering this spoof email and not rejecting just like what the security officer did? Because there is no such rule written for email.
Email Spoofing is a method where the sender makes it appear that the message originated from someone or somewhere and not from the actual source. It is a popular method used in phishing and spam campaigns because unsuspecting people will open emails, thinking that they came from known or reliable sources.
Organizations can stop spoof emails impersonating as them from reaching their customer’s inbox or junk/bulk folder by enabling DMARC.
What is DMARC?
To fight email spoofing, a group of leading organizations came together to collaborate on a method to combat email spoofing at internet-scale.
The founding contributors included:
· Receivers: AOL, Comcast, Gmail, Hotmail, Netease, Yahoo! Mail
· Senders: American Greetings, Bank of America, Facebook, Fidelity, JPMorgan Chase & Co., LinkedIn, PayPal
· Intermediaries & Vendors: Agari, Cloudmark, ReturnPath, Trusted Domain Project
The primary mission was two-fold:
1. Enable senders to publish easily discoverable policies on unauthenticated email
2. Enable receivers to provide authentication reporting to senders so that they can improve and monitor their authentication infrastructure
The common goal for the group was to develop an operational specification, with the desire that it would be able to achieve formal standards status. The result was –the creation of an email authentication protocol - Domain-based Message Authentication, Reporting, and Conformance, commonly referred to as DMARC.
The Protocols, Explained
The authentication protocols enable the elimination of email spoofing and the integrity of the email, and its sender is established. To achieve this, DMARC and the following components should be configured.
1. DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor the protection of the domain from fraudulent email.
2. Domain Keys Identified Mail (DKIM) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature.
3. Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF, an organization can publish authorized mail servers.