Complete Guide to Google Workspace DMARC Record Setup | Mimecast

We’re all familiar with phishing schemes that lure users into entering their passwords, credit card numbers, or other sensitive information, which is then stolen for nefarious purposes. The vehicle for these schemes is often an email message that spoofs the sender’s domain.

If the spoofed domain is your brand's, it puts your supply chain and reputation at risk, and if multiple recipients report the message as spam, legitimate messages sent from your organization can end up in recipients' spam folders.

This type of brand impersonation is a growing problem. Mimecast's 2021 Brand Protection Status research shows that, on average, there were 44% more phishing emails per month inbound to Mimecast customers in 2020 than in 2019. Additionally, in Mimecast's State of Email Security 2021 (SOES) report, more than three in four companies surveyed (76%) experienced at least one email or web phishing attack in 2020 that used their domains or a similar one, and 25% saw 10 or more.

If your organization uses Google Workspace (formerly G Suite) for Gmail and other services, you can use the DMARC protocol, together with your DNS records and the receiving mail servers that check them, to prevent spoofing of your branded domains.

What is a DMARC record?

A Domain-based Message Authentication, Reporting and Conformance (DMARC) record tells a receiving email server exactly what to do when an email message from your brand's domain fails authentication.


DMARC works with two email authentication methods: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF lets you specify which IP addresses are authorized to send email for your domain. DKIM adds a digital signature to outgoing messages. The receiving server uses SPF to authenticate the message as coming from a trusted source and DKIM to verify that the message hasn't been tampered with along the way.

Google Workspace DMARC policies

A DMARC record must specify a policy: the action the receiving server should take if incoming email fails SPF or DKIM authentication. There are three Gmail DMARC policy options:

  • none: Deliver the message normally.
  • quarantine: Send the message to the recipient's spam folder, or to quarantine if a quarantine option is configured.
  • reject: Do not deliver the message. The receiving server will often notify the sender that the message was rejected.

Google Workspace recommends using the "none" setting at first and carefully reviewing the reports. Then, as you identify illegitimate versus legitimate senders for your domain (marketing partners, for example, who send email on your behalf), Google suggests tightening the policy to quarantine and finally to reject. Regardless of the policy chosen, you can configure the DMARC record to request that receiving email servers send reports indicating which servers are sending email for your domain and the percentage of messages that pass or fail authentication.


Optionally, a second setting called alignment can be configured separately for SPF and DKIM. The possible values are "strict" and "relaxed", and they have slightly different effects for SPF and DKIM.

For SPF, the options are:

  • strict: The domain SPF authenticated (the message's envelope sender domain) must exactly match the domain in the message's From header.
  • relaxed: Partial matches, including subdomains of the From domain, are acceptable.

For DKIM, the options are:

  • strict: The From header domain must exactly match the d= domain in the DKIM-Signature header.
  • relaxed: Partial matches, including subdomains, are accepted.
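The two alignment modes above are easiest to see in code. The following is an added example written for this article (it is not Google's or Mimecast's code): it takes the outcome of the SPF and DKIM checks as input and applies the strict/relaxed comparison to the From header domain, then combines them into the DMARC verdict. It also goes one step beyond the text by showing why a message that carries the attacker's own valid SPF and DKIM still fails DMARC. All domain names are constructed sample values, and `organizational_domain` is a simplified stand-in for the Public Suffix List lookup a real verifier performs.

```python
"""DMARC identifier alignment under strict and relaxed modes.

Added example for this article; it is not Google's or Mimecast's code and
does not perform SPF or DKIM verification itself. It takes the outcome of
those checks as input and applies the alignment rules of RFC 7489 section
3.1 to the domain in the message's From header. All domain names below are
constructed sample values.
"""


def organizational_domain(domain):
    """Approximate the organizational domain as the last two DNS labels.

    Assumption: real DMARC verifiers consult the Public Suffix List so that
    names like 'example.co.uk' resolve correctly; that list is not embedded
    here, so this helper is only right for simple two-label suffixes.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Return True if auth_domain aligns with from_domain.

    mode is 's' (strict: exact match) or 'r' (relaxed: same organizational
    domain). A missing auth_domain (no identifier authenticated) never aligns.
    """
    if not auth_domain:
        return False
    fd = from_domain.lower().strip(".")
    ad = auth_domain.lower().strip(".")
    if mode == "s":
        return fd == ad
    if mode == "r":
        return organizational_domain(fd) == organizational_domain(ad)
    raise ValueError(f"alignment mode must be 'r' or 's', got {mode!r}")


def evaluate_dmarc(from_domain, spf_domain, spf_result, dkim_domain, dkim_result,
                   aspf="r", adkim="r"):
    """Combine SPF and DKIM outcomes into a DMARC verdict.

    DMARC passes when at least one mechanism both verified ('pass') and is
    aligned with the From domain; a valid signature from an unrelated domain
    does not help a spoofed message.
    """
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Constructed scenarios; every message claims From: someone@example.com
    cases = {
        "own bounce subdomain, relaxed":
            ("example.com", "bounce.example.com", "pass", None, "none", "r", "r"),
        "own bounce subdomain, strict":
            ("example.com", "bounce.example.com", "pass", None, "none", "s", "s"),
        "DKIM signed by example.com, SPF failed":
            ("example.com", "example.com", "fail", "example.com", "pass", "r", "r"),
        "spoof carrying the sender's own SPF and DKIM":
            ("example.com", "attacker.invalid", "pass", "attacker.invalid", "pass", "r", "r"),
    }
    for name, args in cases.items():
        print(f"{name}: {evaluate_dmarc(*args)['dmarc']}")
```

The second scenario is the practical reason most deployments start with relaxed alignment: a bulk mailer or bounce handler that uses a subdomain such as `bounce.example.com` passes under relaxed mode but fails under strict, and a strict policy published before those senders are inventoried will quarantine or reject your own mail.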

Steps to configure a Google Workspace DMARC record[i]

DMARC is configured as a DNS TXT record at your domain host. The record contains tags that specify parameters for the receiving server. Each parameter is a tag-value pair; for example, to set the reject policy, the tag-value pair is "p=reject".

Following these steps will configure and publish your DMARC record:

1. Configure SPF and DKIM, then wait 48 hours before publishing the DMARC record.

2. Create the DMARC record as a single line of text with tag-value pairs separated by semicolons. The accompanying table lists sample tags and possible values. Note that these tags and values may vary from host to host. The v and p tags are required and must appear first; the remaining tags are optional.

3. From your domain host's administration console, locate where you can update DNS records. Enter the name of your DMARC TXT record as "_dmarc" followed by a period and your domain name; some hosts add the domain name automatically. Enter the record and save the changes.


Repeat this process for each of your domains.
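As an added example for the record-building step above (not Google's or Mimecast's tooling), the script below assembles a DMARC TXT value with `v` and `p` first, and checks a record before publication: tag order, known policy values, `mailto:` report URIs, alignment values and the `pct` range, following the tag definitions in RFC 7489. The domain, mailbox addresses and record strings are constructed sample values.

```python
"""Build and check a DMARC TXT record.

Added example for this article; it is not Google's or Mimecast's tooling.
Tag names and allowed values follow RFC 7489 section 6.3. The domain,
mailbox addresses and record strings below are constructed sample values.
"""

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}  # r = relaxed, s = strict


def build_dmarc_record(policy, rua=None, ruf=None, sp=None, pct=100, adkim="r", aspf="r"):
    """Assemble the TXT value to publish at _dmarc.<domain>; v and p come first."""
    if policy not in POLICIES:
        raise ValueError(f"p must be one of {sorted(POLICIES)}, got {policy!r}")
    tags = ["v=DMARC1", f"p={policy}"]
    if sp:
        tags.append(f"sp={sp}")
    if rua:
        tags.append(f"rua={rua}")
    if ruf:
        tags.append(f"ruf={ruf}")
    if adkim != "r":
        tags.append(f"adkim={adkim}")
    if aspf != "r":
        tags.append(f"aspf={aspf}")
    if pct != 100:
        tags.append(f"pct={pct}")
    return "; ".join(tags)


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict that preserves tag order.

    A part with no '=' is kept with value None so the checker can report it.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            tags[part] = None
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def check_dmarc_record(txt):
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    tags = parse_dmarc_record(txt)
    keys = list(tags)
    if keys[:1] != ["v"] or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if keys[1:2] != ["p"]:
        problems.append("p= must be the second tag")
    elif tags["p"] not in POLICIES:
        problems.append(f"unknown p value {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"unknown sp value {tags['sp']!r}")
    for uri_tag in ("rua", "ruf"):
        if uri_tag in tags:
            for uri in tags[uri_tag].split(","):
                if not uri.strip().startswith("mailto:"):
                    problems.append(f"{uri_tag} entry {uri.strip()!r} is not a mailto: URI")
    for align_tag in ("adkim", "aspf"):
        if align_tag in tags and tags[align_tag] not in ALIGNMENT:
            problems.append(f"{align_tag} must be r or s")
    if "pct" in tags:
        pct = tags["pct"]
        if not (pct.isdigit() and 0 <= int(pct) <= 100):
            problems.append("pct must be an integer from 0 to 100")
    for key, value in tags.items():
        if value is None:
            problems.append(f"tag {key!r} has no value")
    return problems


if __name__ == "__main__":
    # Constructed sample: the monitoring-only record the article suggests starting with
    record = build_dmarc_record("none", rua="mailto:dmarc-reports@example.com")
    print(f'_dmarc.example.com TXT "{record}"')
    print("problems:", check_dmarc_record(record))
    # Constructed broken record: p before v, and a report address that is not a mailto: URI
    print("problems:", check_dmarc_record("p=reject; v=DMARC1; rua=dmarc@example.com"))
```

After the host has saved the record, `dig TXT _dmarc.example.com` (with your own domain) shows what receiving servers will actually see; running the published string through `check_dmarc_record` catches the tag-order and URI mistakes that hosts which silently accept any TXT value do not.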

Third-party solutions for DMARC configuration

If the Google Workspace DMARC process seems daunting, the good news is that security service providers like Mimecast offer cloud-based DMARC tools. Such tools simplify DMARC setup, for example by providing wizards that create DMARC records for all your domains. Other tools validate DMARC records and produce easy-to-read reports and graphs for analyzing messages that failed authentication, as well as forensic reports for tracing the source of malicious email messages.

The bottom line

As online brand impersonation continues to grow, it is becoming a more serious concern for brands of all sizes. Configuring Google Workspace DMARC can help brands defend against email phishing schemes that impersonate their domains.

[i] See Google's DMARC instructions.
