OpaCyber

There's a right way to do it, and a wrong way

"What?"


Implementing DMARC for email security to protect yourself and others. Here are two examples: one done correctly, the other not so much!


(Just a reminder: DMARC is what tells receiving email systems what to do with emails that don't meet the authorisation settings you have published. Or, as we put it previously, "We like to think of DMARC as Robocop, but with less violence 🤭". Link to that post here: https://www.opacyber.com/post/why-your-outbound-email-security-sucks-and-what-you-can-do-about-it-part-4 )


Example 1️⃣ came as something of a surprise as it affected one of our own email domains! This particular domain is mostly used for testing, so it doesn't receive much email in the normal way. However, that didn't stop it receiving several phishing emails, one of which WAS TRYING TO IMPERSONATE (spoof) THE DOMAIN and contained a classic social engineering red flag, urgency ("your account has been de-activated").



Several things wrong here:

  1. The "sender" is "administrator@", which is not a real mailbox but an alias, so it can't send emails.

  2. If it were a genuine internal email it wouldn't pass through an external spam filter at all, as it would never leave MS Exchange (internal-to-internal email).

  3. It was a spoofed email, as can be seen in the email header:



The most important thing: because DMARC is set up correctly, this email failed authentication and therefore wasn't delivered to an inbox. Your organisation might not be in such a good place, which brings us to:


Example 2️⃣ was an email to one of our clients. Again this was stopped by a spam filter, but not all organisations have one of those.


In this case it was an email spoofing a VERY large organisation, and a quite normal type of request in that industry: an RFQ (request for quotation). If that had landed in an inbox it wouldn't have been out of the ordinary, and we bet that clicking on one of those Excel attachments wouldn't have been a good thing:



Fortunately, again, a spam filter stopped this as the email failed both SPF and DKIM, but that wouldn't happen at all organisations. Also, again, looking at the email header shows it is not coming from where it is pretending to come from.
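Both examples come down to reading the headers that the receiving mail server stamps on a message: the Authentication-Results line with the SPF, DKIM and DMARC verdicts, and the topmost Received line with the IP address that actually connected. The script below is an added example (our own illustration, not code from OpaCyber's post or from any spam filter product) that does that reading with the Python standard library. The message it parses is constructed for the example, using the reserved domain example.com and an IP from the documentation range, and mirrors the "administrator@" spoof in Example 1.

```python
"""Read a message's authentication headers the way a spam filter does.

Added example, not OpaCyber's code. Standard library only. The message is
constructed for illustration: example.com is a reserved domain and
203.0.113.5 is from the RFC 5737 documentation range.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the "administrator@" alias of example.com is spoofed from
# an outside host, and the receiving MX has recorded SPF/DKIM/DMARC failures.
SAMPLE_MESSAGE = """\
Received: from relay.badhost.example (relay.badhost.example [203.0.113.5])
        by mx.example.com with ESMTP id ex4mpl3; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.example.com;
        spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com;
        dkim=none (message not signed) header.d=none;
        dmarc=fail action=reject header.from=example.com
From: IT Support <administrator@example.com>
To: someone@example.com
Subject: Your account has been de-activated
Content-Type: text/plain; charset=us-ascii

Your account has been de-activated. Log in within 24 hours to restore access.
"""

# method=result pairs inside Authentication-Results (RFC 8601 syntax)
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# the connecting address that an MTA records in square brackets in Received:
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_auth_results(raw_message: str) -> dict:
    """Extract the From: domain, the IP recorded by the first receiving hop,
    and the SPF/DKIM/DMARC verdicts from the Authentication-Results header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # The topmost Received: header was added by our own MX, so the bracketed IP
    # there is the host that actually connected to us, whatever From: claims.
    received = msg.get_all("Received") or []
    ip_match = BRACKETED_IP_RE.search(str(received[0])) if received else None

    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results") or []:
        for method, result in AUTH_RESULT_RE.findall(str(header)):
            verdicts[method.lower()] = result.lower()

    return {
        "from_domain": from_domain,
        "connecting_ip": ip_match.group(1) if ip_match else None,
        **verdicts,
    }


def red_flags(results: dict) -> list:
    """Turn the parsed verdicts into the reasons a filter would distrust the mail."""
    flags = []
    if results["spf"] != "pass":
        flags.append("SPF did not pass: the connecting host is not authorised for the domain")
    if results["dkim"] != "pass":
        flags.append("DKIM did not pass: no valid signature from the claimed domain")
    if results["dmarc"] != "pass":
        flags.append("DMARC failed: the visible From: domain is not authenticated")
    return flags


if __name__ == "__main__":
    parsed = parse_auth_results(SAMPLE_MESSAGE)
    print(f"From domain: {parsed['from_domain']}, connecting IP: {parsed['connecting_ip']}")
    for flag in red_flags(parsed):
        print(" -", flag)
```

Run it on a saved .eml file by passing the file's text to parse_auth_results(); the point to take from the output is that the From: domain says one thing while the connecting IP and the three verdicts say another, which is exactly what the screenshots in both examples show.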


The problem here is that, despite being a multi-billion dollar company, it hasn't managed to set up DMARC correctly:



Having a DMARC policy set to none (p=none) is the same as not having a policy at all. In fact it may even be worse. The policy should at least be quarantine (p=quarantine) and preferably reject (p=reject). That way the spoofed email wouldn't be a threat, because receivers that enforce DMARC would quarantine or reject it.
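The difference between the two policies is a single tag in the TXT record published at _dmarc.<your-domain>. The script below is an added example (not OpaCyber's code, and not a real organisation's record) that parses such a record and reports the weaknesses a practitioner would flag: the p=none seen in Example 2, a subdomain policy (sp) weaker than the main policy, a pct below 100, and a missing rua address. The two records are constructed for the example; in practice you would fetch the live record (for instance with `dig TXT _dmarc.example.com`) and pass its text to assess().

```python
"""Assess a published DMARC record's policy.

Added example, not OpaCyber's code. The two records below are constructed;
the "weak" one is the monitoring-only setup criticised in the post, the
"strong" one is what an enforcing policy looks like.
"""

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-reports@example.com"
)

# Ordering used to compare the domain policy with the subdomain policy.
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def effective_policy(record: str, subdomain: bool = False) -> str:
    """Policy a receiver applies to a message that fails DMARC for the domain
    itself, or for one of its subdomains (the sp tag defaults to p)."""
    tags = parse_dmarc(record)
    pol = tags.get("p", "none").lower()
    if subdomain:
        pol = tags.get("sp", pol).lower()
    return pol if pol in POLICY_STRENGTH else "none"


def assess(record: str) -> list:
    """Return the weaknesses a practitioner would flag in the record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: missing or wrong 'v' tag"]

    findings = []
    pol = effective_policy(record)
    if pol == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif pol == "quarantine":
        findings.append("p=quarantine: acceptable, but p=reject is preferred")

    sub_pol = effective_policy(record, subdomain=True)
    if POLICY_STRENGTH[sub_pol] < POLICY_STRENGTH[pol]:
        findings.append(f"sp={sub_pol}: subdomains get a weaker policy than the main domain")

    # pct only applies to quarantine/reject; anything below 100 leaves a share
    # of failing mail treated under the next weaker policy.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pol != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")

    if "rua" not in tags:
        findings.append("no rua tag: you get no aggregate reports on who is spoofing you")
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{label}: effective policy = {effective_policy(record)}")
        for finding in assess(record) or ["no findings"]:
            print("  -", finding)
```

Moving from p=none to p=reject is usually done in stages (none, then quarantine, then reject, watching the rua reports between each step) so that legitimate mail sent on your behalf by third-party services is authorised before enforcement starts.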


This organisation is not helping the world-wide problem of email phishing, and if the email had arrived and caused a breach I think the recipient would be quite justified in calling it out and maybe denting the spoofed organisation's reputation a bit.


DMARC is a critical component of email security. A shame, then, that so many organisations can't do it correctly.


(but if you want help, we're here 😊)
