We’ve been helping businesses with SPF, DKIM, and DMARC for years, so we’ve heard a lot about it. People like to make outrageous claims about it. As a result, there’s a lot of misinformation out there. We recently came across a claim we hadn’t heard before. This time, the claims are based on how DMARC works.
The author of this article claims that DMARC won’t improve email security at all. We disagree. Before you write off DMARC as another failed tech idea, let’s consider both sides of the argument. Then you can decide if you think DMARC improves email security.
First, Let’s Look at How DMARC Works
DMARC’s RFC (Request for Comments, a formal document published by the Internet Engineering Task Force, or IETF) is very clear about what DMARC is meant to do. DMARC allows domain owners to monitor emails sent from their domains and block unauthorized emails that use their domains. DMARC uses SPF and DKIM to determine which senders are authorized to send from a particular domain. When a domain is on a DMARC Reject policy and a sender is not authorized for the domain based on SPF or DKIM, the email is not delivered.
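To make that evaluation concrete, here is an added Python example (not Fraudmarc’s code and not part of the original post) that models the receiver-side DMARC check: take the SPF and DKIM results the receiver already has, test whether either one is aligned with the domain in the From header, and apply the domain’s p= policy when neither is. The domains, the DMARC record and the authentication results are constructed for the example; the organizational-domain function is a deliberate simplification (real receivers use the Public Suffix List), and the pct= tag is not modeled.

```python
from dataclasses import dataclass
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.
    Assumption for this example: the last two labels. Real receivers
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ("r") alignment needs the same organizational domain;
    strict ("s") alignment needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver already knows before DMARC runs."""
    spf_result: str = "none"   # SPF result for the RFC5321.MailFrom domain
    spf_domain: str = ""
    dkim_result: str = "none"  # DKIM result for the signature's d= domain
    dkim_domain: str = ""


def evaluate_dmarc(from_header: str, dmarc_record: str, results: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition a receiver would apply."""
    display_name, address = parseaddr(from_header)
    # Only the domain of the RFC5322.From address is evaluated. The display
    # name is parsed out here purely to show that DMARC never looks at it.
    from_domain = address.rpartition("@")[2].lower()
    tags = parse_dmarc_record(dmarc_record)

    spf_ok = results.spf_result == "pass" and is_aligned(
        from_domain, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = results.dkim_result == "pass" and is_aligned(
        from_domain, results.dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok

    # The subdomain policy (sp=) applies when the From domain sits below the org domain.
    policy = tags["p"]
    if from_domain != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject"  # constructed record for example.com
    # Forged From header relayed through an unrelated (unaligned) mail server.
    spoof = evaluate_dmarc("Acme Billing <billing@example.com>", record,
                           AuthResults(spf_result="pass", spf_domain="mail.unrelated-sender.example"))
    # Genuine mail carrying a DKIM signature from example.com itself.
    legit = evaluate_dmarc("Acme Billing <billing@example.com>", record,
                           AuthResults(dkim_result="pass", dkim_domain="example.com"))
    for verdict in (spoof, legit):
        print(verdict["from_domain"], verdict["dmarc"], verdict["disposition"])
```

Running the script prints a `fail reject` line for the forged message and a `pass none` line for the genuine one. The same function also shows the limit discussed later in the post: a message from a different domain that has its own valid DMARC record and its own aligned DKIM signature passes, whatever the display name says.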
The Argument Against DMARC
DMARC does not solve the phishing problem because it will not block all types of phishing emails. Deceptive and malicious emails can still be sent that claim to be from a business using a strict DMARC policy, because servers do not perceive an email the same way that an end user does.
The difficulty with DMARC, according to this argument, comes from determining whose perception of the email is relevant in order to secure the domain against phishing emails. Is it relevant to consider how the system (the servers that receive emails and evaluate domains using DMARC) perceives an email? Or does only the user’s perspective matter for email security? The author argues that only the user’s perspective is relevant because the “threat actor’s” (as the author refers to attackers) objective is to fool the user, not the system. The author refers to this as DMARC’s Achilles heel.
DMARC blocks spoofed emails. However, there are other ways to make an email look like it’s from someone else. For example, there’s the display name, which is the name displayed next to the from address. The display name can be anything the sender wants to write, and it is not evaluated by DMARC. An attacker could claim to be a particular individual, business, or government agency in the display name, without using the corresponding domain name in the from address. If they register a different domain and set up authentication for it, they can send an authenticated email that looks like it’s from their target; it just won’t be authenticated as the target’s domain. This skirts DMARC and, from the user’s perspective, still appears to be from the target.
There’s also the challenge of cousin domains, which are visually similar domains. For example, paypa1.com is visually similar to paypal.com. The author gave the example of govdelivery.com vs usgovdelivery.com. The danger of cousin domains is not necessarily how visually similar the domains are, but the user’s expectation of what the domain should be. With phishing, it’s all about the user’s perspective.
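Both gaps described above, display names and cousin domains, sit outside what DMARC evaluates, so a receiver that wants to catch them needs a separate check. The following Python example is added here and is not Fraudmarc’s code or part of the original post: it parses the From header, flags a display name that carries a protected brand while the address domain is not one of that brand’s own domains, and flags cousin domains by folding common look-alike characters (paypa1 to paypal) and by edit distance. The brand list, the legitimate domains and the sample headers are constructed; the registrable-domain helper is a simplification of what the Public Suffix List provides, and the whole check is a heuristic that will need tuning for short brand names.

```python
from email.utils import parseaddr

# Constructed for this example: brands to protect and the domains they really send from.
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
    "govdelivery": {"govdelivery.com"},
}

# Digit-for-letter substitutions that make a cousin domain read like the real one.
CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "9": "g"})


def normalize_label(label: str) -> str:
    """Fold common look-alike characters back to the letters a reader sees."""
    return label.lower().translate(CONFUSABLE_CHARS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character variants such as paypall."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Assumption for the example: the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_sender(from_header: str) -> list:
    """Flag display-name impersonation and cousin domains for one From header.
    Returns (finding, brand) tuples; an empty list means nothing was flagged."""
    display_name, address = parseaddr(from_header)
    domain = registrable_domain(address.rpartition("@")[2])
    name_part = normalize_label(domain.split(".")[0])
    compact_display = display_name.lower().replace(" ", "")
    findings = []
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if domain in legit_domains:
            continue  # the brand's own domain: DMARC already covers this case
        if brand in compact_display:
            findings.append(("display_name_impersonation", brand))
        if brand in name_part or edit_distance(name_part, brand) <= 1:
            findings.append(("cousin_domain", brand))
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a cousin domain with a brand display name,
    # the cousin domain from the post, a display-name-only impersonation,
    # and a genuine sender.
    for header in ('"PayPal" <billing@paypa1.com>',
                   "alerts@usgovdelivery.com",
                   "PayPal Support <help@mail-unrelated.example>",
                   "PayPal <service@paypal.com>"):
        print(header, "->", check_sender(header))
```

In practice a receiver would run this after DMARC rather than instead of it: DMARC settles whether the domain in the From address is genuine, and this check asks whether the name or the domain is trading on someone else’s brand, which is exactly the part DMARC leaves to the user.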
All of the author’s claims about DMARC and the ways attackers can get around it to deliver their malicious messages to their victims “from” their targets are accurate.
So… DMARC is NOT the Answer We Thought It Was?
If you’ve read our previous posts, you know that we’ve never claimed DMARC will stop all types of phishing emails. We have even described these exact challenges with relying on DMARC alone as a complete security measure. See our post, What DMARC Can and Can’t Do for Domains.
But let’s go back to the root of the argument: whose perspective is relevant? Does it matter how the system perceives the email? Or is it really only about the user’s perception?
Consider this: which is easier to fool, the system or the user? The user is definitely easier to fool. So making it impossible for an attacker to fool a user is a different, and much bigger, problem than DMARC was created to solve. When properly implemented, DMARC makes it impossible for an attacker to fool the system. This allows the system to reduce the volume of attacks by blocking blatantly spoofed emails from inboxes. The system’s perspective is relevant because it reduces the burden on the user, even though the user’s perspective is the focus of all attackers.
(Note: The phishing messages that get around DMARC do not “fool the system.” DMARC limits its control to the particular domain it protects; that’s why it doesn’t cover display names and cousin domains.)
Domains are Better Off With DMARC
Can an attacker get around DMARC? Yes. We’ve covered that. So DMARC is not a completely foolproof and unbreakable system. However, no security system is flawless. The main mechanism of protection offered by most security systems is raising the cost of breaking the security until the cost is higher than the protected value. DMARC raises the cost of breaking email security, and we will continue developing more security layers to raise the cost even higher.
Just because it isn’t an all-encompassing solution does not mean it doesn’t increase security. That would be like saying there’s no need to keep your Social Security number secret because someone might succeed at assuming your identity without using your SSN.
Let’s consider this from the perspective of the attacker for a moment. If you want to deceive users into giving you something of value, you could buy a cousin domain, set up authentication for it, and change the display name on the message in hopes that you didn’t choose a tech-savvy or detail-oriented victim. But why would you go through all of that if you could just use the target’s actual domain? When businesses leave their domains unprotected, they are making it easier for attackers to target them.
The author claims DMARC does not solve the phishing problem completely and therefore does not increase email security. We agree that DMARC doesn’t block all phishing, but it does block spoofed email, which definitely increases email security. There’s more to be done beyond DMARC to put an end to phishing emails, and Fraudmarc will be here to do that when it’s time. But given the current low adoption of DMARC across the internet, it seems prudent to first take this step towards email security. Then we can move on to the next step in increasing email security. If you could reduce the volume of phishing emails your contacts receive, and make it easier for them to distinguish between legitimate email and phishing email, why wouldn’t you do it? (Hint: you can with DMARC!)
Fraudmarc Can Help
Email authentication is what we do. We have a variety of tools, plans, and services, including SPF Compression℠ and DMARC Reports. In addition, Fraudmarc CE offers a completely open source version of Fraudmarc’s reports. We offer resources in our blog and support through Fraudmarc’s community page. If you’re looking for help with email authentication, you’ve come to the right place.