Enterprise Domain Email Spoofing — Are You Protected?
Flaws in email security are among the leading causes of cybersecurity incidents for many organizations. Whether it’s ransomware, business email compromise (BEC) attacks, or a spear-phishing email that leads to cyber criminals gaining access to sensitive data, email is the common denominator.
While there are many types of email attacks, unauthenticated email domains which allow bad actors to impersonate a person or an organization are an especially devious and difficult-to-detect vector used by many phishers. One email is all that is needed to launch a devastating and highly sophisticated cyberattack.
Risks of unauthenticated enterprise email domains
There are many inherent risks associated with unauthenticated domains, but the biggest one is the risk of email attacks that appear to be coming from a sender in your organization. Such emails might be directed at your employees, or they could be sent to customers, partners, or other members of the public. These attacks often pass through undetected by the content filtering technologies used in secure email gateways. Why? Because there is typically nothing in the content of the email itself, such as malware, links, or attachments, to trigger the gateway. And, because these messages contain your organization’s exact domain in the “From” field, they can be very difficult for humans to detect, as well.
Beyond phishing, attacks sent from unauthenticated domains also impact the organization’s email deliverability. If receivers detect a large volume of fakes coming from a domain, they will downgrade that domain’s reputation, affecting legitimate email as well. In some cases, this can be bad enough to stop virtually all legitimate email sent from that domain.
The importance of DMARC enforcement
If you’re reading along and wondering what you can do to secure your email domain, the answer is simple – implement email authentication with Domain-based Message Authentication, Reporting and Conformance (DMARC).
Your organization may have already implemented Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), two email authentication methods that DMARC builds upon. DMARC relies on and extends the benefits of SPF and DKIM and can eliminate exact-domain phishing and prevent brand and executive impersonation attacks.
A key benefit of DMARC is that it gives domain owners the ability to specify a policy for how they’d like receivers to handle email messages that fail authentication. The enforcement policy allows domain owners to tell email receivers to put unauthenticated messages in the spam folder or reject them entirely — effectively blocking impersonators.
When a DMARC record is set to a policy of reject or quarantine — what we refer to as being at enforcement — it is the most efficient and effective deterrent of impersonation-based attacks. Enforcement is critical: Having a DMARC record without enforcement is like putting a bouncer at the front door who checks everyone’s ID — but then lets everyone in regardless of whether they’re on the guest list or not.
How Valimail helps you reach enforcement in weeks – not months or years
While DMARC implementation is a critical security measure, there are some significant pitfalls many companies face on their journey to DMARC enforcement. Trying to configure DMARC, SPF, and DKIM is time-consuming, frustrating, and difficult to do manually. That’s why it typically takes months or even years for most organizations.
Valimail offers a simple and easy-to-manage process to get your domain to DMARC enforcement, and to do so quickly.
- First, you do a single DNS update to point your DMARC record to the Valimail Cloud.
- In Valimail’s interactive interface, email sending services are listed by name, not IP address, simplifying identification, and management. We make this identification more completely and more accurately than any other provider in the market. You can easily select the sending services that you want to allow to send as your domain. If you decide to add or remove a sending service or change a vendor, click the drop-down menu, and make the change.
- Once you’ve whitelisted all the senders that should be able to use your domain, you’re ready to move to enforcement. Again, with Valimail’s point-and-click interface, this is a simple selection — no DNS updates are required.
Valimail will leverage any of the work you’ve already done towards DMARC enforcement so that you won’t start all over again. And unlike other solutions, 90% of Valimail’s customers reach enforcement in less than four months. An in-house IT professional typically spends less than 20% of their time in the process of getting to DMARC enforcement with Valimail. Once at DMARC enforcement, that time drops to almost zero.
Ready to start on a winning path towards DMARC enforcement? Drop us a quick note, and we’d be happy to help.