In reading this article, “Raising the red flag on recent DMARC hype”, https://gcn.com/articles/2018/02/02/dmarc-email-security-hype.aspx, I find that the author is misinformed on the process of implementing DMARC. DMARC itself is certainly not a silver bullet, but a mechanism that seeks to expose, and to some degree fix, the weaknesses of the humble email, which has changed very little since its inception back in the 1970s. And yet its benefits are substantial.
An email security strategy would involve aspects such as phishing simulation and broader security awareness training (such as Ironschool and O’Phish), post-delivery scanning of the inbox (such as GreatHorn’s Inbound Email Security) and, of course, DMARC, amongst others.
The road to perfection is long and challenging, but the process starts with the very first small step, and there will be many small steps along the way. Japanese culture knows this process of seeking perfection very well: they call it "Kaizen", meaning improvement. In quality management this refers to activities that continuously improve all functions. But I digress!
Yes, there is hype around DMARC and what it can accomplish, and you have covered its flaws quite well.
But you haven't discussed how to overcome those flaws. Ingressum calls this process DMARC Compliance.
DMARC Compliance is a process that uses a DMARC dashboard as a tool to receive and analyse reports through which informed recommendations can be made.
So let's discuss the flaws identified:
Mailsploit. This website identifies bugs in certain email applications that are shown to be vulnerable to XSS and code injection attacks. In fact, we discuss this issue with our customers when we undertake a penetration test / vulnerability assessment (PT/VA) of their internal and external web-facing infrastructure. Larger organizations would have seen this issue and made appropriate changes to accommodate the risks. For smaller organizations that don’t have large IT teams, Gmail for Business seems to be the better application to use from those listed.
SPF & DKIM. Yes, there are flaws in both. I believe that the hackers bypassed the SPF record a year after it was released, and that was almost 10 years ago. Similarly, with DKIM spoofing, it didn’t take long to figure out a way around it. But DMARC can identify when the From address visible in the recipient's inbox does not align with the Return-Path address in the email header, and when DKIM uses an older DKIM key pair. So DMARC can actively report such abuses to the domain owner, allowing specific action to be taken to counter the threat.
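The alignment check described above, as an added example that is not code from the original article or from Ingressum; the two messages and their domains are constructed, and organizational-domain handling is simplified to the last two labels (an assumption; real implementations use the Public Suffix List).

```python
"""Added example (not from the original article): the DMARC alignment check
described above, run over two constructed messages. DMARC passes only if the
visible From: domain aligns with the SPF-authenticated domain (Return-Path) or
the d= domain of a passing DKIM signature. Organizational domain is simplified
to "last two labels" (assumption; real code uses the Public Suffix List)."""
import email
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_identifiers(raw: str) -> dict:
    """Extract the three domains DMARC compares from a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    dkim_dom = ""
    for tag in msg.get("DKIM-Signature", "").split(";"):   # find the d= tag
        key, _, value = tag.strip().partition("=")
        if key == "d":
            dkim_dom = value.strip()
    return {"from": from_dom, "spf": rp_dom, "dkim": dkim_dom}

def dmarc_pass(raw, aspf="r", adkim="r", spf_pass=True, dkim_pass=True) -> bool:
    """spf_pass/dkim_pass stand in for the verdicts of real SPF/DKIM checks."""
    ids = dmarc_identifiers(raw)
    spf_ok = spf_pass and bool(ids["spf"]) and aligned(ids["from"], ids["spf"], aspf)
    dkim_ok = dkim_pass and bool(ids["dkim"]) and aligned(ids["from"], ids["dkim"], adkim)
    return spf_ok or dkim_ok

# Constructed messages (placeholder domains). The first is the case the article
# describes: the From: the reader sees is not the domain the bounce path uses.
MISALIGNED = """Return-Path: <bounce@other-sender.example>
From: "Finance" <cfo@mydomain.example>

body
"""
ALIGNED = """Return-Path: <bounce@news.mydomain.example>
DKIM-Signature: v=1; a=rsa-sha256; d=mydomain.example; s=sel1; h=from; bh=x; b=y
From: "Finance" <cfo@mydomain.example>

body
"""
```

With strict SPF alignment (aspf=s) the ALIGNED message still passes only because its DKIM d= domain matches the From: domain exactly, which is why a subdomain setup needs the DKIM side in place too.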
DMARC and cloud apps. Ingressum takes advantage of DMARC's excellent auditing features to identify those domains that may exceed SPF's 10 DNS lookup limit, and with our core recommendation of moving all 3rd-party email providers to a dedicated subdomain, this issue can be overcome. For example, news.mydomain.com would be delegated to the 3rd-party vendor, with its own SPF and DKIM records. This keeps your top-level domain clean of external vendors, where possible, keeping the number of DNS lookups well below 10. This also allows your organization to implement a different and stricter DMARC policy, such as reject, to that of the subdomain.
BTW, you are aware that an IP address in the SPF record doesn't count towards the lookup limit?
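A small lookup counter for the limit discussed above, added here as an example (not Ingressum's tooling or code from the original article): it walks a constructed set of vendor SPF records and compares the apex domain before and after the vendors are delegated to subdomains. The vendor domains and records are placeholders, and the in-memory table stands in for DNS so the example runs offline.

```python
"""Added example (not from the original article): count the DNS lookups an SPF
record triggers, to check the 10-lookup limit discussed above. Terms that cost
a lookup: include, a, mx, ptr, exists and the redirect modifier; ip4, ip6 and
all cost nothing. The DNS data is a constructed in-memory table (assumption) so
the example runs offline; vendor domains are placeholders."""
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")

# Constructed vendor records plus the delegated subdomains the article recommends.
RECORDS = {
    "crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example ~all",
    "_a.crm.example": "v=spf1 a mx -all",
    "_b.crm.example": "v=spf1 a mx -all",
    "newsletter.example": "v=spf1 redirect=_spf.newsletter.example",
    "_spf.newsletter.example": "v=spf1 a mx ptr -all",
    "helpdesk.example": "v=spf1 a -all",
    "news.mydomain.example": "v=spf1 include:newsletter.example -all",
    "crm.mydomain.example": "v=spf1 include:crm.example -all",
}
# Before: every vendor included on the apex domain.
BEFORE_APEX = ("v=spf1 mx include:crm.example include:newsletter.example "
               "include:helpdesk.example ip4:203.0.113.10 -all")
# After: CRM and newsletter vendors delegated to their own subdomains.
AFTER_APEX = "v=spf1 mx include:helpdesk.example ip4:203.0.113.10 -all"

def count_lookups(record: str, records: dict = RECORDS, path: tuple = ()) -> int:
    """Number of DNS-querying terms evaluated for this record, includes followed."""
    total = 0
    for term in record.split()[1:]:                 # skip the v=spf1 version tag
        mech = term.lstrip("+-~?")                  # drop the qualifier
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += resolve(mech.split(":", 1)[1], records, path)
        elif mech.startswith("redirect="):
            total += 1 + resolve(mech.split("=", 1)[1], records, path)
    return total

def resolve(domain: str, records: dict, path: tuple) -> int:
    """Follow an include/redirect target; a domain already on the path is a loop."""
    if domain in path:
        return 0
    return count_lookups(records.get(domain, ""), records, path + (domain,))

if __name__ == "__main__":
    print("before:", count_lookups(BEFORE_APEX))   # 15: over the limit
    print("after :", count_lookups(AFTER_APEX))    # 3
    for sub in ("news.mydomain.example", "crm.mydomain.example"):
        print(sub, count_lookups(RECORDS[sub]))
```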
DMARC's scope is limited to the exact domain and its subdomains, but they still must be protected. When I leave home, I lock all doors and close all windows – that’s a personal physical asset that I own and wish to protect. Similarly, your organization’s domain is an important digital asset that equally must be protected. Social engineering attacks based on homograph or internationalized domain names should not be a reason to discourage implementation of DMARC. In fact, it’s the very opposite – by implementing DMARC you make the hacker's job so much harder. This takes us into anti-phishing and online fraud protection techniques that are outside the scope of this article.
DMARC setup and maintenance. In fact, it takes very little setup and maintenance. If you look at it from the financial perspective of “what does it cost to set up and maintain”, it is literally cents compared to the massive amounts of dollars spent on a broad range of security technology. However, its benefits are massively higher.
Email interoperability. Broken or undelivered emails are a result of internal teams NOT working together to implement DMARC. The implementation process involves ALL organizational functions that have a requirement to send email, either directly or through 3rd-party vendors. The left hand must know what the right hand is doing! By moving many of our customers to a DMARC reject policy, we have proven that a collective approach to implementation means that ALL legitimate emails are delivered.
Finally, I do agree with your final conclusion – “to view DMARC as only a small piece of a much larger email security strategy”!
Ingressum views the implementation of DMARC through a DMARC Compliance program as simple as baking a cake, and certainly not as complex as building a car engine.
By Con Lokos