DMARC: Zero Trust Email
Over the past year, we have witnessed a flurry of interest in Zero Trust Architecture after President Biden released the Executive Order on Improving the Nation’s Cybersecurity.
The executive order directs federal agencies to “develop a plan to implement Zero Trust Architecture.” The executive order notes that “the Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
Zero Trust Architecture is gaining steam but what exactly is it? In the simplest terms, Zero Trust means that users, devices, networks, services and software shouldn’t be trusted inherently. This model requires privileged access and ceaseless identity verification.
When the internet—a massive network of networks—was being developed, attention was focused on connectivity among networks and the devices interacting with them. This primary focus on interconnectivity is the internet’s great strength and, as it turned out, a great weakness in the realm of trust. Like email, this vast network of networks wasn’t built with native security to stop cyber attacks.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC’s original use case is that of verifying identity to fight email fraud. DMARC provides visibility of how a domain is used and prevents unauthorized senders from sending email on behalf of an organization; as a result, domain trust is built. With this trust comes email reliability—DMARC is the foundation for authoritative email delivery and often the first step taken to resolve email delivery issues.
Historically, email defense has consisted of filtering out malicious and nuisance email. Huge markets exist to provide countermeasures to the latest email threat—anti-spam, anti-phishing, anti-BEC, anti-malware, and anti-spoofing.
DMARC and the zero trust email security model it represents is not a product. One does not simply buy DMARC, place it into a datacenter, and pay an annual license fee. DMARC is an interoperability security standard that describes how operators and the internet can work together to bring stable, trustworthy domain-level identifiers to email.
With DMARC deployed at a compliance (enforcing) level, every email sending service and contact is treated as untrustworthy unless it is unequivocally recognized as legitimate through the SPF, DKIM and DMARC protocols: the message must pass SPF or DKIM, and the passing identifier must align with the domain in the visible From: header. With this control in place, people receiving email from an organization with DMARC compliance can trust that it comes from where it says it does.
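To make the "untrusted unless recognized" decision concrete, here is an added example (not dmarcian's code, and not a complete DMARC implementation) that models how a receiver turns SPF and DKIM results into a DMARC verdict. It assumes the receiver has already evaluated SPF and DKIM, and it simplifies the organizational domain to the last two labels instead of consulting the Public Suffix List.

```python
# Added example: minimal DMARC verdict logic for one message.
# Assumptions: SPF/DKIM have already been checked by the receiver; the
# organizational domain is approximated as the last two labels (real
# receivers use the Public Suffix List); the pct= tag is ignored.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """True if an SPF/DKIM-authenticated domain aligns with the From: domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":                       # strict: exact match required
        return a == f
    return org_domain(a) == org_domain(f)  # relaxed: same organization

def evaluate_dmarc(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_result, disposition) for one message.

    spf_pass_domain: MAIL FROM domain that passed SPF, or None.
    dkim_pass_domains: d= values of DKIM signatures that verified.
    Only an *aligned* pass counts; unaligned passes are ignored, which is
    the "filter in good" rule: no recognized identity, no trust.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = aligned(spf_pass_domain, from_domain, rec["aspf"])
    dkim_ok = any(aligned(d, from_domain, rec["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", rec["p"]  # p= tells the receiver what to do with failures

if __name__ == "__main__":
    # Constructed sample: a spoof that passes SPF for its own domain only.
    print(evaluate_dmarc("v=DMARC1; p=reject", "example.com",
                         spf_pass_domain="attacker.example.net"))
```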
The Intersection of DMARC and Zero Trust
The idea that Zero Trust eliminates implicit trust and requires continuous verification is where we find the intersection of DMARC and Zero Trust. DMARC has been a Zero Trust email security model since its inception—ten years and counting.
DMARC integrates with Zero Trust as a control that lets legitimate email in the front door so people don’t have to be trusted to decide if it’s real or a scam.
DMARC’s utility as an anti-spoofing technology stems from a significant innovation—instead of attempting to filter out malicious email, why not provide people with a way to easily identify legitimate email? In effect, DMARC’s promise is to replace the fundamentally flawed “filter out bad” email security model with a “filter in good” model.
— Tim Draegen, dmarcian founder and DMARC coauthor
Because email is the attack vector involved in more than 90% of online fraud, DMARC must be central to any Zero Trust implementation to provide visibility, protect individuals and create trustworthy domains.
If you need any help with deploying DMARC, we’re here to help. You can get in touch with us or register for a free trial with no strings attached. Feel free to use our DMARC research and testing tools; they are available to everyone, even if you don’t have a dmarcian account.
Want to continue the conversation? Head over to the dmarcian Forum.