Guest post by Tom S, Academia lead, the Mail Check Team, NCSC Active Cyber Defence
Cyber security is improving in many areas, but the adoption of DMARC anti-spoofing is still too low. NCSC tools and tips gathered from around the community can help, as this guest post from Tom S, Academia lead in NCSC’s Active Cyber Defence Mail Check Team, explains.
Why DMARC matters
At NCSC we are committed to making the UK the safest place to live and work online, and one of the areas we care deeply about is the implementation of strong email anti-spoofing controls (SPF, DKIM and DMARC) – they sit in ‘layer one’ of our guidance on phishing and can drastically reduce the success of phishing emails. Email is still a significant vector for cyber attacks – and this has been a particular challenge since Covid-19. Though many of your organisations will have SPF configured, this is not going far enough; you need to work towards a strong DMARC policy – and NCSC can help you with this.
NCSC Mail Check proven in helping the public sector
At NCSC we can provide advice on strengthening your email policies and are now offering our free online tool Mail Check to Universities and Colleges. We’ve done this already for central and local government, with 80% actively using DMARC. Currently universities and colleges are a long way behind that – but we’ve had a fantastic initial response from many of you in the last couple of months so we’re hoping to see the numbers go up!
About SPF, DKIM and DMARC
I want to make sure in this blog I cover the practical stuff, so I’m not going to go into all the theory – our video and guidance are available if you need to know more. Here is the short version, to get you started:
- SPF (Sender Policy Framework) allows you to publish IP addresses of mail systems that send out emails for you and should be trusted for your domain.
- DKIM (DomainKeys Identified Mail) allows you to cryptographically sign email you send to show it’s from your domain.
- DMARC (Domain-Based Message Authentication, Reporting and Conformance) allows you to monitor whether emails from your domains are passing or failing validation checks, and tell a receiving email server how to handle untrusted emails (Pass it on? Send to spam? Block?).
Practical lessons from across the community
I’ve spoken to quite a few of you now about the practical challenges of implementing DMARC – thank you to all those I have spoken to so far – happy to hear any other words of wisdom and war stories! Specific mention must go to Mike from the University of York – he was one of the first to adopt DMARC and gave me the full story over a video conference (whilst sitting proudly on the bridge of the ‘Liberator’ from one of his favourite cult Sci-Fi TV shows ‘Blakes 7’). Mike also helped write this blog.
What have we learnt so far from Mike in York and others we have been speaking to? Here goes…
Don’t put it off – setting up monitoring is quick
Some of you are daunted about the path ahead: unclear how much effort might be required. But you won’t know what you are facing until you get started and size up the problem. Getting started is pretty quick. Signing up to Mail Check takes minutes (and did I mention it’s free?!) – and once you have made a quick change to your DNS record, you will have visibility of your emails passing or failing SPF and DKIM validation, as well as how much domain abuse you may already be experiencing. Setting up this DMARC policy of ‘none’ just gathers information; it doesn’t affect your flow of emails.
Become a detective (Mail Check can help!)
Most organisations we speak to about DMARC are the same – from Local Authorities to Universities to banks. There are a lot more systems sending out emails than you realised, and departments (…you know who you are) sign up for new cloud services all the time without consulting anyone in the IT or security team. You may also have a number of academic mailing lists to contend with.
In this discovery phase you will be doing two things. First, analysing your data. A tool like Mail Check will highlight which systems are in use, and how they are configured. Second, (in Mike’s words) ‘Publicity, publicity, publicity’. You will also need to reach out across your organisation to register who is using what and get them bought into what you are trying to achieve.
Explaining the benefits
People are happier to co-operate if they understand the benefits. Emphasise that introducing DMARC brings two wins: it better protects against phishing emails forged to look like they’re from your organisation, and it helps get your outgoing messages delivered more reliably. Need help? When you sign up to Mail Check, we will be able to provide additional materials to help you engage your colleagues.
Don’t rely on SPF alone
Many organisations try to rely on SPF alone, but then later run into issues. SPF is prone to break as emails get forwarded around, and there are limits on the size of your SPF record. DKIM is a stronger method of validation in which you digitally sign your emails, and whilst in the early days of DMARC this wasn’t well supported by suppliers, there is much better support out there now.
We often see organisations take a pragmatic approach – usually involving implementing both SPF and DKIM on their key email systems (Office 365 or Google etc.), but then layering up SPF and DKIM on other systems taking account of priority and effort.
Use sub-domains to your advantage
Our experience is that almost all larger organisations are going to need to use sub-domains to help. Establishing separate policies for sub-domains (allocated to finance systems, marketing systems etc.) helps to avoid SPF constraints (you don’t have to put everything into one SPF record), as well as avoiding troublesome systems holding you up, so you can move over to a strong DMARC policy on your main domains, and then deal with those other systems at a slower pace.
Turning the handle
You can now work away at each of your systems in priority order. We often see that successful organisations chip away at improvements in parallel with other work, rather than waiting for a gap in their project activity (that never materialises). Set yourself a realistic set of tasks to complete every fortnight and put a review meeting in the diary every fortnight to check how you are progressing and forecast ahead. Most activities will take hours, rather than days.
Dealing with complications
You are likely to come across some specific challenges as you implement DMARC – Mail Check will guide you on these points (and if you need help get in touch… details at the end of this blog post):
- Looks like you’re passing SPF and/or DKIM, but you’re failing DMARC? Most of the time this is a problem with ‘alignment’. For an incoming message to pass DMARC it must pass SPF, DKIM or both. But that’s not sufficient! DMARC enhances both tests by requiring alignment. This checks that the domains used in the SPF and DKIM tests match that in the ‘Header from’ address. For example, you will fail alignment if you’re DKIM signing your email from ‘uniorcollege.onmicrosoft.com’ but the ‘header from’ address is ‘uniorcollege.ac.uk’.
- Forwarded mail. Forwarded emails don’t always play nicely when you implement DMARC – headers, signatures and IP addresses can change with each hop. You won’t be able to achieve perfection when it comes to forwarded mail, but if you are using Office 365 or G Suite, it’s worth checking you have switched on SRS (Sender Rewriting Scheme) and ARC (Authenticated Received Chain).
- Mailing lists. Google Groups and other mailing lists are used a lot in this sector – Mail Check will help with tips and tricks to get these working with DMARC.
- Parked domains. Attackers can still go for domains that aren’t used for email. Even those ‘vanity domains’ you were forced to buy for the ‘Department of cheesemaking’. The good news is these are quick to fix – our guidance shows you how.
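The alignment check from the first point above, as an added example (not NCSC or Mail Check code). It goes slightly beyond the text by covering both the relaxed and strict alignment modes defined in RFC 7489; the bounce domain and the three-entry suffix list are constructed for illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"uk", "ac.uk", "com"}


def org_domain(domain):
    """Organisational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD


def aligned(auth_domain, header_from, strict=False):
    """Strict needs an exact match; relaxed compares organisational domains."""
    a = auth_domain.lower().rstrip(".")
    f = header_from.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


def dmarc_result(header_from, spf_pass, spf_domain, dkim_pass, dkim_domain,
                 aspf_strict=False, adkim_strict=False):
    """DMARC passes if SPF or DKIM passes AND that domain aligns with Header From."""
    spf_ok = spf_pass and aligned(spf_domain, header_from, aspf_strict)
    dkim_ok = dkim_pass and aligned(dkim_domain, header_from, adkim_strict)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    frm = "uniorcollege.ac.uk"
    bounce = "bounces.example.com"  # constructed third-party envelope sender
    # The case from the text: SPF and DKIM both pass, but neither domain aligns.
    print(dmarc_result(frm, True, bounce, True, "uniorcollege.onmicrosoft.com"))
    # Signing with the organisation's own domain fixes DKIM alignment.
    print(dmarc_result(frm, True, bounce, True, "uniorcollege.ac.uk"))
    # A sub-domain signature aligns in relaxed mode but not in strict mode.
    print(dmarc_result(frm, True, bounce, True, "mail.uniorcollege.ac.uk"))
    print(dmarc_result(frm, True, bounce, True, "mail.uniorcollege.ac.uk",
                       adkim_strict=True))
```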
Don’t drag it out
Mike’s words, but very much echoed by many other organisations we speak to. Once the core of the work is done (and by the very nature of email things won’t be perfect), you shouldn’t drag out the decision to get to quarantine. This must be a necessary calculated risk. In Mike’s case, they were anticipating some issues with legitimate emails being quarantined but felt on balance that the benefits of now strengthening their DMARC position outweighed the risks. Over a period of 4 weeks they dialled up gradually through to a policy of quarantine and then to reject. Our guidance explains how. They had a couple of users ring in with issues, which were quickly resolved, but overall the experience wasn’t that bad with far fewer support calls than anticipated.
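To make the stages of that dial-up concrete, here is an added example (not NCSC or Mail Check code) that reads a DMARC TXT record and states what it asks receivers to do with failing mail. It assumes the gradual step is done with the standard `pct` tag and that sub-domains are held back with `sp`, neither of which the post names; the records and the `rua` mailbox are constructed.

```python
# Added example: interpret a DMARC TXT record at each rollout stage (RFC 7489 tags).
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse 'tag=value; ...' and validate the tags this example relies on."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy not in POLICIES:
        raise ValueError("invalid sp= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    return {"p": policy, "sp": sub_policy, "pct": pct, "reports": "rua" in tags}


def receiver_action(record, is_subdomain=False):
    """Describe how failing mail is handled for the domain or a sub-domain."""
    policy = record["sp"] if is_subdomain else record["p"]
    if policy == "none":
        return "monitor only: failing mail is delivered as normal"
    if record["pct"] == 100:
        return f"{policy} all failing mail"
    # Mail outside the pct sample gets the next weaker treatment (RFC 7489, 6.6.4).
    rest = "delivered as normal" if policy == "quarantine" else "quarantined"
    return f"{policy} {record['pct']}% of failing mail; the rest is {rest}"


# Constructed records for the post's illustrative domain; the rua mailbox is made up.
STAGES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@uniorcollege.ac.uk",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@uniorcollege.ac.uk",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@uniorcollege.ac.uk",
]

if __name__ == "__main__":
    for txt in STAGES:
        rec = parse_dmarc(txt)
        print(receiver_action(rec), "|", receiver_action(rec, is_subdomain=True))
```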
It’s an ongoing challenge, particularly in a world where cloud IT services can be signed up to for free in 4 minutes by someone in your marketing department (everyone I’ve spoken to has experienced this!). Many I’ve spoken to are working to control this (York use a ‘Cloud Risk Assessment’ process), putting in checks and balances and avoiding proliferation of IT across your estate.
Mail Check sign in or register: https://www.mailcheck.service.ncsc.gov.uk
Mail Check info page and video:
NCSC Email security guidance:
NCSC Phishing guidance:
Contact the Mail Check team: email@example.com