A recent event in Washington D.C. brought together the Global Cyber Alliance (GCA), the Cybersecurity Tech Accord (CTA), the Department of Homeland Security (DHS), and the Department of Justice (DoJ) to acknowledge the importance of email authentication in securing the online world. The event coincided with the one year anniversary of the DHS BoD 1801 – a Binding Operational Directive instructing the Federal government to adopt email and web security standards including DMARC.
dmarcian’s founder, and one of the primary authors of the DMARC specification, Tim Draegen, was invited to speak on a panel regarding the importance of DMARC in securing email. Below are his comments and responses to questions provided at the event.
Why is DMARC important in ensuring the security of email?
TD: About the importance of DMARC: it solves a problem that has always been with email: basic identity. Prior to DMARC, there wasn’t a consistent way to determine if a piece of email is real or not.
It’s hard for me to imagine any security model that doesn’t have at its core some ability to tell if something is legitimate or not. Because of my lack of imagination, I think DMARC – or some ability to tell if email is real or not – is required to even talk about email security.
Important? Yes. But it feels weird to say. Like saying wings are important to an airplane. That’s weird, right?
OK. Why is DMARC an important part of securing email? Without DMARC, the world of email is stuck trying to filter out the bad stuff. Not only is there a lack of something good to build on, but by and large filtering removes all but the most harmful stuff. The leftover stuff – the most harmful stuff – is kept for normal people to try to figure out if its real or not. That’s a terrible situation!
With DMARC, the model gets flipped on its head. Instead of filtering out bad stuff, start by pulling out known & wanted email, then feel free to scrutinize the crud out of what is left over. Over time, as DMARC adoption continues, the leftover pile contains less and less wanted email until – at some point in the future – the whole pile can be tossed out.
I have one last thing: as a control, DMARC is based on the email domain – everything after the @ sign. The email domain is usually in use across an entire organization, which means the scope of the work can touch the entire org.
To get DMARC into place, organizations have to go through and make sure all legitimate email using the domain is compliant with DMARC. In our experience, the process of rolling out DMARC provides an excellent opportunity to build a better security posture into an organization. The rollout process itself isn’t even really that technical. Aside from a bunch of bad information on the Internet about how DMARC and the tech it builds upon works, there are clean ways to manage the technology that do not require spending large amounts of money on black-box automation software.
When done right, deploying DMARC is largely a business and operational cleanup process that puts in place a bunch of really nice things: DMARC compliance, improved vendor and infrastructure management, internal controls on how email is sent on behalf of the organization, well-defined escalation paths, a framework to manage online assets like Internet domains, and tools to manage the risk involved in operating an online presence. These are all things that get implemented as happy accidents along the way.
An industry colleague last week told me that DMARC is having far more of an impact than it should based on what is written down in the tech spec. I think this is true as DMARC happens to site a neat intersection of email, Internet domains, compliance, risk management, and security. One can look at a specific slice of data – like as is published today by the GCA – and see the benefits of DMARC. But if rolled out in a specific way, all of the different slices of benefits add up to a significantly improved security posture. Because of this, in my opinion DMARC is pretty important to email security.
So what's the challenge? DMARC is increasing and being widely deployed, with lots of room for growth. Is it merely a question of time?
TD: Given enough time, good ideas tend to get implemented. However, DMARC adoption has always been a combination of: minimizing the investment and increasing the return. Improving each should cause DMARC adoption to increase, and there are a lot of ongoing activities to do this. In preparing for this panel, one key item did stand out:
GCA has great tools to help people get started. Once turned on and data starts to flow, people then get very little guidance. Without guidance, people end up having to spend way too much time doing research, talking with vendors, and trying to sift through mountains of junk just to get an understanding of what needs to be done.
Everyone just wants to get the work done.
Unfortunately, some vendors are using DMARC as a stepping stone to selling other stuff not exactly related to DMARC. Other vendors are inflating aspects of DMARC deployment to sell a product that locks people into a proprietary solution – all to drive up vendor valuations for a glorious exit event. Still other vendors are more like consultants that bill by the hour and do not want to simplify the work.
If you’re trying to figure out what work needs to be done, at best you spend an awful amount of time learning about DMARC; at worst you end up being taken in by a story and overpaying for work that isn’t in your best interest.
I think this is a big challenge. Meeting it would go a long way to reducing the “Investment” part of the equation. The right guidance by the right organization could significantly push up the “Return” part of the equation. Less investment with far better return. That means accelerated adoption, right?
How can we all help DMARC scale? Governments requiring its use? More assistance?
TD: Government requirement definitely speeds things up. However, a requirement without support is sort of like inventing neat technology but not bothering to go out and advocate for it. Arguably, the difficult part is the long slog of advocating and waiting for the gears to turn. That part is annoying.
Last thing, I spoke about the big challenge earlier. Publishing guidance on what to expect after DMARC data is turned on is needed. With shared or common guidance, communities of people could then get together to work on their own deployments while helping each other out over some of the bumps.
What is the future for DMARC & email security? Will we ever be able to open attachments? What puzzle pieces are not part of DMARC?
TD: The future of DMARC? Global adoption. Built into the Internet.
The future of email security… I don’t think it gets very interesting until email clients – the things people use to read email – are worked on in a smart way. What I mean is, web browsers have the W3C. The email world has no similar forum where people get together to make email clients better across the board. These pieces are not part of DMARC, but until actual end users get better tools for working with email, there’s only so much that can be done. At least DMARC gives email clients something to build on.
I’d like to thank the GCA for the work they do in increasing awareness of initiatives and technologies that make online life a little better. Things like DMARC are not products and do no have the backing of corporate PR and marketing teams to push them. Some companies do spread the news, but those companies are either anomalies or far more commonly they tell the DMARC story only in a specific way to shine a light on the product they’re selling. As I spoke about earlier, this muddies the waters. In contrast, the GCA has been telling a very clear story around the world about what is possible. From my seat, the impact of their work is obvious, even more so once one gets outside of the United States. So, thank you Global Cyber Alliance!
– Tim Draegen
More information on the panel can be found here: