Email Marketers' Responsibility in Phishing Protection
Mike Veilleux, Dyn
As email marketers we have a responsibility that goes beyond getting users to open and click emails and beyond selling our products and services: we have an obligation to be a voice for our company on email security and protection. What made email a success, an open and independent infrastructure for delivering messages, has also created a security challenge in the form of phishing emails.
As marketers well know, phishing emails attempt to illegally acquire sensitive information like passwords, credit card numbers, and user names by looking like they have come from your brand. Phishing can severely impact your business. Recipients who are exposed to a phishing attempt on your brand are 42% less likely to do business with you in the future, according to information compiled by Return Path, an email intelligence company.
What to do about it
In the past there were few ways to verify that an email really came from the sender it claimed. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) were the introductory methods of email authentication, and they remain the building blocks mailbox providers use today to decide whether a message is phishing or spam. SPF is an email validation system: the domain owner publishes a DNS record listing the IP addresses allowed to send mail for the domain used in the envelope sender (the MAIL FROM, or Return-Path, address), and the mailbox provider checks the connecting server's IP against that list. If a mail server doesn't appear in the domain's SPF record but is attempting to send mail for that domain, the mail is most likely spoofed or unapproved and can be rejected by the mailbox provider. DKIM is a signing framework: your mail servers sign each outgoing message with a private key, the signature travels in a DKIM-Signature header, and the mailbox provider verifies it with the public key published in DNS under the selector and domain named in that header. A valid signature proves the message was sent by a server holding your domain's private key and was not altered in transit, protecting your brand and customers.
As mail volumes grew, processing became more and more intensive, and mailbox providers had to develop algorithms to make "best guesses" about what to do with messages that failed SPF or DKIM, or carried no authentication at all. The question they had to answer was: were these messages really part of that brand's legitimate mailstream, or a phishing or spam attack under that brand's identity? Neither SPF nor DKIM answers this on its own, because SPF checks the envelope sender and DKIM checks the signing domain, and neither is required to match the From: address the recipient actually sees. These heuristics became complex, and mailbox providers and senders alike wanted a more transparent way of making the decision.
Domain-based Message Authentication, Reporting & Conformance (DMARC) was born for this reason. It builds on SPF and DKIM: the domain owner publishes a DNS record that tells mailbox providers what to check for in mail using your domain, requires that the domain which passed SPF or DKIM aligns with the domain in the visible From: header, and states what to do with mail that fails. This makes the phishing decision much clearer, because the receiver knows whether mail from your domain is meant to pass SPF or DKIM instead of guessing. That raises the accuracy of phishing detection and reduces the processing needed. Additionally, mailbox providers will send you reports on passed and failed messages, giving you insight into any phishing threats that may exist.
As an email marketer it's your responsibility to implement the latest email security protections for your company and brands. To do this, get your technical team or email service provider (ESP) to help. Here are the main items you'll need to review:
- Set up SPF / DKIM: If you don't already use SPF and DKIM, set them up.
- Get in alignment: DMARC requires that the domain in the visible From: header aligns with the domain that passed SPF (the envelope MAIL FROM domain) or the domain that signed with DKIM (the d= tag in the signature). Alignment can be strict (an exact match with the From: domain) or relaxed (the same organizational domain, so a subdomain such as bounce.yourdomain.com counts). Forward and reverse DNS for your sending IP addresses is good hygiene and some providers check it, but it is not part of the DMARC check itself.
- Generate a DMARC record: Next you'll generate a DMARC record and you'll be able to specify a few items:
○ Reporting options: Where to send aggregate reports (the rua tag) and, optionally, per-message failure reports (the ruf tag)
○ Mail policy: What receivers should do with mail that fails DMARC (the p tag): none, quarantine (spam folder), or reject
○ Percentage: The percentage of failing mail to apply the policy to (the pct tag), useful for a gradual rollout
- Publish the record as a DNS TXT record at _dmarc.yourdomain – Presto! Your setup is complete.
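As an added example (not code from the original article or from Dyn), the following Python shows what the steps above amount to once published: it parses a DMARC TXT record with its tags and defaults, then applies DMARC identifier alignment (strict vs. relaxed, the sp subdomain policy, and pct sampling) to the SPF/DKIM results a receiver would have for a message. The DNS records, domains and message results are constructed for the example, and the organizational domain is approximated as the last two labels, which is an assumption; real validators use the Public Suffix List so that domains like example.co.uk work.

```python
"""Added example: parse a DMARC record and evaluate DMARC alignment.

Assumptions not taken from the article: DNS is replaced by the constructed
FAKE_DNS_TXT dict, and org_domain() uses the last two labels instead of the
Public Suffix List that real validators consult."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample TXT records standing in for a real DNS lookup.
FAKE_DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=none; sp=quarantine; adkim=r; aspf=s; "
                           "rua=mailto:dmarc-agg@example.com; "
                           "ruf=mailto:dmarc-fail@example.com"),
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=50; rua=mailto:agg@example.org",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")      # policy applies to all failing mail
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is set
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From:
    domain; relaxed ('r') only needs the same organizational domain."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)


def lookup_policy(header_from: str, dns: dict):
    """Return (record, is_subdomain): try _dmarc.<From domain> first, then fall
    back to the organizational domain's record, whose sp= tag then applies."""
    name = f"_dmarc.{header_from.lower()}"
    if name in dns:
        return parse_dmarc_record(dns[name]), False
    org = org_domain(header_from)
    if org != header_from.lower() and f"_dmarc.{org}" in dns:
        return parse_dmarc_record(dns[f"_dmarc.{org}"]), True
    return None, False


@dataclass
class AuthResult:
    """Authentication outcome for one message, as a receiver would compute it."""
    header_from: str            # RFC5322.From domain (what the user sees)
    spf_domain: Optional[str]   # envelope MAIL FROM domain that SPF checked
    spf_pass: bool
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified
    dkim_pass: bool


def evaluate(msg: AuthResult, draw: int = 0, dns: dict = FAKE_DNS_TXT) -> dict:
    """Apply DMARC to one message. `draw` (0-99) stands in for the receiver's
    random sample used by pct=, made a parameter so results are deterministic."""
    record, is_sub = lookup_policy(msg.header_from, dns)
    if record is None:
        return {"dmarc": "no-policy", "disposition": "none"}
    spf_ok = bool(msg.spf_pass and msg.spf_domain
                  and aligned(msg.header_from, msg.spf_domain, record["aspf"]))
    dkim_ok = bool(msg.dkim_pass and msg.dkim_domain
                   and aligned(msg.header_from, msg.dkim_domain, record["adkim"]))
    if spf_ok or dkim_ok:   # one aligned pass is enough
        return {"dmarc": "pass", "disposition": "none",
                "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    policy = record["sp"] if is_sub else record["p"]
    # Mail outside the pct= sample gets the next-weaker policy
    # (reject -> quarantine, quarantine -> none), per RFC 7489 section 6.6.4.
    if draw >= int(record["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return {"dmarc": "fail", "disposition": policy,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Bounce subdomain fails strict SPF alignment, but the DKIM d= domain aligns.
    print(evaluate(AuthResult("example.com", "bounce.example.com", True, "example.com", True)))
    # Third-party sender, no DKIM: fails, but p=none means it is still delivered.
    print(evaluate(AuthResult("example.com", "mailer.example.net", True, None, False)))
```

The first message in the usage section is the case that trips up marketers: the ESP's bounce domain does not match the From: domain under aspf=s, so DMARC depends on the DKIM signature being under your own domain. Run the same evaluation with aspf=r and the SPF result would align as well.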
As you can see, setting up DMARC is a simple process, but understanding how to use the reports and how to tweak the configuration of your DMARC record to get the most protection possible is the harder part.
- DMARC can filter good mail too. DMARC doesn't know that you have a Web application running on an old server that you forgot to include in your SPF record. So be sure to set the policy to "none" at the beginning. This gives you time to review the reports and find legitimate mail that is failing, which you fix by completing your SPF and DKIM configuration. Once you are confident that all your valid email is passing DMARC, change the policy to "quarantine" and then "reject".
- Review the reports for unknown IP addresses. Your organization most likely uses your domain for a significant amount of email for different reasons. Maybe you have an email marketing platform, Google Apps for business email, and use Salesforce or Zendesk in addition. Each of these will need to pass SPF or DKIM in alignment with your domain, so their sending IPs must be in your SPF record or they must sign with DKIM under your domain. Failing sources you don't recognize are the other half of the picture: they may be the phishing attempts your policy is meant to stop.
- Get a tool to read DMARC reports. Aggregate reports are XML files (usually compressed), often large, and you'll need some sort of tool for viewing and using the data within them.
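To make the last two points concrete, here is an added example (not code from the original article or from Dyn) of the minimal tool those bullets ask for: it reads a DMARC aggregate report in the XML format defined by RFC 7489, totals passed and failed messages per source IP, and separates failures from senders you know (a configuration problem to fix before tightening p=) from failures from senders you don't (candidates for spoofing). The report, the IP addresses (RFC 5737 documentation ranges) and the known-sender list are all constructed for the example.

```python
"""Added example: summarise a DMARC aggregate report and triage failing sources.

The report XML, the IPs and KNOWN_SENDERS are constructed for this example;
the XML layout follows RFC 7489 Appendix C."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <email>noreply-dmarc@mailbox-provider.example</email>
    <report_id>42</report_id>
    <date_range><begin>1420070400</begin><end>1420156800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>mkt1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip><count>8000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""

# Assumption: the addresses your ESP, Google Apps, Salesforce etc. really send from.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def summarise(report_xml: str, known_senders=KNOWN_SENDERS) -> dict:
    """Per-source-IP summary of one aggregate report plus message totals."""
    root = ET.fromstring(report_xml)
    policy = root.find("policy_published")
    out = {"domain": policy.findtext("domain"), "policy": policy.findtext("p"),
           "rows": [], "total": 0, "passed": 0, "failed": 0, "unknown_failed": 0}
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either did.
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = {"ip": ip, "count": count, "dmarc": "pass" if passed else "fail",
                 "disposition": ev.findtext("disposition"), "known": ip in known_senders}
        out["rows"].append(entry)
        out["total"] += count
        if passed:
            out["passed"] += count
        else:
            out["failed"] += count
            if not entry["known"]:
                out["unknown_failed"] += count
    return out


def triage(summary: dict) -> list:
    """One action per failing source: fix known senders before tightening p=,
    treat unknown high-volume senders as possible spoofing."""
    notes = []
    for r in summary["rows"]:
        if r["dmarc"] == "pass":
            continue
        if r["known"]:
            notes.append(f"{r['ip']}: known sender failing ({r['count']} msgs); "
                         "add it to SPF or have it sign with DKIM under your domain")
        else:
            notes.append(f"{r['ip']}: unknown sender ({r['count']} msgs); "
                         "likely spoofing, what p=reject would stop")
    return notes


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['passed']} passed, {s['failed']} failed "
          f"of {s['total']}; {s['unknown_failed']} failures from unknown senders")
    print("\n".join(triage(s)))
```

In the constructed report the bulk of the failing volume comes from an address nobody in the organization recognizes, which is exactly the pattern that justifies moving from p=none to quarantine and reject, while the small number of failures from a known address is the "forgotten server" case the first bullet warns about.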
As email marketers within your organization, you'll need to be your brand's ambassador for email, whether that means building lists and converting customers or educating your company on its exposure to email phishing. Take this back to your teams to get the conversation going today; your brand's reputation is worth it.
Mike Veilleux is director of email product at Dyn.