
If you are anything like me, you’re sick and tired of bogus email that attempts to corrupt your computer, steal your information, compromise things like your identity and bank information, and do all sorts of other nefarious deeds. As a business person you are charged with positively impacting your clientele (or target audience) and providing information through a variety of means, and you recognize the importance of email, which has long been at the top of the list of tools for doing so.

Every developed business depends on email for communicating directly with its customers, clients, prospects, or patients. It’s the one way to know the message is getting through to them. That is, it used to be.

As email grew as fast as internet adoption in general, attempts were made to keep junk, spam and bogus email from clogging our inboxes. I’ll share a bit more about the first two attempts, but first, let’s get familiar with the latest and greatest.

Introducing DMARC

Domain-based Message Authentication, Reporting & Conformance or DMARC is the latest attempt at securing email deliverability, and a lot of people are placing their hopes directly on it. It’s not the first time something has been enacted to keep email secure and free from phishers, fraud artists, and just plain old SPAMMERS. But it very well may be the best thus far.

What’s DMARC Supposed To Do?

DMARC is designed to identify bogus email and domain activity. It is not designed to protect against every kind of phishing or email hacking, however. Here’s some information that might help you understand its role.

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

A domain owner who has deployed email authentication can begin using DMARC in “monitor mode” to collect data from participating receivers. As the data shows that their legitimate traffic is passing authentication checks, they can change their policy to request that failing messages be quarantined. As they grow confident that no legitimate messages are being incorrectly quarantined, they can move to a “reject” policy.  –  dmarc.org/overview

[Image: DMARC graphic 1. Image Credit: DMARC.org]

What are SPF and DKIM?

First there was SPF, the Sender Policy Framework. This undertaking was driven by a group of volunteers headed up by Meng Weng Wong, starting in 2003. The group has spent untold thousands of hours trying to stem the tide of email fraud, phishing, hijacking of domains, and all sorts of mayhem, and has successfully authored several proposed sender authentication protocols.

But is it truly effective? Sadly, no: SPF does not completely stop email spoofing. At best it makes things more difficult for an attacker. SPF works by looking up an SPF record for the domain in the envelope sender of the SMTP transaction (the MAIL FROM address, which the recipient sees as Return-Path) and checking whether the connecting mail server is authorized to send for that domain. It does not check the From header that the receiving mail client actually displays.

This means that an attacker can put a domain under their own control in the envelope sender, so that the receiving mail server’s SPF check merely looks up a record that authorizes the attacker’s mail server, while the From header that the recipient sees shows a completely different, spoofed domain (enough tech-speak, as this gets tedious to write and to read).

While this initiative was taking place, other new ways to thwart bogus email were emerging all around the globe. Another attempt to put a block on illegal email activity was the founding of DKIM.org, a means of protecting email in transit. “DomainKeys Identified Mail” basically provides some level of trust in the sender or intermediary, so as to avoid all of the harm wrongdoers can wreak upon email senders and recipients. DKIM applies a cryptographic signature to the message so that the sender can be verified as legitimate, the email address and domain can be shown not to have been hijacked, and the emails can be trusted.
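The three pieces above fit together in the receiver’s DMARC evaluation: the From-header domain is compared (“aligned”) with the domain SPF authenticated and with the domain in the DKIM signature, and the sender’s published policy decides what happens when neither aligns. The following Python is an added example written for this article, not code from the article, dmarc.org or any mail software. Everything in it is constructed: the DMARC_TXT table stands in for DNS lookups of _dmarc.<domain>, the domains and messages are invented, the organizational-domain logic uses the last two labels instead of the Public Suffix List, and the pct, sp and reporting tags are not acted on.

```python
"""Simplified DMARC evaluation over constructed sample messages (added example)."""
import re

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; nothing is resolved.
# The three records show the monitor -> quarantine -> reject progression.
DMARC_TXT = {
    "startup.example": "v=DMARC1; p=none; rua=mailto:dmarc@startup.example",
    "shop.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@shop.example",
    "bank.example": "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@bank.example",
}

ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict, filling in the defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}  # relaxed alignment by default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real DMARC consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def domain_of(address):
    m = ADDR_DOMAIN.search(address or "")
    return m.group(1).lower() if m else ""


def evaluate(headers, spf_result, dkim_results):
    """headers: From and Return-Path (envelope MAIL FROM); spf_result: receiver's SPF
    verdict for the Return-Path domain; dkim_results: [(d= domain, verdict), ...].
    Returns (disposition, reason)."""
    from_domain = domain_of(headers.get("From"))
    record = DMARC_TXT.get(from_domain) or DMARC_TXT.get(org_domain(from_domain))
    if record is None:
        return ("deliver", "no DMARC policy published for " + from_domain)
    tags = parse_dmarc(record)
    envelope_domain = domain_of(headers.get("Return-Path"))
    # SPF only counts if the envelope domain it authenticated aligns with From.
    spf_aligned = spf_result == "pass" and aligned(from_domain, envelope_domain, tags["aspf"])
    # Any passing DKIM signature whose d= aligns with From is enough.
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, tags["adkim"])
                       for d, res in dkim_results)
    if spf_aligned or dkim_aligned:
        return ("deliver", "DMARC pass")
    if tags["p"] == "none":
        return ("deliver", "DMARC fail, but p=none: deliver and report to " + tags.get("rua", "(no rua)"))
    return (tags["p"], "DMARC fail: no aligned SPF or DKIM pass")


# Constructed messages: (headers, SPF verdict, DKIM verdicts).
SAMPLES = {
    "legitimate": ({"From": "Alerts <alerts@bank.example>", "Return-Path": "<bounce@bank.example>"},
                   "pass", [("bank.example", "pass")]),
    # The gap in SPF alone: envelope domain passes SPF, From header shows another domain.
    "spoofed_from_spf_pass": ({"From": "Security <security@bank.example>",
                               "Return-Path": "<x@attacker.example>"}, "pass", []),
    "spoofed_from_quarantine": ({"From": "orders@shop.example",
                                 "Return-Path": "<x@attacker.example>"}, "pass", []),
    "spoofed_from_monitor_only": ({"From": "ceo@startup.example",
                                   "Return-Path": "<x@attacker.example>"}, "pass", []),
    # Mail sent through a third-party provider: SPF passes for the provider but does
    # not align; the aligned DKIM signature carries the message through.
    "via_provider_dkim": ({"From": "alerts@bank.example", "Return-Path": "<bounce@esp.example>"},
                          "pass", [("bank.example", "pass")]),
}


def run_samples():
    return {name: evaluate(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, (disposition, reason) in run_samples().items():
        print(f"{name:26} -> {disposition:10} ({reason})")
```

The two spoofed cases show why an SPF pass on its own proves little and why the author of the record, not the receiver, decides the outcome: the same forged From header is rejected under p=reject, quarantined under p=quarantine, and merely reported under p=none. The provider case shows why publishing DKIM matters before moving past monitor mode, since otherwise mail relayed by a third party would fail alignment.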

Ode to Bogus Email

Given the state of almost everyone’s inbox these days, it is not difficult to assess the effectiveness of these early attempts to clean up email delivery and address fraudulent email practices. No one is completely immune from SPAM, fraudulent emails, phishing attempts, and who knows what else will be heading our way. And the energy, effort, and creativity exhibited by the “bad guys” are undaunted. But DMARC seems to be the evolution toward better control over email delivery and safety.

The links contained throughout this article provide a much deeper explanation of how those in the know are doing what may be done to slow the invasion of bad stuff via email. Will the third time be the charm? Only time will tell.