Raising the red flag on recent DMARC hype

It wasn't two weeks into 2018 before the cybersecurity industry found its first darling of the new year: Domain-based Message Authentication, Reporting and Conformance.

Although the origins of DMARC date back to 2011, the early-January revelation that a good portion of U.S. government agencies had recently adopted the policy in response to a Department of Homeland Security mandate catapulted it into the mainstream narrative. If nothing else, such out-of-the-blue DMARC hype signals a strong desire to change the conversation from the phishing and ransomware horror stories that cannibalized the second half of 2017.

As most security folks know by now, DMARC is intended to substantially bolster email security -- it’s a type of email validation system, which in theory, can severely mitigate and prevent email spoofing and business email compromise impersonations. As explained by German security researcher Sabri Haddouche, “DMARC stops that [traditional spoofing] by checking the internet address attached to the email, essentially discarding the message if the sender isn’t actually from the domain they’re claiming to be.”

As today’s premier email authentication policy, DMARC enhances the safeguards that are inherent to the Sender Policy Framework (SPF) and Domain Keys Identified Message (DKIM), two techniques that are all but ubiquitously perceived to benefit an organization’s defense-in-depth security. While there is dispute over the number of Fortune 1000s that adhere to DMARC, many notable global brands such as Facebook, Google and Bank of America do.

DMARC’s flaws require reflection on its benefit to email security

The timing of the fanfare surrounding DMARC is certainly ironic, as it was just this past December that Haddouche  discovered Mailsploit, a collection of “bugs” in email clients that enables spoofing messages that cannot be detected by servers, thereby easily bypassing DMARC protections and checks. Some were quick to dismiss the findings as nothing truly threatening to DMARC’s value proposition, while others began to reassess some of its shortcomings, such as the protocol’s binary limitations that prevent the creation of complete profile mockups capable of cementing educated and accurate threat diagnoses. Other challenges and limitations include:

DKIM and SPF reliability.  Although DMARC empowers DKIM and SPF, there are serious flaws to each that leave organizations vulnerable. DKIM, for example, verifies data integrity only between the time of signing and the time of verifying. SPF has limits to domain lookup while also using return-path addresses that are easily exposed by well-designed phishing attacks. In other words, both authentication techniques are prone to compromise.

DMARC not built for robust cloud app usage. The limitations of SPF’s 10-domain lookup threshold present challenges for organizations that use a variety of cloud-based services. According to an article in Dark Reading, “Since each cloud service typically uses between 3-5 rule sets, you’ll probably run into the 10-lookup limit with only three cloud services.” As more organizations transition to the cloud, it will become increasingly difficult to consistently update DNS records with the IP address information needed to satisfy SPF.

Email interoperability leads to broken mail flows.  DMARC allows organizations to establish their own restrictions policy, which can sometimes lead to “broken” email (i.e., emails not being sent or received). To avoid this scenario, most cybersecurity analysts suggest starting at policy level “None,” which will ensure that DKIM and SPF configurations are accurate. However, such instructions are complicated, especially for those with only novice or moderate experience. Plus, organizations are often burdened with misconfigurations that negatively impact critical business communications.

DMARC scope is limited. Most security pros understand that DMARC is not a complete solution to the email phishing epidemic; however, many chief executives are misinformed about just how much risk it can reduce. DMARC only protects against very specific types of phishing -- when attackers spoof the exact sender address domain. Since most phishers use random domains (and spoof sender names, for example) or subdomains not related to a domain, DMARC can only prevent a small portion of attacks from maturation.

DMARC requires significant setup and maintenance. According to Naked Security, “DMARC needs a lot of experience to implement without causing the sort of problems that ends with email admins being told to clear their desks.” In addition, there are also frequent DNS, IP address and encryption maintenance requests, reports that need to be reviewed and alerts that need to be analyzed. Simply put, DMARC compliance is not easy for the enterprise, no less medium or small organizations.

The concept of DMARC is good, and it’s an important step for U.S. government agencies to take in bolstering their proactive cybersecurity defenses. But DMARC is not without significant challenges, limitations and vulnerabilities. Today’s threat actors are so sophisticated that they can use legit domains to launch phishing attacks or create email spoofs that outsmart DKIM and SFP with ease. And don’t forget about Mailsploit: We haven’t really begun to see the havoc of this email browser vulnerability and its impact on DMARC.

Amidst all of the recent DMARC craze, it’s imperative for organizations -- both public and private --   to approach the hype with caution and to view DMARC as only a small piece of a much larger email security strategy -- one that must include real-time mailbox-level inspections that analyze both communication habits and sender indicators. That is the only proven way to actually learn true sender indicators and reputation and, in turn, reduce the risk of email spoofing in meaningful ways.