How DMARC works to protect companies — and elections (video)
TechRepublic recently published an article plus a short, 6-minute video that explains exactly how DMARC works and why it’s needed to protect companies, organizations, and even presidential campaigns.
Lance Whitney, a writer for TechRepublic, spoke with Karen Roby about how email spoofing works, how devastating it can be, and why there’s cause for hope in the email security posture of the majority of presidential campaigns.
It’s a lucid, accessible explanation of the threat of email spoofing — and the power of DMARC to stop it.
How email spoofing happens
Scammers often trick people into opening their junk emails by spoofing the From address with a domain that looks like a trusted company name, as Karen explains in the video.
“This type of spoofing can affect any company … and of course presidential campaigns,” Lance said.
“If you receive an email that looks like it comes from a legitimate company, organization, or campaign, you’re probably going to pay more attention to it than if it came from a generic domain.”
Lance goes on:
“Fortunately there is a tool out there that any organization can use to protect itself from this kind of spoofing, and it’s called DMARC.”
What DMARC does
“What DMARC does is provide a way to authenticate the actual sender’s domain, to see if it’s authorized and approved by the real domain holder. And if not, then the email is tagged as spam.”
Valimail recently analyzed presidential campaigns’ domains and found that of the 15 then-current campaigns, eight were fully protected by DMARC at enforcement. Today, there are 10 active campaigns (eight Democrats and two Republicans), and all but three are protected by DMARC at enforcement.
If campaigns aren't using this type of protection, Lance explains, cybercriminals can exploit the spoofing gap in several ways. For instance, a hacker could send out a negative email that appears to come from the campaign but contains offensive or objectionable content that might discredit the campaign in the minds of recipients.
Another possibility is that hackers could spoof the domain to send messages to potential donors, redirecting their contributions to a bogus donation site so that the donated money ends up in the hackers' hands.
DMARC is for everyone
“Besides presidential campaigns, companies can also benefit from this type of protection,” says Karen.
Indeed, DMARC is a freely available standard that anyone can set up for their domain, Lance explains. It lets domain owners authorize the senders that may send email on their behalf; any email from a sender that isn't on that authorized list is kept out of the end user's inbox.
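To make "authorized senders" and "at enforcement" concrete, here is an added example (not code from the TechRepublic article or the video) of the decision a receiving mail server makes when it applies a domain's DMARC record. The records, domain names and the simplified organizational-domain rule are constructed for illustration, and the SPF and DKIM verdicts are assumed to have been computed already.

```python
# Added example (not from the article or video): how a receiving mail server
# applies a domain's DMARC record. Records and domains are constructed; the
# SPF and DKIM verdicts are assumed to have been computed already.

def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match with the From domain; relaxed ('r') only
    the same organizational domain. A mechanism that did not pass never aligns."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain):
    """'pass' if an aligned SPF or DKIM identifier authenticated the message,
    else the owner's requested action: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags.get("aspf", "r")):
        return "pass"
    if aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r")):
        return "pass"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]  # subdomains may carry their own policy
    return policy.lower()

def at_enforcement(record):
    """'At enforcement' in the post's sense: p=quarantine or p=reject."""
    return parse_dmarc(record).get("p", "none").lower() in ("quarantine", "reject")

# Constructed records: monitor-only versus enforcing with strict DKIM alignment.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r"
```

A spoofed From: example.com message whose SPF passed only for the sender's own envelope domain evaluates to "reject" under ENFORCING but to "none" under MONITOR_ONLY, which is why a p=none record alone keeps nothing out of the inbox.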
Lance notes that DMARC is not fully supported by email receivers throughout the world, but the reality is that 80% of all inboxes support and enforce DMARC policies for inbound email. That includes 100% of major U.S. providers, such as Gmail, Yahoo Mail, AOL Mail, Microsoft Office 365 and Outlook.com, and more.