Is an email hacker impersonating your brand? You need DMARC.

SMX Blog Banner DMARC June 2023

Make implementation simple

Cybercriminals’ favourite attack strategy? Sending an email. 90% of successful cyberattacks in Australasia come in through email phishing, scams and fraud. There’s a way to stop them from entering inboxes altogether: DMARC. 

While we see more and more New Zealand enterprises take the first step towards implementing the email authentication protocol, that’s as far as they go. Is it enough? Not quite.

DMARC explained

DMARC has been around since 2015. It could be a game changer in cybersecurity if only organisations would use it.  

It validates every email using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). DKIM signatures confirm that an email’s content lines up with the sending source – it may say it’s from a well-known brand, but is it coming from one of their domains? SPF strengthens these checks by letting a domain owner – the brand, in this case – say which IP addresses can send from their domain, which hardens email security by restricting who can send email as that domain.

DMARC pulls these two protocols together under a policy tailor-made for an organisation. This instructs any incoming server on what to do with suspicious emails – quarantine or block. Domain owners will also get reports, so they can improve processes and take action fast if they spot domain spoofing.  

In 2016, DMARC was mandated for UK government agencies. In 2017, the US followed suit. We expect DMARC will become mandatory for Australasian organisations soon, with the NZISM currently stating government agencies MUST deploy DMARC. For many governmental organisations it’s already a compliance requirement, but we’re also working with many brands dealing with the threat or risk of impersonation attacks.

The three phases of DMARC implementation

Step 1: implementing DMARC

According to our annual DMARC State of Nation survey, the last three years have seen an increase in the number of Australasian organisations implementing DMARC. This gives them visibility over who is sending emails as their brand – a great start, but this phase won’t offer any protection. ‘Reporting mode’ is where most organisations stall.

Step 2: enforcing DMARC

DMARC enforcement – or reject mode – means you’ve identified your sending sources and authorised which can send on your behalf. This ensures that email from unauthenticated sources will be immediately rejected by the recipient's email platform. It protects everyday people and businesses from cybercrime while safeguarding your brand reputation.

Step 3: maintaining DMARC

Organisations aren’t static, and neither is the threat landscape. You need to continue monitoring your DMARC policies over time, so they identify any new sending sources and report on any new risks or impersonation attacks.  
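To check which of these phases a domain is actually in, the sketch below reads a published DMARC record and reports the gaps. It is an added example, not SMX code: the tag names (`v`, `p`, `sp`, `pct`, `rua`) come from RFC 7489, the sample records are constructed, and labelling `quarantine` or `pct` below 100 as "partial" is this example's own convention.

```python
# Added example. Tag names follow RFC 7489; the sample records are constructed.

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict of tags, in record order."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (phase, findings) for one DMARC TXT record."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    # v=DMARC1 must be the first tag, and p= must be a known policy.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" \
            or policy not in ("none", "quarantine", "reject"):
        return "invalid", ["not a usable DMARC policy record"]
    findings = []
    pct_raw = tags.get("pct", "100")          # pct defaults to 100 when absent
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        phase = "reporting"                   # Step 1: visibility only
        findings.append("p=none: unauthenticated mail is still delivered")
    elif policy == "reject" and pct >= 100:
        phase = "enforcing"                   # Step 2: reject mode
    else:
        phase = "partial"
        findings.append(f"p={policy} pct={pct}: not yet full reject")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are still in reporting mode")
    if "rua" not in tags:                     # Step 3 depends on these reports
        findings.append("no rua=: no aggregate reports to monitor senders")
    return phase, findings

SAMPLES = {  # constructed records for reserved example domains
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=reject; sp=none",
    "spf.example.com": "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        phase, findings = assess(record)
        print(f"{domain}: {phase}", *findings, sep="\n  - ")
```

In practice the record string would come from the TXT record at `_dmarc.<your domain>`; the lookup is left out so the example runs offline.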

"DMARC provides protection, but also the data for ongoing review and monitoring of your security posture," says Jamie Callaghan, SMX Head of Product.

Pushing beyond reporting mode

DMARC is exceptionally valuable, but only if you use it. Many organisations have begun implementing DMARC but don’t take the final step from reporting to enforcement. That’s down to two things: lack of specialised expertise and too much risk. Email is the lifeblood of an organisation, connecting departments, suppliers and customers – if it stops, so does the business. In-house IT teams rarely have the experience to manage a DMARC implementation – there’s too much chance that a botched implementation will bring down the email system. Understandably, DMARC enforcement goes into the too-hard basket.  

Smooth rollouts: people, process, technology

Domain Protection Service (DPS) from SMX is a managed service designed to deliver a fast, smooth DMARC rollout with no risk of email downtime.  

  • People: SMX’s email experts work with multiple stakeholders to understand your operations and define your policy. 
  • Platform: World-class reporting tools give you full visibility over your data. We report on sending behaviour and remote sites and then offer usable insights based on that data.  
  • Process: Implementation follows a proven process framework, so it’s fast and very low risk.  

When you’re ready to implement DMARC for your organisation, start here.

Protect your people, domains and brands

DMARC isn’t just about security. It’s also about ensuring the people emailing on your behalf are legitimate, and protecting your brand from any potential damage. But it needs to be implemented properly.   

Want more info on DMARC and our Domain Protection Service? Watch the full interview with Jamie.