Commentary

A 'D' For DMARC: Email Validation System Has Holes

To hear some tell it, DMARC — Domain-based Message Authentication, Reporting & Conformance — is the greatest invention since penicillin, a surefire way to protect email security. But it has limits, according to an article in Security Boulevard.  

For example, it will not work if the brand does not correctly configure its DMARC settings.

“This is especially true for domains that use third-party services, such as email marketing campaign,” the article states. “If the third party does not correctly configure its DMARC settings, the company's brand will not be protected.”

And DMARC does not protect against spoofing from look-alike domains. For instance, “if we have DMARC enabled for chase.com however a bad actor goes and registers chase.tk (different TLD) or an IDN chas.com, DMARC does not protect against such domains.”

In addition, “DMARC is not a silver bullet and cannot detect all malicious activity,” the article continues. “For example, DMARC cannot detect malicious activity from malicious domains that are not associated with a company’s brand.” That means threat actors can target customers and employees even if DMARC is in place.


Finally, “DMARC is not a magic bullet and does not protect a company from non-email-based attacks, such as scams on social media.”

What can happen, even with DMARC in place? 

In 2019, several Twitter accounts were hacked, including those of Barack Obama, Joe Biden and Elon Musk, and fraudulent tweets were sent in their names offering to give away cryptocurrency.

How could this be? The perpetrators used domains that were not covered by DMARC policies, the article says.

Similarly, Marriott was hacked in 2018 and personal data on up to 500 million guests were exposed. Again, the malicious parties evaded DMARC checks. 

However, DMARC remains the leading email authentication tool, so much so that it is a requirement within the government. 

What can brands do to protect themselves? Security Boulevard urges them to:

  1. Identify the email authentication mechanisms being used, be they SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), or both.
  2. Determine the desired level of enforcement — security teams can quarantine email messages that fail DMARC muster, reject them altogether or record the failure and move on.
  3. Monitor DMARC reports from email servers about email messages that claim to be from their domain.
  4. Here’s one final motivation for deploying DMARC: Only DMARC-authenticated emails can display brand logos under BIMI (brand indicators for message identification).
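The steps above, and the article's point about look-alike domains, can be seen in one place with a minimal DMARC evaluator. This is an added example, not code from the article or from Security Boulevard; it assumes a constructed `DNS_TXT` table in place of real `_dmarc` TXT lookups and simplifies the organizational-domain rule to the last two labels.

```python
"""Minimal DMARC evaluation for one message (added example, not the article's code)."""

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; not real zone data.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=r; aspf=r",
}
# The three enforcement levels the article lists, keyed by the DMARC p= / sp= tag value.
DISPOSITION = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying the relaxed-alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Simplification: last two labels; real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False  # that mechanism did not pass, so it cannot align
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain: str, spf_domain, dkim_domain):
    """Return (disposition, reason). spf_domain = MAIL FROM domain if SPF passed, else None;
    dkim_domain = d= of a valid DKIM signature, else None."""
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    subdomain = record is None
    if subdomain:  # no record at the exact domain: fall back to the organizational domain
        record = DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        # Look-alike and cousin domains end up here: the brand's policy never applies to them.
        return "no-policy", "no DMARC record for the From domain or its org domain"
    policy = parse_dmarc(record)
    if aligned(from_domain, spf_domain, policy["aspf"]) or aligned(from_domain, dkim_domain, policy["adkim"]):
        return "pass", "SPF or DKIM aligned with the From domain"
    p = policy.get("sp", policy.get("p")) if subdomain else policy.get("p")
    return DISPOSITION.get(p, "monitor"), "neither SPF nor DKIM aligned"
```

A message sent through a third-party mailer that signs with its own domain fails alignment and is rejected under `p=reject`, while a message from `example.tk` never reaches the policy at all, which is exactly the gap the article describes.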

The article can be accessed here. 

1 comment about "A 'D' For DMARC: Email Validation System Has Holes".
  1. Todd Herr from Valimail, January 5, 2023 at 3:31 p.m.

    None of this is news. DMARC is designed to stop exact-domain spoofing in email; no more, and no less. Because of its reliance on DNS, a domain owner cannot use DMARC to stop the use of look-alike or cousin domains in spoofed emails unless the domain owner also has control of the DNS for those look-alike or cousin domains.

    Also, the link in "The article can be accessed here" goes to golfcourseindustry.com, not the intended article which this post references.
