DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technical specification published in 2012 with the goal of reducing the potential for email-based fraud. It works by allowing senders to indicate that emails from their domain name are protected by the authentication technologies SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail), and that any messages claiming to come from that domain that don't pass authentication and/or don't align with the domain displayed to users in the 'From' header field should be either junked or rejected according to that sender's policy. This means legitimate senders can ensure that their real emails (marketing emails, customer support communications, etc.) reliably reach their intended recipients, while spoofed ones (potential phish, malware, or any other type of message falsely appearing to come from that sender) will not reach inboxes at any DMARC-compliant email receiver, a group that covers ~70% of the world's email addresses.
DMARC also provides a way for the email provider to report back to the sender which messages from a domain name pass and/or fail DMARC evaluation, so that senders can verify that legitimate emails from them or from a third-party partner sending on their behalf are getting through to customers, and see what fake messages people have tried to send in their name that got rejected or junked. This provides organizations with visibility into the email channel that is analogous to the visibility that RiskIQ provides for web, mobile apps, and social media when we allow companies to see what their customers see in those channels and authenticate each site, app, or social profile related to their brand against the company's inventory and event policies to determine whether it's legitimate.
RiskIQ and DMARC
RiskIQ has established partnerships with two of the top vendors in the customer email fraud and security space, Agari and Proofpoint (formerly Return Path's Email Fraud Protection Business Unit, acquired by Proofpoint in August 2016), both of whom participated in developing the original DMARC specification alongside industry representatives from major email senders and receivers. With a customer’s permission, RiskIQ and these DMARC providers will exchange data concerning our shared customer’s brands in order to enrich both products.
This exchange can take two forms:
- For RiskIQ External Threats customers subscribed to the Phishing module, Agari and Proofpoint send RiskIQ links found in emails spoofing one of that client's DMARC-protected domains, and RiskIQ analyzes the URLs in those emails for phishing and malware. DMARC doesn't tell you anything about the content of links contained in an email; it simply flags messages as failing to pass authentication. RiskIQ can therefore provide additional context around the exact nature and severity of the threats in those emailed links by crawling the URLs with virtual users and creating events in your workspace based on that data.
- For RiskIQ Digital Footprint customers, RiskIQ provides a list of all customer-owned domain names within the customer’s Inventory of Digital Assets, which can be used to show which domains are currently DMARC-protected (and thus monitored for email spoofing via Agari or Proofpoint's tools), and which customer-owned domains are not currently protected. Having to research and uncover a customer’s domain inventory by hand greatly extends the time an organization needs to operationalize its Agari or Proofpoint purchase and start getting full value from it, and can leave unprotected domains vulnerable to spoofing if they are missing from the list. Bringing RiskIQ-discovered domain assets into DMARC compliance and monitoring increases the number of spoofed emails our partners can uncover on behalf of that client.
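The inventory comparison described in the second item can be sketched as follows. This is an added example, not RiskIQ, Agari or Proofpoint code: it assumes the TXT strings published at `_dmarc.<domain>` have already been fetched for each inventory domain (the inventory below is constructed), and it goes one step beyond protected/unprotected by separating `p=none` (reporting only) from an enforced policy. Inheritance from an organizational domain is not modelled.

```python
# Added example: constructed inventory; not RiskIQ, Agari or Proofpoint code.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT string, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # ignore fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the first tag must be v, with the exact value DMARC1.
    first = parts[0].partition("=")[0].strip().lower()
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def classify(txt_records):
    """Classify one domain from the TXT strings found at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        return "unprotected"  # no record, or several: receivers apply no policy
    policy = records[0].get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"      # reported separately so the record gets fixed
    return "monitor-only" if policy == "none" else "enforced"

def audit(inventory):
    """Map every inventory domain to its DMARC status."""
    return {domain: classify(txts) for domain, txts in inventory.items()}

# Constructed sample: domain -> TXT strings at _dmarc.<domain>
INVENTORY = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "example.org": [],
    "shop.example": ["v=spf1 -all"],  # misplaced SPF record, not DMARC
    "promo.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "old.example": ["v=DMARC1; pct=100"],  # p tag missing
}

if __name__ == "__main__":
    for domain, status in sorted(audit(INVENTORY).items()):
        print(f"{domain:15} {status}")
```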
How to Start Sending DMARC Data to RiskIQ
Let your RiskIQ Technical Account Manager know you are interested in using this service and who your DMARC provider is.
We will work with contacts at that company to notify them that a mutual customer between our organizations has given permission for RiskIQ to access their DMARC data, and/or that RiskIQ has identified additional domains you own that you would like added to their DMARC monitoring.