Email fraud is a quickly growing problem affecting all industries and businesses of all sizes, and addressing it is a top priority for many organizations. The FBI recently released a report detailing $26.2 billion lost to BEC/EAC attacks since 2016; BEC/EAC is just a single attack vector of email fraud, which shows how pervasive the issue has become.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an excellent email authentication tool for protecting trusted domains from identity deception attacks. However, DMARC must be implemented responsibly in order to work properly: a DMARC deployment must account for all legitimate 3rd-party email senders, block fraudulent messages, and ensure that your organization is prepared to handle the feedback it generates. When embarking on a DMARC implementation journey, there are several points that every organization should consider:
Effective DMARC implementation takes time
Naturally, when most organizations begin to implement DMARC email authentication, their goal is to enforce a DMARC ‘reject’ policy on their trusted domains. A ‘reject’ policy is the strongest level of protection an organization has to secure its domains and its brand from email spoofing attacks. Fully implementing a DMARC ‘reject’ policy at a rapid pace is important to the organization, as well as to any DMARC solution provider. However, not every organization is the same when it comes to its internal and third-party email sending infrastructures. Scale and flexibility are important aspects of every email authentication project. For example, if a 3rd-party sender is added or removed, you need a DMARC implementation plan in place to account for that change.
DMARC ‘quarantine’ can come with significant risk
Although ‘reject’ is the ideal DMARC policy in terms of protection, some organizations may choose to enforce a ‘quarantine’ policy and remain at that level of enforcement going forward. There are legitimate legal reasons why organizations in specific industries choose to do this. However, some advocate treating a ‘quarantine’ policy as a protected state for the organization and moving to it as quickly as possible. This comes with several downsides. Most notably, it still leaves your employees, customers, and business partners exposed to identity deception attacks. Unlike with a ‘reject’ policy, suspicious messages are still delivered, albeit to the spam folder. But many people still check their spam folder to find legitimate messages that were erroneously placed there. Threat actors have been known to use this to their advantage. For example, they may send emails stating that ‘their messages have been known to end up in the spam folder lately’ in order to appear legitimate.
Have you closed the feedback loop?
When looking to implement DMARC email authentication, it’s important that you notify various stakeholders outside of your email security and messaging groups. Take a common situation – a customer or business partner calls in to a service department and complains that they are no longer receiving messages from your organization. If DMARC is implemented haphazardly, notifying these organizational stakeholders likely isn’t part of the DMARC implementation plan. This lack of communication could lead to increased customer service communication times, delayed notification of issues, and escalation of potential problems to senior management. On the flip side, a responsible DMARC implementation would involve 3rd-party senders as well as these stakeholders throughout the process – giving them a feedback loop to troubleshoot any problems that may arise.
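To make the policy differences above concrete (‘reject’ versus ‘quarantine’, the partial coverage a pct tag gives, and whether a feedback loop via aggregate reports is configured at all), here is an added example in Python. It is not code from the original post or from Proofpoint; the DMARC records it parses are constructed samples, and the disposition names are labels chosen for illustration.

```python
# Added example, not the post's code; sample records below are constructed.

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("pct", "100")     # default: policy applies to all mail
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags

def disposition(tags, spf_aligned, dkim_aligned, subdomain=False):
    """Receiver action for a message the policy is applied to. DMARC passes
    when either aligned SPF or aligned DKIM passes (pct sampling not modelled)."""
    if spf_aligned or dkim_aligned:
        return "deliver"
    policy = tags["sp"] if subdomain else tags["p"]
    if policy == "none":
        return "deliver"          # monitor only
    if policy == "quarantine":
        return "deliver-to-spam"  # still reaches the mailbox
    return "reject"               # refused at SMTP time

def readiness_issues(tags):
    """Gaps to close before calling the domain protected."""
    issues = []
    if tags["p"] != "reject":
        issues.append(f"p={tags['p']}: failing mail still reaches the mailbox")
    if tags["sp"] != "reject":
        issues.append(f"sp={tags['sp']}: subdomains weaker than the org domain")
    if int(tags["pct"]) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= tag: no aggregate-report feedback loop")
    return issues

# Constructed records (not any real domain's record) for illustration.
SAMPLES = {
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "monitor": "v=DMARC1; p=none",
}
```

Running `readiness_issues` against your own published `_dmarc.<domain>` TXT record shows which of the rollout gaps discussed in this post still apply.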
Regardless of where you are in your DMARC implementation journey, it’s crucial to balance speed and responsibility to properly authenticate email. Proofpoint Email Fraud Defence provides visibility, tools, and the most experienced service consultants in the industry to help organizations implement and continually manage their DMARC deployment. This ensures that the DMARC implementation project is not only completed as quickly as possible, but also done the right way.
Learn more about how to defend your organization against email fraud in our latest guide.