Your Customers Need A Hero
Save them from Internet Villains with DMARC
About the Speaker
• Email’s been my arch nemesis for 14 years
• Implemented DMARC for 128 domains in 7 months
• I’ve been saying, “Email is the worst thing ever” for 10 years
Agenda
• Our Customers’ inboxes are under attack. They need a hero.
• How do YOU become a DMARC hero?
• Getting your first victories.
• What will stand in your way?
• Know your weaknesses.
Your Customers Need A Hero - Save Them From Internet Villains With DMARC
WHO WILL HELP IN OUR HOUR OF NEED?
What is DMARC?
Chart: Fortune 500 health care sector, Nov. 2017: No DMARC 23, Monitor 13, Quarantine 1, Reject 1
• Email authentication policy published in DNS. It builds on SPF and DKIM and tells receivers what to do with mail that fails both, and where to send reports.
• What can it do?
• Email blocking: a quarantine or reject policy lets receivers stop bad emails pretending to be from your domain.
• Insight into BEC (business email compromise) and spoofing: the aggregate reports show you the IPs that are trying to send email with your brand.
• Brand assurance: your customers can be assured that mail from your domain really came from you.
To Start, read this:
• https://seanthegeek.net/459/demystifying-dmarc/
Chart: Technology industry, 2019: No DMARC 51%, None 34.9%, Invalid DMARC 3.6%, Reject & Quarantine 10.5%
Source: @Valimail
Source: @AgariInc
So why isn’t DMARC everywhere?
• Email is a utility.
• DMARC’s not a sexy topic.
• And it’s not the squeakiest wheel.
But it should be.
• You gain control of your email brand.
• It’s FREE: publishing the DNS records costs nothing.
• It’s easy to start and maintain.
• Marketing teams will see better delivery: aligned mail passes authentication at receivers that enforce DMARC.
GEAR UP
• You need a place to receive DMARC reports (the rua= address in your record: a mailbox or a hosted service). Then the telemetry comes to you!
• Put up the _dmarc TXT entry in “Monitor” mode (p=none). Monitor mode blocks nothing; it only asks receivers to send you reports.
• Once you know who’s trying to send email as your brand, form a plan.
• Save the metrics for POV later!
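What the telemetry looks like once the _dmarc record is up with a monitor-mode policy such as v=DMARC1; p=none; rua=mailto:dmarc-rua@brand.example (the address is an assumption): receivers mail you an XML aggregate report per day. The script below is an added example, not the deck’s tooling (parsedmarc, mentioned later, does this and much more). It parses one constructed report in the RFC 7489 Appendix C layout, aggregates per source IP, and sorts senders into the three buckets you plan around: aligned, a real vendor that authenticates as itself rather than as you, and nobody-vouches-for-it spoofing. Domain names and IPs are documentation placeholders.

```python
"""Summarize a DMARC aggregate (rua) report: who sends as your brand, and
is it aligned? Added example, not the deck's tooling. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
  <date_range><begin>1556668800</begin><end>1556755200</end></date_range></report_metadata>
 <policy_published><domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><pct>100</pct></policy_published>
 <record><!-- your own mail server: SPF and DKIM both aligned -->
  <row><source_ip>192.0.2.10</source_ip><count>420</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>brand.example</header_from></identifiers>
  <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
   <spf><domain>brand.example</domain><result>pass</result></spf></auth_results></record>
 <record><!-- an EaaS vendor that authenticates as itself, not as you -->
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brand.example</header_from></identifiers>
  <auth_results><dkim><domain>mailvendor.example</domain><result>pass</result></dkim>
   <spf><domain>mailvendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><!-- nobody vouches for this sender: spoofing your brand -->
  <row><source_ip>203.0.113.99</source_ip><count>1500</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brand.example</header_from></identifiers>
  <auth_results><spf><domain>bad.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def summarize(report_xml):
    """Aggregate per source IP. policy_evaluated/dkim and /spf are the
    receiver's *aligned* verdicts; a message passes DMARC if either is pass.
    auth_results carry the raw results and tell you who the sender really is."""
    root = ET.fromstring(report_xml)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        s = sources.setdefault(ip, {"count": 0, "dmarc_pass": 0, "dmarc_fail": 0,
                                    "raw_auth_pass": False, "auth_domains": set()})
        s["count"] += n
        aligned = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                             rec.findtext("row/policy_evaluated/spf"))
        s["dmarc_pass" if aligned else "dmarc_fail"] += n
        for res in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf"):
            s["auth_domains"].add(res.findtext("domain"))
            if res.findtext("result") == "pass":
                s["raw_auth_pass"] = True
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"), "sources": sources}


def triage(report_xml):
    """Bucket sources so you can form a plan, each bucket largest volume first:
    aligned                 -> already fine under p=reject
    authenticated_unaligned -> a real vendor; add their SPF include / DKIM key
    unauthenticated         -> spoofing or unknown; p=reject will block it"""
    sources = summarize(report_xml)["sources"]
    buckets = {"aligned": [], "authenticated_unaligned": [], "unauthenticated": []}
    for ip, s in sorted(sources.items(), key=lambda kv: -kv[1]["count"]):
        if s["dmarc_fail"] == 0:
            buckets["aligned"].append(ip)
        elif s["raw_auth_pass"]:
            buckets["authenticated_unaligned"].append(ip)
        else:
            buckets["unauthenticated"].append(ip)
    return buckets


def ready_for_reject(report_xml):
    """Readiness test: no legitimate (authenticated) sender is still failing
    alignment. Spoofers failing is the point, not a blocker."""
    return not triage(report_xml)["authenticated_unaligned"]


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(summary["domain"], "policy:", summary["policy"])
    for ip, s in summary["sources"].items():
        print(ip, s["count"], "pass", s["dmarc_pass"], "fail", s["dmarc_fail"], sorted(s["auth_domains"]))
    print(triage(SAMPLE_REPORT))
    print("ready for p=reject:", ready_for_reject(SAMPLE_REPORT))
```

The 35 messages from the vendor IP are the ones that matter for the plan: they pass SPF and DKIM for mailvendor.example, so the vendor is real and just not set up to authenticate as your domain yet. The 1500 from the unauthenticated IP are the metric worth saving for later: that is the volume a reject policy would stop.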
Where can you analyze your DMARC Reports?
FREE!
Hosted Services
• Postmark; dmarcian; DMARC Analyzer…
DIY
• Parsedmarc by Sean Whalen: https://domainaware.github.io/parsedmarc/
BUY A SIDEKICK!
• You can staff-augment to quickly onboard knowledge and assist with monitoring post-implementation.
• Folks like Agari, dmarcian, Valimail, and Proofpoint (to name a few) have sidekicks standing by!
Visit https://dmarc.org/resources/products-and-services/ for more!
Superhero Training Montage
Your first victories!
• Find your defensively registered and non-sending domains and set them to reject! Nothing legitimate sends from them, so p=reject can’t break anything; pair it with an SPF record that authorizes no senders at all (-all).
• Find your most spoofed domain and show how the Reject posture was successful.
• Work in the shadows for now.
You may be super close to being done!
• No one else sends emails on your behalf?
• Only use one email hosting provider?
• Set up SPF/DKIM and monitor for a month.
• If every legitimate source shows up aligned in the reports, you’re ready to p=reject!
• You’re DONE!
You may then safely ignore the rest of this presentation. Or read on just for fun!
Case Study: steves.nonsending.domain
Image Source: @proofpoint
The easy part’s over…
• Carefully review telemetry from your sending domains.
• Enumerate your EaaS (email-as-a-service) vendors. [Engage your third-party cyber risk hero back at the “Hall of Justice” if you’ve got one.]
• Add their SPF & DKIM info to your DNS and grow stronger.
• Use your CNAME kung fu for lots of defensively registered domains: point each domain’s _dmarc record at one central record so the policy is maintained in one place.
Who are the villains that will stop at nothing to destroy your initiative?
…the battle’s just begun.
CONFUZOR
• Multiple DNS TXT records for SPF: a domain may have only one v=spf1 record. Two of them is a permerror, so SPF never passes and DMARC falls back to DKIM alone.
• More than 10 SPF lookups: include, a, mx, ptr, exists and redirect all count, nested includes too. Over the limit is also a permerror.
• DKIM record typos: a mangled p= key means every signature fails to verify.
a.com IN TXT v=spf1 -all
a.com IN TXT v=spf1 include:spf.stuff.com ~all
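A way to catch all three CONFUZOR villains before a receiver does, and to confirm the first-victories rule that a non-sending domain is locked to -all and p=reject: an added example, not the deck’s tooling. It resolves everything from ZONE, a constructed snapshot of TXT records (the two a.com records above plus invented domains, selectors and a placeholder key), so it runs offline; point the txt() function at a real resolver to use it for real. It counts SPF lookups the way an evaluating receiver does, recursing through include: and redirect=, and parses DKIM and DMARC tag lists to spot the typos that turn a record into a permerror.

```python
"""Offline DNS posture check: multiple SPF records, more than 10 SPF lookups,
DKIM record typos, and non-sending domains locked down. Added example, not
the deck's tooling. ZONE is a constructed snapshot; nothing is queried."""
import base64

ZONE = {
    # CONFUZOR: two v=spf1 records => permerror, SPF never passes.
    "a.com": ["v=spf1 -all", "v=spf1 include:spf.stuff.com ~all"],
    # Include chain that adds up to more than 10 DNS-querying terms.
    "b.com": ["v=spf1 include:spf.stuff.com include:_spf.vendor.example mx -all"],
    "spf.stuff.com": ["v=spf1 include:a.stuff.com include:b.stuff.com ip4:192.0.2.0/24 -all"],
    "a.stuff.com": ["v=spf1 a mx -all"],
    "b.stuff.com": ["v=spf1 a:mail.b.stuff.com -all"],
    "_spf.vendor.example": ["v=spf1 include:spf1.vendor.example include:spf2.vendor.example "
                            "exists:%{i}.vendor.example -all"],
    "spf1.vendor.example": ["v=spf1 ip4:198.51.100.0/24 mx -all"],
    "spf2.vendor.example": ["v=spf1 a ptr -all"],
    # A defensively registered, non-sending domain done right.
    "parked.com": ["v=spf1 -all"],
    "_dmarc.parked.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@parked.com"],
    # DKIM selectors: "p:" instead of "p=", a stray quote pasted into the key,
    # and a good one. The key bytes are a placeholder, not a real RSA key.
    "s1._domainkey.b.com": ["v=DKIM1; k=rsa; p:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"],
    "s2._domainkey.b.com": ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"'],
    "s3._domainkey.b.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"],
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def txt(name):
    """Stand-in for a TXT query; swap in a resolver to check live DNS."""
    return ZONE.get(name.lower(), [])


def spf_records(domain):
    return [r for r in txt(domain) if r.split(" ", 1)[0].lower() == "v=spf1"]


def count_spf_lookups(domain, chain=()):
    """Count DNS-querying terms as a receiver evaluates them, recursing into
    include: and redirect=. A loop back into the current chain is skipped."""
    if domain in chain or len(spf_records(domain)) != 1:
        return 0
    total = 0
    for term in spf_records(domain)[0].split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name.lower() in LOOKUP_TERMS:
            total += 1
            if name.lower() in ("include", "redirect"):
                total += count_spf_lookups(target, chain + (domain,))
    return total


def check_spf(domain):
    recs = spf_records(domain)
    if not recs:
        return {"status": "none", "lookups": 0}
    if len(recs) > 1:
        return {"status": "permerror", "reason": "multiple v=spf1 records", "lookups": 0}
    n = count_spf_lookups(domain)
    if n > MAX_LOOKUPS:
        return {"status": "permerror", "reason": f"{n} DNS lookups, limit is {MAX_LOOKUPS}", "lookups": n}
    return {"status": "ok", "lookups": n}


def tags_of(record):
    """Split a 'k=v; k=v' tag list (DKIM and DMARC records share this shape)."""
    out = {}
    for part in record.split(";"):
        k, sep, v = part.strip().partition("=")
        if sep:
            out[k.strip().lower()] = v.strip()
    return out


def check_dkim(selector, domain):
    recs = txt(f"{selector}._domainkey.{domain}")
    if len(recs) != 1:
        return {"status": "error", "reason": f"{len(recs)} records at selector"}
    tags = tags_of(recs[0])
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"status": "error", "reason": "v= is not DKIM1"}
    if "p" not in tags:
        return {"status": "error", "reason": "no p= tag (typo?)"}
    if tags["p"] == "":
        return {"status": "error", "reason": "empty p= means the key is revoked"}
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return {"status": "error", "reason": "p= is not valid base64 (typo?)"}
    return {"status": "ok", "key_type": tags.get("k", "rsa")}


def check_dmarc(domain):
    recs = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {"status": "error", "reason": f"{len(recs)} DMARC records"}
    tags = tags_of(recs[0])
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return {"status": "error", "reason": f"bad p= value {tags.get('p')!r}"}
    return {"status": "ok", "policy": tags["p"], "rua": tags.get("rua")}


def nonsending_locked_down(domain):
    """First victory: a domain that never sends mail should say so in DNS."""
    return spf_records(domain) == ["v=spf1 -all"] and check_dmarc(domain).get("policy") == "reject"


if __name__ == "__main__":
    for d in ("a.com", "b.com", "parked.com"):
        print(d, check_spf(d), check_dmarc(d))
    for sel in ("s1", "s2", "s3"):
        print(sel, check_dkim(sel, "b.com"))
    print("parked.com locked down:", nonsending_locked_down("parked.com"))
```

Run it and a.com reports the permerror for its two records, b.com reports 14 lookups against a limit of 10, the first two DKIM selectors fail on the typos, and parked.com comes back locked down. The lookup counter is the part worth keeping: each vendor include you add later (see the EaaS slides) brings its own nested includes, and the limit is reached faster than most teams expect.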
THE SNEAK
• Tracking down multi-national or business-unit (BU) EaaS affiliations.
• Tracking down business-cycle-specific emails: the quarterly or annual mailing that shows up in the reports only once.
NICKEL & DIME
• EaaS vendors who issue SOWs or charge extra to support DMARC (custom SPF and DKIM for your domain instead of theirs) for your domains.
SABOTAGE
• Bad code that will cause your DMARC evaluations to fail. Usually DKIM related: anything that modifies the message after it has been signed breaks the signature.
• DMARC telemetry system failures.
YOUR OWN ORGANIZATION
• Bad email practices from within.
Know Your Weaknesses
Where will DMARC not help?
• Misspelled (lookalike) domains: DMARC only covers domains you control.
• Compromised partner email accounts: the mail genuinely comes from the partner’s domain and passes their DMARC.
• LISTSERV and other mailing lists, forwarders and assorted email hops that rewrite the message (breaking DKIM) or resend it from a new IP (breaking SPF).
Use your powers
What can help you save the world?
• Centralize your mail flow.
• Leverage subdomains or…
• …use vanity domains.
A Hero’s Work is Never Done
• Take an iterative approach. Move domains to reject as soon as you can; show the benefits when malicious use is blocked or drops to zero for that domain.
• Headlines in the News: Tell everyone you’re protecting your members directly, not just mitigating business risks.
• Constant Vigilance: Get DMARC into your standards, policies, and business use cases. Get your marketing and corp comm teams familiar with DMARC, why it’s important and how it benefits their delivery rates.
What’s that in the sky?! A bird? A plane? It’s BIMI!
• After you get to p=reject.
• Your logo will appear next to your emails in your customers’ inboxes.
• In beta (as of 2019).
• Requires rights to use a logo and (after go-live) a certificate, the Verified Mark Certificate, to prove that you own the logo.
• https://authindicators.github.io/rfc-brand-indicators-for-message-identification/
• Microsoft is doing their own thing: https://business.microsoft.com/
Image Source: Yahoo! Mail
Our Members deserve trustworthy communications.
Start with the easy wins; iterate; don’t let up.
Laughing about fictitious comic book villains will help you have fun implementing DMARC.
Be the hero!
Email me: info@steveocodez.com
© 2019 Stephen Mitchell and Matthew Bielewicz. Except where otherwise noted, “Your Customers Need A Hero - Save Them From Internet Villains With DMARC” is licensed under a Creative Commons Attribution 4.0 International License. http://creativecommons.org/licenses/by/4.0/
