DMARC: Is It Really a Solution to the Spoofing and Phishing Problem?

Spoofing and phishing, the practice in which criminals send e-mails masquerading as a trusted source in order to obtain users’ credentials or install malware on the victim’s computer, has long plagued financial institutions, the healthcare industry, law firms and others. The concept is simple: an e-mail is sent that appears to the recipient to come from an individual or entity it knows and trusts. The user opens the message and follows the instructions in it. That may mean downloading and opening an attachment, which often contains a virus that installs itself on the victim’s computer, records keystrokes (including the user’s login credentials for various Web sites or for the computer itself), replicates itself throughout the user’s network, potentially infecting an unlimited number of machines, acts as a gateway for other attacks, and more. Or the e-mail may warn users that their bank accounts have been compromised and that they need to reset their account passwords. The user is then directed, via a link in the e-mail, to the attacker’s Web site, which is made to look like the login portal of the user’s bank. Users then log in with their account credentials, and the attacker now has the information it needs to raid the user’s account.

Over the years, tech companies have developed strategies to combat spoofing and phishing. First came Sender Policy Framework (SPF), which was intended to validate the message envelope. The concept of SPF originated in 2000 and by 2006 it became an Internet standard. Then came DomainKeys Identified Mail (DKIM) between 2004 and 2011, to provide validation of the message contents. Now we have Domain-based Message Authentication, Reporting and Conformance (DMARC), which was developed between 2007 and 2015 and was intended to overcome the limitations of SPF and DKIM (see Overview).

If you talk to many companies implementing DMARC, you’d think that it was a solution to the spoofing and phishing problem and that there is no longer anything to worry about in that area, either for their employees or customers. But this belief is premature, for the following reasons:

    1. DMARC, like its predecessors SPF and DKIM, requires implementation by both the sender’s and the recipient’s mail service providers (MSPs).

Although the major MSPs have gotten behind DMARC and implemented it, as they did with SPF and DKIM earlier, there are still many organizations and individuals, both within the enterprise and outside it, whose mail is handled by non-DMARC-compliant servers, for one reason or another. And let’s face it: how likely is it that an attacker is going to use DMARC-compliant mail servers when sending a spoofed message?

    2. Mail clients generally display only the purported message sender name, not the e-mail address.

This is a more serious problem, and it isn’t addressed easily. When you or I send an e-mail message, we can identify ourselves in any way we want: by our real name, by a nickname or even as Wells Fargo Online. For example, here’s an e-mail message I sent to myself:

[Screenshot: Spoof demo]

If you select the link labeled “wellsfargo.com”, you’ll be taken to a bogus Web site, www.spoofersrus.com, which can easily be made to look like the Wells Fargo login page. Sure, the tech-savvy user on a desktop computer may mouse over the link and notice that it doesn’t really take them to the Wells Fargo login page, but what if they’re reading the message on a mobile device, as over 75% of users now do?
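As an added example (not part of this post, and not ChiaraMail’s code), here is a defender-side check in Python for the two mismatches the demo above relies on: a display name that invokes a brand whose domain does not match the sender address, and visible link text that names a domain different from the link’s real host. The sample message, the brand list and the two-label domain rule are assumptions constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the post): brand in the display name and link text, real address/target elsewhere.
SAMPLE = (
    'From: "Wells Fargo Online" <alerts@spoofersrus.com>\n'
    "To: victim@example.org\nSubject: Your account has been locked\n"
    "Content-Type: text/html\n\n"
    '<p>Please verify your identity at <a href="http://www.spoofersrus.com/login">'
    "wellsfargo.com</a></p>\n"
)
PROTECTED_BRANDS = {"wells fargo": "wellsfargo.com"}  # assumed brand list, not the page's
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registrable(host):
    return ".".join(host.lower().split(".")[-2:])  # crude: last two labels, no public-suffix list

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_spoof_indicators(raw):
    """Return (kind, what the user sees, where it really points) for each mismatch."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr_dom = registrable(addr.rpartition("@")[2])
    hits = []
    # 1) display name invokes a protected brand but the address domain is not that brand's
    for brand, dom in PROTECTED_BRANDS.items():
        if brand in name.lower() and addr_dom != dom:
            hits.append(("display-name", name, addr_dom))
    # 2) visible link text names a domain that differs from the href's host
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown, host = DOMAIN_RE.search(text), urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(host):
            hits.append(("link-text", shown.group(1), host))
    return hits
```

On the sample, both checks fire; the same message with the real address and link host changed to wellsfargo.com yields no indicators.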

Fortunately, there is a solution to this problem and it doesn’t even involve SPF, DKIM or DMARC. ChiaraMail’s Envelope-Content Splitting (ECS) is the only technology that can protect against any kind of spoof attempt; here’s how it works. At the core of ECS is the ChiaraMail content server, which was awarded an “A+” security rating by Qualys SSL Labs, a leading Internet security firm. Compare this with the “A” rating that Apple was given and the “B” for Google.

Consumer-ready, industrial strength. ChiaraMail ECS. Try it today.