Federal Agencies Recommend DMARC Policy Enforcement
The Federal Bureau of Investigation (FBI), the Department of State, and the National Security Agency (NSA) have released a security advisory titled North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. The agencies warn that attackers from the Kimsuky group are seeking out domains with the non-enforced DMARC policy of p=none to orchestrate social engineering intrusions.
p=none Isn’t Enough
This warning not only affects domains that may be in the crosshairs of Kimsuky, but any domain with a p=none DMARC policy, which is just the first step in deploying DMARC. The p=none policy is intended as a monitoring phase and has no effect on restricting the unauthorized use of the email domain to prevent phishing.
Read these best practices for progressing your domains to an enforced DMARC policy
Unfortunately, DMARC policies often remain at this initial unenforced state because some regulatory guidelines currently only requiring p=none have been met. We’ve seen this in Google and Yahoo’s updated sender requirements, where organizations, particularly small- and medium-sized businesses, satisfy the mandate and go no further.
When an organization securely configures a DMARC policy, it helps ensure malicious actors, like Kimsuky, are unable to spoof the organization’s legitimate email domain when sending spear phishing messages to a target.
FBI, NSA, Dept. of State
We’ve also noticed that domain catalog complexity and a lack of domain management expertise can come into play when trying to advance DMARC policies beyond p=none. Some domain catalogs grow organically without the knowledge of the organization’s IT group. Without DMARC, shadow IT that sends email on the organization’s domain flies under IT’s radar and presents a domain security risk. A poor understanding of email sources can also freeze DMARC policy progression; to help with that, we have a directory that lists DMARC-related email sources so domain owners can figure out if a source is capable of sending DMARC-compliant email.
DMARC Policy Enforcement
“Missing DMARC policies or DMARC policies with p=none indicate that the receiving email server should take no security action on emails that fail DMARC checks and allow the emails to be sent through to the recipient’s inbox,” reads the jointly issued advisory. “In order for organizations to make their policy stricter and signal to email servers to consider unauthenticated emails as spam, the authoring agencies recommend mitigating this threat by updating your organization’s DMARC policy to one of these two configurations:
- v=DMARC1; p=quarantine;
p=quarantine indicates that email servers should quarantine emails that fail DMARC, considering them to be probable spam. - v=DMARC1; p=reject;
p=reject instructs email servers to block emails that fail DMARC, considering them to be almost certainly spam. In addition to setting the p field in DMARC policy, the authoring agencies recommend organizations set other DMARC policy fields, such as rua to receive aggregate reports about the DMARC results for email messages purportedly from the organization’s domain.”
Learn about common DMARC mistakes to help make your DMARC project easier.
How dmarcian Can Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. You can register for our 30-day trial, where our onboarding and support team will help you along the way.
Want to continue the conversation? Head over to the dmarcian Forum.
