The email has emerged as one of the most critical communication channels to interact with customers, partners, and third parties. Unfortunately, cybercriminals exploit this channel by spoofing the organization's mail domain identity and targeting the brand, it's employees, customers, partners, and third parties. This may cause the organisation or their associates, financial loss, data leakage, or trust erosion.
Realising the requirement to mitigate such email-based threats, several regulators and governing bodies globally have recommended the implementation of DMARC (Domain-based Message Authentication, Reporting, and Conformance), an email-based security technology. DMARC is a globally recognised and adopted email security standard that will complement other email security initiatives of the organisation and help to achieve outbound email visibility and security. Banks and other financial institutions in India have been widely implemented as it is mandated by the Reserve Bank of India (RBI). By enforcing DMARC standards, any fraudulent email attempted to be sent using organisation identity will get blocked, thereby increasing the successful delivery of our genuine emails and user trust on the brand. Many public email providers like Yahoo, Gmail, Zoho, Rediff, Outlook, etc. honour the DMARC for inbound emails. DMARC also increases your email program's visibility by letting you know who is sending email from your domain.
DMARC journey starts with a learning phase to monitor and inventories all genuine mailing activities done either in-house or through a third-party system (partners). These mail senders need to be whitelisted as genuine senders by making a specific configuration change at the backend. Once all genuine mail senders have been inventoried and whitelisted, need to migrate DMARC to an enforcement phase, post which all the spoofed emails (aka non-inventoried mail senders) would get blocked.
There must be sufficient due diligence that needs to be done before the organisation migrates the email domains to the final phase in which all the spoofed emails (aka non-inventoried mail senders) would get Blocked. Once it is set to Reject/Blocked state, all business process owners inter-alia Marketing, Operations, Customer Service, Finance, CRM, Sales, etc. who dispatch mails through any third-party (partner) need to inform InfoSec/IT team about any new future arrangements. They need to ensure that these partners are proactively whitelisted to ensure that none of the business processes get impacted due to DMARC enforcement.
Also, DMARC implementation will increase the emails' deliverability to the Inbox, thereby increasing customer transaction emails and marketing campaigns' overall efficiency. It is also promoted as a brand reputation tool rather than prevent email spoofing solutions.
Article by.
Kiran Belsekar
Vice President - Information Security at Aegon Life