Created in 2012 by major email providers, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that prevents hackers from spoofing a person's email address. More specifically, it acts on an organization's domain name.
The DMARC system identifies phishing emails or messages sent by individuals who are illegally using an organization's domain name. It authenticates emails. With DMARC, the sender who owns the domain name is notified of the success or failure of an email's authentication. Once informed, they can take action if their domain name is being misused by an unauthorized third party.
This protocol therefore helps reduce spam and phishing emails. It is particularly important against one type of phishing fraud: domain name spoofing. By implementing DMARC, a sender can protect its employees, customers, and partners from cybercriminals who send emails in its name.
What is a domain name?
An Internet address is the equivalent of an organization's postal address on the Internet. It allows contacts and customers to find a website on the web. A domain name is an integral part of the Internet address, known as a "URL" (Uniform Resource Locator). It consists of a string of characters and an extension (.fr, .com, .org). In France, AFNIC is the long-standing manager of .fr domains.
For example, in the Internet address "www.avantdecliquer.com," avantdecliquer.com is the domain name.
Purchasing and registering a domain name is done through a registrar.
For a more professional look, an organization that owns a domain name can create email addresses of the form "firstname.lastname@domain-name.com." In our example: firstname.lastname@avantdecliquer.com.
What is phishing?
Phishing is a widespread email fraud technique. Hackers use it to infiltrate an organization's IT system, with the aim of extorting personal and/or professional data.
Phishing and spear phishing remain the most prevalent cyberattacks (sources: CESIN and Cybermalveillance.gouv.fr):
- 1 in 3 users opens a phishing email.
- 79% of French organizations reported having been victims of phishing.
Around the world, this type of fraud is the predominant threat. The financial, organizational, and reputational damage can be dramatic.
The consequences of clicking on a malicious link or fraudulent attachment vary: data extortion, malware infection (viruses, ransomware, etc.).
Spear phishing, on the other hand, involves carrying out the same type of fraud by identifying a specific target.
Phishing and domain name spoofing
Sending fraudulent emails while posing as a third party is becoming a common form of cybercrime. For an experienced hacker, spoofing the "From" field of an email is "child's play." This type of fraud is called "cybersquatting." It involves registering domain names that are identical or similar to the official domain names of the organizations sending the emails.
The hacker's goal is to infringe on the rights of the owner in order to take advantage of their identity or to harm them.
For example:
In June 2020, FNAC was the victim of a phishing campaign aimed at stealing its identity. The company warned its customers about the risk of phishing, stating that "these emails claim to be confirmations of fictitious orders and use our company's graphic charter and logo."
In April 2020, a major flaw detected in Gmail allowed hackers to impersonate any user.
And in 2016, Vinci fell victim to identity theft via email, causing its share price to plummet.
How does DMARC combat phishing?
DMARC improves the deliverability of senders' emails. This is because the sender, who owns the domain name, can request that illegitimate messages be automatically directed to the recipient's "junk" (or "spam") folder. They can also request direct rejection by the receiving server (direct deletion from the mail server).
As a result, spam and especially phishing emails are automatically filtered out of users' inboxes.
How does DMARC work?
DMARC works by combining two other protocols:
- SPF (Sender Policy Framework): this protocol allows an organization to publish a list of the servers authorized to send emails using its domain name, which receiving mail providers can check.
- DKIM (DomainKeys Identified Mail): this protocol systematically adds a digital signature to emails sent by an organization. The presence of this DKIM signature guarantees the integrity of the email during transmission.
These two protocols complement each other; if an email fails either check, DMARC tells the receiver which action the domain owner has chosen in the event of a suspected attack.
Three protocols (SPF, DKIM, and DMARC) therefore authenticate the source of an email.
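To make the combination described above concrete, here is an added example (not code from the original article) of how a receiving server evaluates DMARC: it parses the domain owner's published DMARC record, checks whether the SPF and DKIM results are aligned with the "From" domain, and returns the policy action (none, quarantine, or reject) when both fail. The record text, domains and results are constructed sample values; the organizational-domain rule is simplified to the last two labels.

```python
"""Toy DMARC evaluation (added illustration, not the article's own code)."""


def parse_dmarc_record(txt):
    """Parse a DNS TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")   # SPF alignment: r = relaxed, s = strict
    return tags


def org_domain(domain):
    """Simplification: last two labels (real receivers use the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record_txt, from_domain, spf_domain, spf_pass,
                   dkim_domain, dkim_pass):
    """Return ('pass', 'none') if SPF or DKIM passes *and* aligns with the
    From domain, otherwise ('fail', <policy from the p= tag>)."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", rec.get("p", "none"))


if __name__ == "__main__":
    # Constructed sample: a legitimate message from the owner's own mail server.
    print(evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                         "example.com", "mail.example.com", True, "example.com", True))
    # Constructed sample: a spoofed From with SPF passing only for the sender's domain.
    print(evaluate_dmarc("v=DMARC1; p=reject",
                         "example.com", "attacker.invalid", True, "", False))
```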
Is DMARC the solution to phishing?
DMARC offers effective protection against email spoofing, also known as "business email compromise."
Although highly effective, its implementation remains quite complex for most organizations.
Furthermore, it is not the only solution to the problem of phishing, as it only combats one type of phishing: domain name spoofing.
Like any cybersecurity solution, it is its combination with other technical measures (spam filters, firewalls, etc.) and organizational measures (cybersecurity awareness, training users to avoid phishing traps) that makes it an additional asset in the fight against phishing.