Demystifying SPF, DKIM, and DMARC
In my last post for National Cybersecurity Awareness Month, I discussed the need for brands to protect their business and customers through technologies like DMARC (Domain-based Message Authentication, Reporting & Conformance). SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) used in combination with DMARC provide the most effective way today to combat spam, phishing and spoofing. But will SPF, DKIM and DMARC truly end phishing? While we’re closer than ever to ending phishing, people still have common misconceptions about fraud protection, SPF, DKIM and DMARC. I feel it's important to dispel some of these myths.
Myth #1: Phishing and spoofing are a security responsibility, not a marketing one.
Phishing is a companywide responsibility, with equal importance given to the marketing and security teams. Marketers spend a lot of time and effort on their email marketing program, including brand awareness and email engagement, and it would be a travesty to have that destroyed by a phishing attack. A partnership with the security team is essential: marketers are often on the front lines to spot phishing issues, and they also have the most to lose from a phishing attack. I would even go a step further and say every company needs a companywide policy. More eyes mean better protection, lower costs from a potentially devastating phishing attack and, more importantly, protection of the email channel as a whole.
Myth #2: “I publish an SPF record, so I’m fine”, or “I sign all my emails with DKIM, so I’m protected”, or “I use both SPF and DKIM, so I have nothing to worry about.”
Unfortunately, it is a myth that publishing an SPF record, signing with DKIM, or doing both protects you 100%. First off, mailbox providers face two major challenges in enforcing either SPF or DKIM: lack of widespread adoption by email senders and marketers, and lack of a standard policy across mailbox providers around the world on how to handle authentication failures. SPF works by publishing a DNS record listing the IP addresses authorized to send on behalf of a domain, but it does not survive email forwarding and is not an end-to-end authentication solution: it authenticates the domain in the SMTP envelope sender (the return path), not the From: address the recipient actually sees, so an attacker who sends from an IP authorized for a domain they control can put your domain in the visible From: header and still pass SPF. DKIM attempted to resolve these shortcomings by cryptographically signing selected headers and the body of each message, which lets the signature survive forwarding and makes it difficult to forge, at the cost of computational overhead for signing and verification. On the other hand, the complexity, configuration errors, intermediaries such as mailing lists modifying the body (which invalidates the signature), and the lack of any reporting back to the sender made mass adoption difficult.
SPF and DKIM did not turn out to be the silver bullet for phishing. Lack of standard use and enforcement by ISPs and the high risk of blocking legitimate email stalled progress. DMARC resolves most of these issues by building on both SPF and DKIM and requiring that whichever one passes be aligned with the domain in the visible From: header, by providing reports on authentication failures, and by giving the domain owner control over how failures are handled: p=none (monitor only), p=quarantine, or p=reject. Because a message passes DMARC if either aligned SPF or aligned DKIM passes, legitimate mail that loses SPF in forwarding but keeps its DKIM signature still gets through, so the SPF, DKIM and DMARC trinity greatly reduces the false positive issue. In short, you need all three, not just one, to protect yourself.
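To make the interplay concrete, here is an added example, written for this page rather than taken from the original post or from any product, that evaluates SPF and DMARC alignment for a handful of constructed messages against a constructed DNS zone. The domains, IP addresses and SPF/DMARC records are assumptions built from reserved documentation values; DKIM verification itself is taken as an input because it needs the message body and the selector's public key; and the organizational-domain rule is simplified to the last two labels where a real receiver would consult the Public Suffix List.

```python
import ipaddress

# Constructed DNS zone standing in for the TXT lookups a receiving MTA would make.
# Every name and address is a reserved documentation value; none of this is real infrastructure.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.bulk-sender.example -all",
    "_spf.bulk-sender.example": "v=spf1 ip4:198.51.100.10 -all",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc-rua@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms

def check_spf(client_ip, domain, _lookups=None):
    """Toy SPF evaluator for the RFC5321.MailFrom domain: handles ip4/ip6/include/all terms only."""
    if _lookups is None:
        _lookups = [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # "include" matches only when the referenced domain's own policy yields "pass"
            matched = check_spf(client_ip, arg, _lookups) == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect and macros are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" term: RFC 7208 default result

def parse_dmarc(from_domain):
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def org_domain(domain):
    # Assumption for this example: last two labels.  A real receiver uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed alignment

def evaluate_dmarc(msg):
    """msg: client_ip, mail_from (RFC5321.MailFrom address), header_from (RFC5322.From domain),
    dkim: None or (result, signing d= domain).  Returns (spf_result, dmarc_result, disposition)."""
    mail_from_domain = msg["mail_from"].rsplit("@", 1)[1]
    spf = check_spf(msg["client_ip"], mail_from_domain)
    policy = parse_dmarc(msg["header_from"])
    if policy is None:
        return spf, "none", "deliver"  # no DMARC record published: nothing to enforce
    spf_aligned = spf == "pass" and aligned(mail_from_domain, msg["header_from"], policy.get("aspf", "r"))
    dkim_aligned = False
    if msg.get("dkim"):
        result, d = msg["dkim"]
        dkim_aligned = result == "pass" and aligned(d, msg["header_from"], policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:  # DMARC needs one aligned pass, not both
        return spf, "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy.get("p", "none")]
    return spf, "fail", disposition

# Constructed messages covering the cases discussed above.
MESSAGES = {
    "legit_direct": dict(client_ip="203.0.113.5", mail_from="bounce@example.com",   # brand's own MTA
                         header_from="example.com", dkim=("pass", "example.com")),
    "spoof_own_spf": dict(client_ip="192.0.2.7", mail_from="x@attacker.example",    # forged From:, own MAIL FROM
                          header_from="example.com", dkim=None),
    "forwarded_intact": dict(client_ip="198.51.100.99", mail_from="bounce@example.com",  # forwarder, body intact
                             header_from="example.com", dkim=("pass", "example.com")),
    "forwarded_rewritten": dict(client_ip="198.51.100.99", mail_from="bounce@example.com",  # list rewrote body
                                header_from="example.com", dkim=("fail", "example.com")),
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name.ljust(22), *evaluate_dmarc(msg))
```

Running it shows the four cases side by side: the brand's own mail passes; the spoofer passes plain SPF for attacker.example yet fails DMARC because that identifier is not aligned with the From: domain, so p=reject applies; the forwarded message fails SPF but passes on its surviving DKIM signature; and the mailing-list copy whose body was rewritten fails both and is rejected, which is exactly the false-positive risk a p=none monitoring phase is meant to surface before moving to quarantine or reject.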
Myth #3: I use SPF, DKIM and DMARC, so I’m fully protected and all of my emails should be reaching the inbox now.
I know I just said that you need all three to protect yourself, but even that doesn’t go far enough. It is crucial to note that using DMARC with DKIM and SPF does not:
1. Provide authentication-level analysis and intelligence
2. Determine whether or not a sender is legitimate or bad, and therefore provide inbox placement benefits
While it is notable that DMARC provides reporting, you still need to extract the intelligence and useful insights from the data. You need this intelligence to identify trends, phishing outbreaks, the reasons behind authentication failures, and how to resolve them. Otherwise, DMARC will not be that useful for you. This is why we created Email Brand Monitor. Marketers do not have the time to extract and analyze this data on a daily basis. Email Brand Monitor provides complete visibility into all mail streams, including email sent on your behalf, by providing real-time access to authentication failures and phishing attacks. And in the likely scenario of a phishing attack, you cannot afford the time to investigate; you need to act before the damage is done. Email Brand Monitor not only solves this through real-time monitoring and reporting, but it also allows marketing and security teams to block phishing attacks proactively, or on the fly, and allows you to set policy by ISP, something not possible with DMARC alone.
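What extracting that intelligence from a raw DMARC report involves, as an added example that is not part of the original post and is not Email Brand Monitor's code: it parses a constructed aggregate (rua) report in the RFC 7489 Appendix C schema and sorts each sending source into a class that tells you what to do next. The report body, the reporter name, the IP addresses and the domain names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report in the RFC 7489 Appendix C schema, the kind a mailbox
# provider mails to the rua= address daily.  All names and IPs are reserved documentation values.
SAMPLE_RUA_XML = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>example.com-20240101</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>s</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.99</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.7</source_ip><count>3500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.200</source_ip><count>900</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>vendor.example</domain><result>pass</result></dkim>
      <spf><domain>vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>250</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def summarize_report(xml_text):
    """Roll a DMARC aggregate report up into per-source classes a team can act on."""
    root = ET.fromstring(xml_text)
    own_domain = root.findtext("policy_published/domain")
    by_class, sources, total = defaultdict(int), [], 0
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results the receiver based its DMARC verdict on
        aligned_pass = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                                  rec.findtext("row/policy_evaluated/spf"))
        # auth_results holds the raw results, including passes for somebody else's domain
        foreign = sorted({e.findtext("domain") for e in rec.findall("auth_results/*")
                          if e.findtext("result") == "pass" and e.findtext("domain") != own_domain})
        if aligned_pass:
            cls = "dmarc_pass"
        elif foreign:
            cls = "foreign_identifier_pass"  # unaligned third party, or a spoofer on their own infra
        else:
            cls = "unauthenticated"  # nothing passed at all: direct spoof or a wholly unknown sender
        total += count
        by_class[cls] += count
        sources.append({"ip": ip, "count": count, "class": cls, "foreign_domains": foreign})
    sources.sort(key=lambda s: s["count"], reverse=True)
    return {"domain": own_domain, "p": root.findtext("policy_published/p"),
            "total": total, "by_class": dict(by_class), "sources": sources}

if __name__ == "__main__":
    summary = summarize_report(SAMPLE_RUA_XML)
    print(summary["domain"], "p=" + summary["p"], "messages:", summary["total"], summary["by_class"])
    for src in summary["sources"]:
        if src["class"] != "dmarc_pass":
            print(src["ip"], src["count"], src["class"], src["foreign_domains"])
```

Three points fall out of the classes. The forwarder at 198.51.100.99 counts as a DMARC pass even though its SPF failed, because the aligned DKIM signature carried it. The two "foreign_identifier_pass" sources look identical in the report (both pass SPF or DKIM for a domain that is not example.com), yet one is a spoofer on their own infrastructure and the other is a real vendor that was never aligned; only your own inventory of authorized senders can tell them apart, and the fix for the vendor is alignment (a DKIM key published under example.com, or a return path under example.com), not adding their IPs to your SPF record while they keep their own MAIL FROM. The "unauthenticated" source is the direct spoof that p=reject is already blocking.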
And that myth about better inbox placement rates through authentication? While authentication is a best practice, it does not provide better inbox placement benefits, nor should it. Authentication is not an alternative to following best practices and having a good sending reputation. On the other hand, not blocking these phishing messages can have an effect on inbox placement, but I’ll go into that in more detail next week.
One final request from everyone reading this: do your part in the war against phishing by educating yourself, authenticating, jointly working with your marketing and security teams, and lastly educating others. You do not buy homeowner’s insurance in anticipation that your house will fall, but to protect yourself in case something does happen. Your brand and email program are no different. It is not a matter of if, but when fraudsters will spoof your brand. There are solutions out there that stop direct domain phishing right now. If you’re not protecting your brand, what’s stopping you?