Protecting Your Brand from Phishing: Using DMARC to identify, quarantine and block phishing emails.

Posted by John Pollard 

Over the past two weeks you have been provided a lot of information about how to authenticate your email streams and create a DMARC record. Ultimately, any organization that relies on email as a revenue center should aim to block suspected fraudulent messages before subscribers receive them. However, it is important not to rush into blocking suspected fraudulent messages until you have identified the scope of the problem, are confident that your outbound mail is authenticated with SPF and DKIM, and have a properly configured DMARC DNS text record.

Step 1: Identify and monitor suspected fraudulent messages

Before you start blocking suspected fraudulent messages, you need to gain visibility into all of your company’s outbound mail streams. In your DMARC record within DNS, set the ‘p=’ tag to “none”. This setting instructs mailbox providers NOT to take action if the DMARC check fails, and it still allows you to receive reports about suspected phishing activity using your domain. Use Return Path’s Email Brand Monitor to identify suspected phishing and spoofing activity.

Step 2: Quarantine suspected fraudulent messages

As you gain confidence and experience that all of your outbound mail streams are authenticating properly, take the next step and set the DMARC DNS record ‘p=’ tag to “quarantine”. Mailbox providers may act on this instruction by automatically sending suspected fraudulent messages to the spam folder, or by displaying a “suspected phishing” message that advises the subscriber to use caution when opening the message.

During this time, diligently check your reports within the Secure.EQ solution user interface. With the ability to receive DMARC reports, our solutions analyze the aggregate reports and present back detailed intelligence on suspicious messages and authentication failures. Our anti-phishing solutions have integrated support for DMARC, helping you to quickly and easily take advantage of the benefits.

Step 3: Block phishing and spoofing messages

Once you are confident that your system is authenticating all outbound mail streams with no errors, set the DMARC DNS record ‘p=’ tag to “reject” and place your domains on Return Path’s Domain Protect Registry. This instructs the mailbox providers to block suspected fraudulent messages. The first two steps are critical before changing your DNS record to “reject”. If you have not first identified your suspected fraudulent messages and started receiving and monitoring quarantined messages, you could be at risk of instructing ISPs to block your own messages.

Spoofing and phishing are an increasingly big problem for companies worldwide, so continue to arm yourself with the information and the tools your business needs to protect your valuable subscribers from phishing attacks. All mailbox providers, including Gmail, Yahoo!, AOL and Microsoft, take phishing attacks very seriously. Phishing attacks not only harm your brand’s image but can also lead mailbox providers and subscribers to perceive your legitimate messages as phishing attacks or spam.


About John Pollard

John is a Senior Knowledge Strategist at Return Path. He is dedicated to building and maintaining knowledge and content assets to help marketers maximize the value of their email programs. John believes that sharing knowledge feeds the imagination, fosters collaboration and empowers people to grow and evolve. He has been in the email marketing industry since 2008 and has consulted numerous businesses and ESPs on deliverability and email optimization. Prior to joining Return Path, John worked in the finance industry with roles in business analysis and system administration.
