Healthcare Can Improve Cybersecurity Posture With DMARC Email Authentication

November 07, 2017
Craig Huitema
Proofpoint cybersecurity for healthcare

We authenticate everything we need to trust in IT. Except email. This is part of the reason email is the number one threat vector in healthcare, as well as basically every type of organization. There is an obvious way to combat this, and it’s called the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard.

Some leading healthcare organizations, innovative companies in other industries, and the Federal Government are using, and in the case of the government, requiring use of DMARC to create more secure environments. So, why is DMARC necessary, what is it, and how do you implement it?

Why is DMARC Necessary?

“SMTP mail is inherently insecure…” This is stated in clear technical terms in the email specification, RFC 2821. The fact is manifested in economic terms as well: the FBI states that $5.3 Billion has been lost to business email compromise in the past three years. As a result of these and other factors, the Department of Homeland Security (DHS) issued Binding Operational Directive 18-01, mandating that federal agencies implement DMARC email authentication by October 2018. Read more about it here. The Federal government action is a requirement, whereas the healthcare action is a recommendation, but both seek the same goal of increasing the security posture of their respective environments.

What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC allows email senders to tell email receivers how to handle unauthenticated email from their domain, and to collect intelligence on how bad actors are using and abusing that domain, delivered as reports reflecting this activity. The bottom line is that DMARC grants you exclusive use of your own domain, rather than allowing others, i.e. bad actors, to use it for malicious purposes.

It’s important to note that DMARC can be implemented such that the policy exists in one of three different modes:

  • “None” – provides reports, to give insight and identify legitimate email, but takes no action;
  • “Quarantine” – all email failing authentication is sent to a junk folder; and
  • “Reject” – all email failing authentication is blocked.

It is relatively easy to get to “none,” and while the reports start you on the journey towards authenticated email, no action is taken, so you are not any more secure. Getting to “reject” is the goal, because unauthenticated email is blocked and spoofing of your domain is addressed. You can quickly check your DMARC status or (not quite as quickly) create a DMARC record.

How do you implement DMARC?

Getting to “reject” can be challenging because email fraud is based on identity deception, and most organizations have many partners that engage in what is essentially legitimate identity deception, e.g. using a marketing company to send on their behalf (think Marketo, etc.). Furthermore, these partners are constantly changing. Consequently, distinguishing legitimate from illegitimate senders using your domain is one of many challenges in getting to “reject” while blocking only bad email.

There is a high risk of blocking legitimate email if this is not done correctly. So, it’s a good idea to ensure you have strong visibility into failures, understand which email is and is not legitimate, and ideally have someone with experience doing this, before moving to “reject.”
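To make the three policy modes and the third-party sender problem concrete, here is an added example (not Proofpoint code, and not part of the original post) that parses a DMARC TXT record in the RFC 7489 tag=value syntax and applies its policy to a message given the SPF and DKIM results a receiving mail server would already hold. The domains, records and messages (hospital.example, vendor.example, attacker.example) are constructed for the example; the relaxed alignment check is simplified to a parent/child domain relationship rather than the public-suffix-list lookup the RFC specifies, and tags such as pct and sp are not handled.

```python
"""Illustrative DMARC policy evaluator (added example, not Proofpoint code).

Parses a DMARC TXT record in RFC 7489 tag=value syntax and applies its
published policy (p=none / quarantine / reject) to a message, given the
SPF and DKIM results a receiver would already have computed.  Records,
domains and messages below are constructed for this example.
"""
from dataclasses import dataclass

VALID_POLICIES = ("none", "quarantine", "reject")
# What a receiver does with a DMARC-failing message under each policy.
POLICY_ACTION = {"none": "deliver", "quarantine": "junk", "reject": "block"}


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment between an SPF/DKIM domain and the From: domain.

    's' (strict) requires an exact match.  'r' (relaxed) is simplified here
    to a parent/child relationship; RFC 7489 actually compares organizational
    domains using the public suffix list, which this example omits.
    """
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


@dataclass
class Message:
    from_domain: str   # domain in the RFC5322.From header, what the user sees
    spf_pass: bool     # SPF result for the envelope MAIL FROM domain
    spf_domain: str
    dkim_pass: bool    # whether a DKIM signature verified
    dkim_domain: str   # the d= tag of that signature


def evaluate(record: str, msg: Message) -> tuple:
    """Return (dmarc_result, receiver_action) for msg under the record."""
    tags = parse_dmarc_record(record)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", POLICY_ACTION[tags["p"]]


# --- constructed sample data (hypothetical domains) -----------------------
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@hospital.example"
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hospital.example"

# Mail from the organization's own servers: SPF and DKIM both aligned.
LEGIT = Message("hospital.example", True, "hospital.example", True, "hospital.example")
# A marketing vendor sending "as" the hospital but authenticating only its
# own domain: a legitimate sender, yet unaligned, so DMARC fails.
VENDOR = Message("hospital.example", True, "mail.vendor.example", True, "vendor.example")
# A spoofed message: neither SPF nor DKIM passes.
SPOOF = Message("hospital.example", False, "attacker.example", False, "")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("vendor", VENDOR), ("spoof", SPOOF)):
        for label, rec in (("p=none", RECORD_NONE), ("p=reject", RECORD_REJECT)):
            print(f"{name:7s} {label:9s} -> {evaluate(rec, msg)}")
```

Running the script shows why the article says “none” adds no security (the spoof is still delivered, it is merely reported) and why moving to “reject” needs visibility first: the vendor message is blocked too until the vendor is made to authenticate in alignment with your domain, for instance by signing with a DKIM key published under hospital.example, at which point the same evaluator returns a pass.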

Proofpoint Email Fraud Solutions – DMARC & Beyond

Proofpoint provides the product and the people to get you to DMARC “reject” and to eliminate domain spoofing as a phishing technique for patients and consumers.

If you would like to go beyond protecting your patients and consumers and also protect your employees and partners, that requires more than DMARC: deep integration between your email gateway and your DMARC solution. Furthermore, DMARC stops threats from domains you own, but the attack surface extends beyond brand-owned domains. As a result, you also need to stop threats from domains you do not own, i.e. lookalike domains registered to impersonate you and be used against you, your partners and your consumers. Proofpoint has a unique solution that can help with all of this.

In summary, the more healthcare organizations implement DMARC “reject” policy, the more secure healthcare will be. To get a free DMARC assessment, to understand your potential risk exposure, and learn how DMARC email authentication can help you prevent email fraud, please visit: https://www.proofpoint.com/us/dmarc-assessment