DMARC Prominent in Interagency Phishing Guidance

Categories: Ecosystem News, Email Security Insights, Email Technology

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Phishing Guidance: Stopping the Attack Cycle at Phase One to provide guidance in the ongoing battle against phishing attacks.

The guidance is relevant to all organizations, though it may pose challenges for those with limited resources. To address this, the guide includes a section of suggestions tailored to small- and medium-sized businesses that may lack a dedicated IT staff to consistently combat phishing threats.

For software manufacturers, the emphasis is on adopting secure-by-design and secure-by-default strategies. The guidance encourages software companies to create and deliver software that is resistant to common phishing threats, ultimately enhancing the cybersecurity resilience of their customers.

In the phishing mitigation guidance for all organizations, CISA, NSA, FBI, and MS-ISAC recommend organizations implement DMARC and other controls to reduce the chance of login credential phishing. Specifically, they recommend the following relative to DMARC:

  • Enable DMARC for received emails.
    • DMARC, along with SPF and DKIM, verifies the sending server of received emails by checking published rules. If an email fails the check, it is deemed a spoofed email address, and the mail system will quarantine and report it as malicious.
    • Multiple recipients can be defined for the receipt of DMARC reports.
    • These tools reject any incoming email that has a domain that is being spoofed when a DMARC policy of reject is enabled.
  • Ensure DMARC is set to p=reject for sent emails. This provides decisive protection against other users receiving emails that impersonate a domain.
    • Spoofed emails are rejected at the mail server prior to delivery.
    • DMARC reports provide a mechanism for notifying the owner of a spoofed domain, including the source of an apparent forger (information they would not receive otherwise).
    • Enable DMARC policies to lower the chance of cyber threat actors crafting emails that appear to come from your organization’s domain(s).
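To make the receiving-side behaviour in the bullets above concrete, here is an added example (not code from the guidance or from dmarcian) that parses a DMARC TXT record, lists its report recipients, flags a policy weaker than p=reject, and computes the disposition a receiver would apply to a message from its SPF/DKIM results and identifier alignment. The domains (example.com, weak.example, attacker.example) and the records in RECORDS are constructed for the example; no DNS lookups are made, and organizational-domain detection is simplified to the last two labels rather than using the Public Suffix List.

```python
"""DMARC record parsing and disposition evaluation on constructed inputs.

Added illustration; runs offline. The records below are invented for the
example and are not real DNS data.
"""
from __future__ import annotations

# Constructed DMARC records keyed by the RFC5322.From domain (hypothetical).
RECORDS = {
    "example.com": (
        "v=DMARC1; p=reject; "
        "rua=mailto:dmarc@example.com,mailto:reports@example.net; "
        "adkim=s; aspf=r"
    ),
    # A monitoring-only record: receivers take no action on failures.
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tags and apply RFC 7489 defaults."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must come first)")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    tags.setdefault("adkim", "r")   # DKIM alignment: relaxed by default
    tags.setdefault("aspf", "r")    # SPF alignment: relaxed by default
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p=
    return tags


def report_recipients(tags: dict[str, str]) -> list[str]:
    """Aggregate-report (rua=) destinations; several may be comma separated."""
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]


def findings(tags: dict[str, str]) -> list[str]:
    """Gaps relative to the guidance: enforce p=reject and collect reports."""
    out = []
    if tags["p"] != "reject":
        out.append(f"policy is p={tags['p']}, guidance recommends p=reject")
    if not report_recipients(tags):
        out.append("no rua= address, so spoofing attempts are never reported")
    return out


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, spf_pass_domain: str | None,
             dkim_pass_domains: list[str], tags: dict[str, str]) -> str:
    """Disposition a receiver applies: 'pass', or the domain owner's p= value
    ('none', 'quarantine', 'reject') when no authenticated identifier aligns."""
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"])
                  for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    for domain, record in RECORDS.items():
        tags = parse_dmarc(record)
        print(domain, "reports to", report_recipients(tags), findings(tags))
    strong = parse_dmarc(RECORDS["example.com"])
    # Forged From: header, attacker's own SPF/DKIM pass: identifiers don't align.
    print(evaluate("example.com", "attacker.example", ["attacker.example"], strong))
```

The third case in the usage block is the one the guidance cares about: the attacker's mail may pass SPF and DKIM for attacker.example, but neither identifier aligns with the forged example.com From domain, so the published p=reject is applied and the message is rejected before delivery, while the same forgery against weak.example (p=none) is merely reported.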

In the section of the guidance addressing software manufacturers, the federal agencies recommend incorporating secure-by-design and secure-by-default practices into software development to lower the risk of phishing attacks against their customers. One of those practices is DMARC, as follows:

  • Provide email software with DMARC enabled for received emails by default.
  • Provide email software with DMARC configured to p=reject for sent emails by default.

With the recent release of Secure by Design, a roadmap for software manufacturers to prioritize product security integration, CISA and international partners recognize that vulnerabilities in off-the-shelf software can provide an open door to networks that leads to crippling cyber intrusions.

"Knowing how to navigate phishing danger is essential because anyone can fall victim to these attacks. Cyber threat actors are constantly evolving their techniques and harnessing new technologies to their advantage, including artificial intelligence. They are also finding it easier to deceive people who have transitioned to hybrid work environments and have fewer face-to-face interactions."

Eric Chudow, NSA's Cybersecurity System Threats & Vulnerability Analysis Subject Matter Expert

Whether you're an enterprise, a small- or medium-sized business, or a software manufacturer, DMARC is the primary control for observing and restricting how your email domains are used, and it helps legitimize your and your customers' email.

With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
