Word Notes 4.5.22
Ep 94 | 4.5.22

Domain-based Message Authentication Reporting Conformance (DMARC) (noun)


Rick: The word is: DMARC.

Rick: Spelled: D for domain-based, M for message, A for authentication, R for reporting, and C for conformance.

Rick: Definition: DMARC is an open source email authentication protocol designed to prevent emails, spoofing in phishing, business email compromise or BEC, and other email-based attacks. 

Rick: Example sentence: DMARC works with two other email authentication protocols, Sender Policy Framework or SPF, and DomainKeys Identified Mail or DKIM, to recognize when an in-bound email isn't coming from an authoritative source 

Rick: Origin and context: According to Samuel Gibbs at the guardian newspaper, DARPA proposed the first email standard in 1973 and finalized it in 1977.

Rick: Ever since, email systems have been vulnerable to abuse from attackers claiming to be somebody they weren't and tricking users into doing things they shouldn't. That started to change in the 1990s when RSA began development of the S/MIME protocol, Secure, Multipurpose, Internet Mail Extension.

Rick: In 1996, the IETF released the first standard as a way for users to sign and encrypt their own messages. Unfortunately, despite being technically sound, email encryption, using S/MIME was too difficult to use for the common user and it never caught on. According to Agari, in the mid-2000s, researchers began looking for two new protocols to solve the problem, the SPF standard Sender Policy Framework, and the DKIM standard, DomainKeys Identified Email. 

Rick: Using the DNS, the Domain Name System to store the information, the SPF standard allows email systems to specify which IP addresses are allowed to send email from their domains. Email receivers can check potentially spoofed email to make sure the stores IPS are authoritative. The DKIM standard merged to new technologies, Domain Keys developed at Yahoo and Identified Internet Mail developed at Cisco.

Rick: It allows email systems to digitally sign all outgoing messages and uses the DNS to store its public key. This lets the receiving email provider confirmed the legitimacy of the email's origin. The beauty of both the SPF and DKIM protocols is that common email users didn't have to do a thing, that checking is all done by the email systems themselves. The problem is that both are just tools and not management platforms that allow for policy that's where DMARC comes in.

Rick: According to Agari, DMARC is another standard email authentication protocol that adds feedback, policy and identity alignment to the already deployed SPF and DKIM frameworks. It allows email senders to publish policies telling receivers when they should rely on DKIM and SPF for a given domain, and what to do when messages fail those tests.

Rick: In other words, DMARC makes it possible for email receiving systems to make firm decisions about which messages to reject and which to deliver. For example, if an email receiver, working in the domain, Thanos.com rejects a message claiming to be from StarkEnterprises.com because it failed the DKIM test Thanos is doing so because the StarkEnterprise DMARC policy says to do just that.

Rick: DMARC provides a method for starkEnterprise to tell the world that they signed all of their outgoing email, and if anybody ever receives a message that isn't correctly signed by StarkEnterprise, they should delete it. This is a way for organizations like StarkEnterprise to protect its own brand from criminals and spies, trying to use the brand in nefarious ways.

Rick: DMARC, SPF, and DKIM provide amazing protections for email systems, but they can be intimidating to deploy. Incorrect implementation can lead to blocking legitimate email, and its unforgiving syntax can cause a host of errors if entered incorrectly. In response to this challenge, the Global Cyber Alliance has been championing DMARC's adoption rate by supplying organizations with tools and resources to aid implementation. Due to their sustained efforts thousands of organizations, and over 180 countries have adopted DMARC and millions of dollars have been saved from limiting business, email compromise. 

Rick: Nerd reference: In this clip taken from the 2018 RSA security conference, SC media's executive editor, Terry Robinson asks Philip Reitinger, the President and CEO of the global cyber Alliance "Why CEOs and CISOs should be thinking about DMARC."

Terry Robinson: It seems like it's almost a no-brainer that you'd want to do DMARC. 

Philip Reitinger: I think it is a no brainer. It could be a challenge to deploy, but it's not that much of a challenge and it does a really good job of protecting your customers. I think part of the problem is that for the smaller vendors, it's not something they've gotten to yet, and for other folks, they're worried about a lot of things, and they're particularly worried about inbound attacks and DMARC helps with that, but the thing it helps with most is protecting your customers and the people you're sending email to. So there's a little bit of a market mismatch in the sense that the people who really ought to care about DMARC deployment are the CEOs and chief marketing officers and chief financial officers, because it makes their email more trustworthy. But the CIS owes, who are the ones who really understand what DMARC is. They're just trying to deal with, you know, keeping their heads above water. 

Rick: Word Notes has written by Nyla Gennaoui, executive produced by Peter Kilpe and edited by John Petrik, and me Rick Howard. The mix sound design and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.