The Australian Signals Directorate (ASD) has published a ‘how-to’ guide for tackling email spoofing to help more organizations adopt email security protocols that can thwart phishing and business email compromise (BEC) attacks.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is one of the key email protocols that can mitigate email that spoofs a trusted organization’s email domain to boost the chances that a recipient opens an email or downloads an attachment.
In the new document, the ASD recommends organizations implement DMARC, which is designed to work on top of Sender Policy Framework (SPF) and/or Domain Keys Identified Mail (DKIM).
Both SPF and DKIM aim to verify the sender’s authenticity, but they do so differently: DKIM uses public-key cryptography to sign outgoing mail, whereas SPF relies on a DNS record listing the hosts permitted to send for a domain. Of the two, SPF appears to be the preferred base for DMARC.
“SPF and DMARC records are publicly visible indicators of good cyber hygiene. The public can query a DNS server and see whether an organisation has SPF and/or DMARC protection. DKIM records are attached to outgoing emails and their presence (or lack thereof) is also visible to any external party you email,” the ASD notes.
DMARC is useful between trusted organizations as it allows the owners of a domain to tell the recipient how to handle email coming from its domain, utilizing verification processes enabled by SPF/DKIM.
Admins can also get reports that tell them which IP addresses emails come from and if they failed either SPF or DKIM verification.
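To make that mechanism concrete, here is an added example (not code from the ASD guide) of the check a receiving mail server performs: it parses a DMARC TXT record and combines the SPF and DKIM results with the identifier-alignment rule to reach the disposition the domain owner asked for. The record, domains and results are constructed sample values, and the small suffix set is a stand-in for the Public Suffix List a real receiver would use.

```python
# Added example, not from the ASD guide: a receiver-side DMARC check.
# It parses a DMARC TXT record (RFC 7489 "tag=value;" syntax) and applies
# the policy to SPF/DKIM results, including the identifier-alignment rule
# that stops a sender who passes SPF for their own domain from spoofing yours.
from typing import Dict

# Simplification: a tiny stand-in for the Public Suffix List that real
# receivers use when computing the organisational domain.
TWO_LABEL_SUFFIXES = {"com.au", "gov.au", "net.au", "org.au", "edu.au", "co.uk"}

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into tags; alignment modes default to relaxed."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    labels = domain.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, record_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain) -> str:
    """Return 'pass', or the action ('none'|'quarantine'|'reject') the owner asked for."""
    tags = parse_dmarc(record)
    # SPF is checked against the MAIL FROM domain, DKIM against the d= tag of the
    # signature; either one passing *and* aligning with the From: header is enough.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from a subdomain falls under the 'sp' policy when one is published.
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```

The third scenario in a typical test (SPF passes for an unrelated domain but does not align) is exactly the case the aggregate reports described above let administrators see and act on.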
Setting up DMARC on top of these verification systems can be an effective method to prevent a host of email spoofing attacks that enable fraud like business email compromise (BEC) — a type of phishing or hacking that exploits relationships between trusted parties, typically when large transactions are involved, such as between buyers and suppliers in multiple industries, as well as brokers.
The Australian Competition & Consumer Commission (ACCC) warned earlier this year that the BEC threat is growing for Australian organizations.
ASD also last month cited BEC fraud as one of the top cyber risks during mergers and acquisitions in the corporate sector, as well as during major changes within government agencies. Large changes give scammers ample opportunity to use simple methods to exploit people as they navigate changing relationships and processes.
After setting up DMARC and SPF/DKIM, organizations should be able to declare which senders are not authorized to send email on behalf of their domains, so that organizations receiving such email can flag it.
The ASD’s document runs through several other issues with establishing SPF and DMARC and provides helpful diagrams and flow charts to explain exactly how the protocol works.
The document could help fill gaps in the ASD’s “Malicious Email Mitigations Strategies” published in April, which advised organizations to implement DMARC to enhance SPF or DKIM but didn’t explain how or why quite as clearly.