
DMARC, the best solution against phishing?


September 1, 2021

Written by Laurent G. and Gyorgy J.

Since its inception at MIT in 1965, email has revolutionized our daily communications, becoming a central collaboration tool and playing an increasingly important role in our personal lives: every day, more than 306 billion emails are sent worldwide!

When it was created, its designers were a million miles away from imagining the cybersecurity challenges we face today.   

Did you know? It is possible to impersonate anyone when sending an email. All you need is a simple SMTP server.

Standardized in 1982 (RFC 821), SMTP (Simple Mail Transfer Protocol) offers no mechanism of its own to verify the identity of an email sender. When you send an email, your email software serializes the message and its attachments into plain text (MIME encoding), connects to the configured SMTP server, announces an envelope sender and recipient, and transmits that text. The server takes what it is given.

As surprising as it may seem, the "sender address" is nothing more than a text field. In fact there are two of them: the envelope sender given in the SMTP MAIL FROM command (the address bounces go to) and the From: header inside the message, which is what the recipient's mail client displays. Plain SMTP checks neither against the other nor against the connecting client; the sender fills in both as it pleases. The SMTP server then simply relays the message to the recipient's server.
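To make the point concrete, here is an added example (not from the original article) that models one SMTP exchange entirely in memory: a tiny receiving-side state machine plus the command sequence a client sends. It shows that the envelope sender (MAIL FROM) and the visible From: header are two independent strings chosen by the client, and that a plain SMTP server records them without any means of checking either. No network is used, and every host name and address is a made-up placeholder.

```python
"""Added example: envelope sender vs. From: header in a plain SMTP exchange.
All addresses and host names below are placeholders (constructed input)."""
from email.message import EmailMessage
from email import message_from_string


class MiniSmtpServer:
    """Receiving side: just enough of RFC 5321 to accept one message in memory."""

    def __init__(self):
        self.envelope_from = None
        self.rcpts = []
        self.data_lines = []
        self.in_data = False
        self.messages = []  # list of (envelope_from, rcpts, raw_message)

    def greet(self):
        return "220 mx.yourcompany.example ESMTP ready"

    def feed(self, line):
        """Consume one client line; return the server reply (None while reading DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                raw = "\r\n".join(self.data_lines) + "\r\n"
                self.messages.append((self.envelope_from, list(self.rcpts), raw))
                self.data_lines = []
                return "250 OK: queued"
            # Undo transparency dot-stuffing (RFC 5321 section 4.5.2).
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.yourcompany.example"
        if verb == "MAIL":
            # The server stores whatever follows FROM: -- plain SMTP gives it
            # no way to check that the client may use this address.
            self.envelope_from = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            self.rcpts.append(arg.split(":", 1)[1].strip("<> "))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"


def client_commands(envelope_from, rcpt, msg):
    """Sending side: the envelope commands, then the message text, dot-stuffed."""
    cmds = ["EHLO attacker-host.example",
            f"MAIL FROM:<{envelope_from}>",
            f"RCPT TO:<{rcpt}>",
            "DATA"]
    for line in msg.as_string().splitlines():
        cmds.append("." + line if line.startswith(".") else line)
    cmds += [".", "QUIT"]
    return cmds


def run_exchange(envelope_from, rcpt, msg):
    """Drive the client commands through the server; return server and transcript."""
    server = MiniSmtpServer()
    transcript = ["S: " + server.greet()]
    for cmd in client_commands(envelope_from, rcpt, msg):
        transcript.append("C: " + cmd)
        reply = server.feed(cmd)
        if reply is not None:
            transcript.append("S: " + reply)
    return server, transcript


def spoof_demo():
    """Constructed case: the From: header claims to be the CEO of the target
    domain while the envelope sender is an address the attacker controls."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@yourcompany.example>"
    msg["To"] = "cfo@yourcompany.example"
    msg["Subject"] = "Urgent transfer"
    msg.set_content("Please wire the funds today.")
    server, transcript = run_exchange("bounce@attacker.example",
                                      "cfo@yourcompany.example", msg)
    envelope_from, _, raw = server.messages[0]
    header_from = message_from_string(raw)["From"]
    return envelope_from, header_from, transcript


if __name__ == "__main__":
    env, hdr, lines = spoof_demo()
    print("\n".join(lines))
    print("envelope sender:", env)  # bounce@attacker.example
    print("visible From:  ", hdr)   # CEO <ceo@yourcompany.example>
```

The point to take from the transcript is that the receiver ends up holding two different sender identities, one from the envelope and one from the headers, and nothing in the dialogue ties either of them to the connecting host. SPF only ever looks at the envelope domain; it is DMARC that finally forces the visible From: domain into the picture.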

Malicious individuals have thus found in email the ideal entry point to exploit the vulnerability that is most difficult to protect against: human error.

Whether targeted impersonation (spear phishing, CEO fraud) or large-scale phishing campaigns, these attacks have one thing in common: they exploit the recipient's inability to confirm the identity of the sender, and therefore the legitimacy of the message, in order to induce an action: clicking on a link to a malicious website, executing a bank transfer, handing over confidential information, etc. Today, it is estimated that more than 9 out of 10 cyberattacks begin with a fraudulent email.

This is the main challenge in securing email: authenticating the sender, given that nearly one in three phishing emails is opened by the intended recipient. User training alone is clearly not enough; technical protections must be put in place.

Rather than completely overhauling SMTP to make it more secure, which would be too complex to implement on a protocol that is already widely deployed, we have seen the emergence of new protocols designed to improve the security of SMTP exchanges. Have you implemented them?

DMARC: the best technical solution for ensuring email legitimacy?

Faced with a surge in email attacks, a group of industry leaders (Microsoft, Yahoo!, Google, PayPal, etc.) created DMARC in 2012; the specification was later published as RFC 7489 (2015). An acronym for Domain-based Message Authentication, Reporting, and Conformance, this technical specification for email authentication has since proven particularly effective against phishing that spoofs a legitimate domain.

DMARC is configured by adding a single DNS TXT record (at _dmarc.yourdomain) to each of your domains. Specifically, it lets you declare that unauthorized senders may not use your domain in the From: header of an email, the address the recipient actually sees. It builds on two earlier mechanisms. SPF is a DNS record listing the servers authorized to send mail for a domain; receivers check it against the envelope sender (MAIL FROM) and the connecting IP address. DKIM is a cryptographic signature added to outgoing messages by the sending server and verified with a public key published in DNS under the signing domain. DMARC adds the missing piece, alignment: an SPF or DKIM pass only counts if the domain it validated matches the From: header domain (exactly in strict mode, or sharing the same organizational domain in relaxed mode). The DMARC record then tells receiving email providers what to do with a message that fails this check: only report it (p=none), quarantine it (p=quarantine) or reject it outright (p=reject). In every case the receiver can send the domain owner aggregate reports (the rua tag) of what it saw, which is the "Reporting" in the name.
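The following is an added example (not code from the original article or from any DMARC implementation) of the evaluation a receiving server performs: it parses the domain owner's DMARC record, checks whether the SPF and DKIM results align with the From: header domain as RFC 7489 describes, and returns the disposition the policy asks for. It goes slightly beyond the paragraph by also covering the subdomain policy (sp) and strict versus relaxed alignment. The organizational-domain lookup is a deliberate simplification (the last two labels) in place of the Public Suffix List that real validators use, and every domain is a placeholder.

```python
"""Added example: DMARC alignment and disposition as a receiver computes them.
Simplified from RFC 7489; all domains below are constructed placeholders."""


def parse_dmarc_record(txt):
    """Parse the TXT record found at _dmarc.<domain>, e.g.
    'v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:...'.
    Defaults follow RFC 7489: relaxed alignment, sp inherits p, pct=100."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain. SIMPLIFICATION: last two labels only; a real
    validator consults the Public Suffix List so that 'example.co.uk' works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the domain validated by SPF or DKIM align with the From: domain?
    mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record_txt, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain is
    the d= tag of a signature that verified. Results are 'pass', 'fail' or 'none'."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Record found at the organizational domain while From: is a subdomain: sp applies.
    # pct < 100 would randomly downgrade the action; ignored here to stay deterministic.
    policy = rec["sp"] if from_domain.lower() != record_domain.lower() else rec["p"]
    return "fail", policy


# Constructed record for the placeholder domain.
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@yourcompany.example"


def scenarios():
    """Constructed cases; all domains and addresses are placeholders."""
    return {
        # Marketing tool sends with its own bounce domain (SPF not aligned) but
        # signs with the customer's DKIM key: DKIM alignment alone is enough.
        "legit_via_provider": evaluate_dmarc(
            RECORD, "yourcompany.example", "yourcompany.example",
            "pass", "bounce.mailprovider.example", "pass", "yourcompany.example"),
        # Spoofer: SPF passes for the attacker's own envelope domain, no DKIM
        # for the From: domain, so nothing aligns and p=reject applies.
        "spoofed_from": evaluate_dmarc(
            RECORD, "yourcompany.example", "yourcompany.example",
            "pass", "attacker.example", "none", ""),
        # Made-up subdomain in From:, no alignment: the sp=quarantine policy applies.
        "spoofed_subdomain": evaluate_dmarc(
            RECORD, "yourcompany.example", "hr.yourcompany.example",
            "pass", "attacker.example", "none", ""),
        # Newsletter subdomain with SPF for the parent domain: relaxed alignment passes.
        "subdomain_relaxed": evaluate_dmarc(
            RECORD, "yourcompany.example", "news.yourcompany.example",
            "pass", "yourcompany.example", "none", ""),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

The "legit_via_provider" case is the one that bites most organizations: a third-party sending service typically uses its own envelope domain for bounce handling, so SPF alone never aligns with your From: domain, and only a DKIM signature under your domain keeps that mail deliverable once you move to p=reject.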

Building on this success, DMARC has established itself as an essential security control, and many email providers and spam filters now treat unauthenticated mail with suspicion, if not outright rejection. Implementing DMARC therefore brings a second benefit to your organization: it reduces the risk of emails from your domain (your marketing campaigns in particular) being classified as spam and contributes to your domain's sender reputation.

Towards widespread implementation of DMARC

The US Department of Homeland Security (DHS) issued Binding Operational Directive 18-01 in 2017, requiring federal civilian agencies to implement DMARC, with a reject policy, by 2018. DMARC is also widely used in Europe: in the United Kingdom, the Government Digital Service (GDS) has mandated it for government domains, as has the Netherlands, where "all Dutch governments must implement a strict DMARC policy by the end of 2019." After public organizations, it is now the turn of businesses to make the switch to DMARC.

Implementing DMARC requires preliminary work to build a "whitelist" of authorized sending servers, in order to avoid blocking legitimate emails sent on your behalf, often by systems outside your organization. One very important point: most of your company's emails may not originate from your corporate mail server (Exchange, Microsoft 365 or similar) at all, but may be commercial emails, marketing emails, informational and survey emails, notifications from your internal applications or third-party tools, cloud services, etc. Each of these senders must either be listed in your SPF record or sign with a DKIM key under your domain.

When implementing DMARC, it is therefore essential to work with all stakeholders in your organization to understand their business needs, rethink email sending options, reconfigure solutions, consider changing tools, migrate to new subdomains, etc. This is a major undertaking in itself, which goes beyond the simple technical dimension and must encompass all uses within your organization.

Once you have compiled a list of legitimate senders, it is time to activate DMARC by publishing the record on your domain. In practice this is done in stages: start in monitoring mode (p=none) with aggregate reports enabled, review the reports until every legitimate sender shows up as aligned, then move to p=quarantine and finally p=reject. Going straight to reject before the reports are clean is the surest way to block your own mail.

From that moment on, any receiver that enforces DMARC will block or quarantine mail that uses @yourcompany.com in the From: header without being authorized, which shuts the door on the spoofed emails, phishing emails and email scams that trade on your exact domain name. Your own emails will be authenticated natively. Two caveats a practitioner should keep in mind: DMARC only covers the domains you publish a policy for, so lookalike domains and display-name tricks (a familiar name in front of an unrelated address) still get through, and it does nothing against mail sent from a legitimate account that has been compromised, since that mail authenticates correctly. It also only takes effect at receivers that check DMARC, which is why widespread adoption matters.

With more than 100,000 new DMARC activations each month, the trend is toward widespread adoption, with growth of nearly 50% in 2020. We have seen a significant decrease in the open rate of phishing emails among the customers we have supported on this issue, and therefore a reduction in the risk of compromise. 

To draw a comparison with current events, we can consider that, like a vaccination campaign, the systematic implementation of DMARC by organizations and email service providers will bring us closer to herd immunity against malicious emails...