The Technology That Prevent Becoming a Victim of Email Spoofing

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an anti email spoofing technology first drafted in 2012 to help address the issues of fake and phishing email messages. The system is well understood in the IT field to successfully block fraudulent emails, the UK alone in 2017 blocked 80 million fake emails using the DMARC policy in government domains, at the time of this writing around 29% of gov.uk domains are using DMARC. This is something that the NCSC (National Cyber Security Centre) is proud of as DMARC basically saved a lot of people in the UK government offices with a lot of potential headaches.

“That’s how you stop people clicking on the link, because they never get the crap in the first place. Simple things done at scale can have a difference,” emphasized Dr. Ian Levy, NCSC’s Technical Director. The technology is there, so might as a well take advantage of its availability. “DMARC is another tool we have to reduce the amount of spam hitting end users and to bring some trust back to the From: field in email headers. It should be implemented everywhere SPF (sender policy framework) and DKIM (Domain Keys Identified Mail) are implemented, as DMARC provides a way to gain visibility of SPF/DKIM failures, and provides senders with information about how spam is handled,” explained Stephen Gillies, leader of Caret and Stick, a cyber consulting firm.

Unlike individuals that are restricted by the software vendors, organizations have the funding and technical capability to implement DMARC for their email systems. For an individual to receive the benefits of DMARC, the email service she should sign-up for needs to support that feature, only a few vendors/systems have that. GNU Mailman systems implemented it in October 2013, Yahoo and AOL email in 2014 however implementation was very complicated and labor intensive to maintain, it is much more convenient to ignore it altogether.

“Implementing DMARC adds to the work an email administrator needs to do, which includes things like rolling the DKIM keys and getting DNS updated. This can be onerous for companies, as the mail administrators may not be in the same team, business or organisation as whomever looks after DNS. All that said, my view is that DMARC, SPF, and DKIM have a significant impact on spam across domains, and I support the work the UK NCSC is doing in the space. No one is saying DMARC is a silver bullet for spam, but we have seatbelts and airbags. If the NCSC can consolidate reporting across the large number of government domains, there is a great deal of attack indicator data which could be generated from this resource. Consolidated DMARC reports for a top-level domain like .gov.au would provide a resource for spotting phishing/spam/malware campaigns,” added Gillies.

Cybersecurity is not always equal to plain funding for a security project, manpower and energy consumption, it also requires reasonable speed when embracing a different technology to solve the recurring issues. DMARC is a very young technology compared to the email system’s problem like junk emails it is trying to fix, which first occurred in 1978, forty-one years ago. Hopefully, the world will not wait for another forty-one years to implement it across the board, for all email users.