Jeff Orr's Analyst Perspectives

Red Sift Stops Phishing and Domain Cloning at the DMARC

Written by Jeff Orr | Aug 15, 2023 10:00:00 AM

Enterprise organizations remain vulnerable to a host of security attacks. Cyberattacks are often associated with techniques that have never been seen before, which lead to data breaches if not quickly detected and remediated. However, one of the most common vulnerabilities for an organization is phishing. Phishing lures people to give up confidential information by clicking on a link or opening a file in an email from what appears to be a trusted source but is actually a bad actor. Unfortunately, this type of social engineering tactic only requires one mistake to compromise credentials or gain access to data. The technology to stop phishing attacks and email domain spoofing is readily available but overlooked all too often. 

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are three global standards for email authentication that help prevent spammers, phishers and other unauthorized parties from sending emails on behalf of a web domain they do not own. 

SPF is a way for a domain to list all the servers from which it sends emails. The SPF record lists the IP addresses of all the servers allowed to send email for the domain. Mail servers receiving an email message check the sending server's IP address against the SPF record before delivering the message to the recipient’s inbox.

DKIM enables domain owners to automatically “sign” emails from their domain. The DKIM digital “signature” uses cryptography to verify that the email originated from the domain. 

DMARC tells receiving email servers what to do with messages from domains that fail SPF or DKIM checks. A domain’s DMARC policy determines the action taken: it can instruct mail servers to quarantine failed emails, to reject them, or to deliver them anyway. DMARC policies are stored in DMARC records. Using DMARC with SPF and DKIM gives organizations more protection against spoofing and phishing. Together, these three standards provide a powerful defense against phishing attacks.

Red Sift is a software vendor seeking to address the awareness and configuration challenges associated with DMARC. The vendor’s OnDMARC product was launched to implement DMARC without manual trial and error. The product was expanded a year later to enable organizations to check their domain’s SPF, DKIM and DMARC setup for functionality and accuracy. 

In 2021, Red Sift partnered with identity vendor Entrust. Red Sift launched an end-to-end BIMI (Brand Indicators for Message Identification) approach, allowing organizations to attach their registered logo to every DMARC-authenticated email they send. As consumers, we’re familiar with BIMI from the logos of email senders appearing in the Gmail inbox. Those emails have been authenticated as coming from the sender associated with that brand mark. 

Digital protection of systems and workers is a function that resides with the organization’s security team. However, these email protection standards are part of the internet and networking architecture usually found within the IT team’s management. Successful security practices require coordination and cooperation between the cyber and IT teams. Ventana Research asserts that through 2025, ineffective relationships between the IT and security teams will contribute to 3 in 5 organizations experiencing access and authentication vulnerabilities. 

A leading reason why organizations may not implement these email protection standards is that implementing DMARC can be technically challenging. The details of implementing DMARC are not widely understood, and it contains some subtleties that many messaging professionals are not familiar with. For a message to pass DMARC validation, that message must first pass either SPF or DKIM, but with an added twist — the domain used in the SPF or DKIM validation check must be aligned with the domain in the visible “From” email header. The OnDMARC product interface identifies all email senders within a domain, recommends the appropriate configuration and tracks changes over time. As with most cloud applications that present their own interface for status and settings, some organizations will have policies favoring their own “single pane of glass” dashboards to minimize risk from external vulnerabilities. Red Sift should strive to offer APIs for data-exchange practices and greater compatibility with existing management stacks across organizations. 
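The following is an added example (not Red Sift's or OnDMARC's code) that works through the mechanics described above and the alignment "twist" in this paragraph: it parses a constructed DMARC record for a hypothetical domain example.com and evaluates, the way a receiving server does, whether an SPF or DKIM pass is aligned with the visible From domain under strict or relaxed alignment, returning the policy action otherwise. The organizational-domain rule is simplified to the last two labels; real receivers consult the Public Suffix List.

```python
# Added example, not code from the original post: DMARC alignment evaluation for one message.
# Constructed sample DMARC TXT record for the hypothetical domain example.com.
DMARC_TXT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record (needs v=DMARC1 and a p= policy)")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts a shared organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass' or the record's policy action (none/quarantine/reject) for one message.
    spf_pass_domain: MAIL FROM domain for which SPF passed, or None if SPF did not pass.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None if none did."""
    tags = parse_dmarc(record_txt)
    spf_aligned = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    # DMARC passes only if at least one passing check is aligned with the visible From: domain
    return "pass" if spf_aligned or dkim_aligned else tags["p"]


if __name__ == "__main__":
    # legitimate mail: DKIM signed by the From: domain itself, so strict adkim is satisfied
    print(dmarc_result(DMARC_TXT, "example.com", dkim_pass_domain="example.com"))            # pass
    # legitimate bulk sender: SPF passes for a bounce subdomain, accepted under relaxed aspf
    print(dmarc_result(DMARC_TXT, "example.com", spf_pass_domain="bounce.example.com"))      # pass
    # the twist: SPF passes for the sending party's own domain, but it is not aligned with From:
    print(dmarc_result(DMARC_TXT, "example.com", spf_pass_domain="newsletter-service.test")) # reject
```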

Organizations looking to reduce or eliminate email domain spoofing, regardless of size or number of workers, should implement the DMARC record and policy. Expediting the process to enable DMARC and increasing the likelihood that it is configured correctly requires specialized software to identify all the senders in the domain and prescribe the right implementation. I recommend that any organization considering tools and services to improve the security posture of its domains against spoofing and phishing attacks include Red Sift in the evaluation.  

Regards,

Jeff Orr