In my previous article I outlined the first element of the three-pronged approach to eliminating phishing emails. This involves email service providers screening and rejecting spoofed emails based on explicit policies specified by legitimate email domains. About 85% of all ESPs already observe these policies when they are provided, so now the matter is in the hands of legitimate organizations. This is the second prong of the approach.
Any organization – a business, government agency, educational institution, charitable organization, and so on – that sends out email must implement DMARC in order to protect its own domain(s). The process isn’t difficult but it does involve a little legwork. Read what to do in these two articles:
- Step-By-Step Instructions to Implement DMARC in Your Organization, Part 1: Laying the Groundwork
- Step-By-Step Instructions to Implement DMARC in Your Organization, Part 2: Deploying the DMARC Record
There are service companies that will do this implementation and, more importantly, will receive, consolidate and analyze the regular DMARC reports for any organization that prefers not to tackle this alone. Agari and Message Systems are two such vendors, among others.
Once an organization has fully implemented DMARC, it gives the ESPs the directive to reject any and all email messages that claim its domain but come from an illegitimate source. The only legitimate sources are those sending systems that pass the SPF or DKIM checks the organization has set up for its domain on its behalf. This includes the organization itself and any outsourced providers such as a marketing partner.
How well does this process work? Agari reports that it has begun working with a large U.S. bank. Prior to implementing DMARC, this bank had some 20 million phishing emails attempted against its domain names per month. After DMARC, that volume has dropped to under half a million attempts per month, and of those, about 80% are being blocked before they can reach their intended targets. The actual number of phishing attempts getting delivered is now down to about 100,000 per month. The number hasn’t gone to zero yet because of the email service providers like Fred’s ISP that haven’t implemented DMARC on their side yet.
It’s imperative for every organization to implement DMARC now. The leading edge of companies that intend to implement DMARC have already done so, and that means their mail is now protected so cyber criminals are moving down the road to the unprotected organizations. As the pool of possible targets shrinks, the risk of having one’s brand abused increases. It’s only a matter of time before the criminal elements target your organization if it remains unprotected.
The third and final leg of this three-pronged approach involves using takedown vendors that have the legitimate authority to force Internet service providers to remove a hosted website that is using another organization’s name, likeness and trademarks. Takedown vendors like Cyveillance, RSA and Internet Identity use the legal and remediation mechanisms available with ISPs to shut down these sites. How do you know what these URLs are? This information comes directly from the DMARC reports that are sent from the ESPs. These reports detail the originating source of every email message – legitimate or not – sent using an organization’s domain. The illegitimate sources are the ones to shut down in order to protect consumers who might be drawn to their URLs. Just as importantly, this protects an organization’s brand identity.
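As an added illustration (not code from this article or from any vendor named in it), here is a small Python triage of a DMARC aggregate report in the XML format defined by RFC 7489: it reads a constructed report and lists the sending sources whose mail failed both SPF and DKIM alignment for the domain, which are the sources the reports expose. The ESP name, report id and IP addresses are made-up placeholders from the documentation ranges.

```python
# Added example, not from the original article: triage a DMARC aggregate
# (RUA) report (RFC 7489 XML) and list sources that failed alignment.
# The report below is constructed; esp.example, bank.example and the
# 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>esp.example</org_name>
    <report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>bank.example</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>60</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers></record>
</feedback>"""


def failing_sources(report_xml):
    """Return (domain, [(source_ip, count, disposition), ...]) for every
    record in which neither DKIM nor SPF passed with alignment, largest
    senders first. A record with dkim=pass or spf=pass is the organization
    itself or an authorized third party (e.g. a marketing partner that
    DKIM-signs for the domain) and is left out of the list."""
    root = ET.fromstring(report_xml)  # use defusedxml for untrusted reports
    domain = root.findtext("policy_published/domain")
    failures = []
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")  # alignment-evaluated results
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        failures.append((rec.findtext("row/source_ip"),
                         int(rec.findtext("row/count")),
                         ev.findtext("disposition")))
    failures.sort(key=lambda f: f[1], reverse=True)
    return domain, failures
```

The returned list is the starting point for takedown requests and for checking that the ESP actually applied the published policy (a failing source with disposition "none" means the message was still delivered).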
DMARC might not completely eliminate phishing emails, but it can certainly go a long way toward that goal. Right now it’s up to every email-originating organization to do its part to implement DMARC for its own authorized domains. The process isn’t difficult (see my detailed steps) and helpful resources are available. For more information about deploying DMARC, read through this description from a LinkedIn engineering team. You’ll also find good resources on www.dmarc.org.