A case study on implementing DMARC – by Rahul Powar, Co-Founder Red Sift
Since the creation of bitcoin in 2009, the concept of digital currency has at times divided the public.
Yet despite the sceptics and the naysayers, today, there are over 1100 different types of cryptocurrencies. Funds are raised for currencies via Initial Coin Offerings (ICOs) and ICO platforms maintain the listings of all active and upcoming ICOs.
The financial services industry has already been on high alert for cybersecurity attacks for years; adding this digital currency dimension further intensifies the concern. The only way to steal these assets is to hack the digital wallet or hack the mining pools, and once stolen, the ‘transaction’ cannot be undone.
Pittsburgh-based ICO Alert promotes the digital currencies for companies wishing to raise money through ICOs. It’s therefore essential that the company’s communications are trusted – as the number of ICOs grow, so too does the potential for fraud and scams.
ICO Alert is a go-to source for information regarding active and upcoming ICOs and sends and receives thousands of emails a week. Inevitably, some of their clients have been subject to phishing attacks as they’ve grown in prominence, receiving emails purporting to come from ICO Alert asking them to carry out financial transactions. As Rob Finch, CEO of ICO Alert explains, “Our email domain was spoofed and one of our clients was sent an email highlighting the specifics of a deal. The email that was sent was a perfect fake – they’d used my headshot, my email signature, and of course they’d impersonated my sender address. Luckily, we were able to intercept this deal, but we did have a couple of clients that were affected by a similar scam. We were quick to resolve the financial ramifications, but knew that we needed to bolster our existing email protection.”
Rob already had DKIM implemented, a protocol that verifies if an email is sent from a valid source by using encryption in the header of an email. But with reports of email impersonation, Rob quickly realised he also needed to implement SPF, a tool that verifies if an email is sent from a valid IP address. However, his research highlighted that neither enforced the policies so there was still potential for the ICO Alert domain to be spoofed.
Consequently, Rob started looking more deeply into the nature of the phishing attacks. He knew there had to be a way to prevent email spoofing. It was at this point he discovered DMARC – an email protocol that combines the authentication that SPF and DKIM provide to enforce an authentication policy. DMARC has been around for several years but awareness is low – astonishing given that it can potentially solve the problem of email impersonation for every organisation on the planet. Understandably, Rob was intrigued by what he found.
While DMARC is a free-to-implement protocol, services to make implementation simpler, and management easier, are available to organizations of any size. With DMARC fully deployed with external support, Rob was able to establish a policy whereby only emails from ICO Alert’s domain that passed the SPF or DKIM authentication would be DMARC-validated and would thus reach the intended recipient.
Furthermore, ICO Alert, like many other organizations of its size, sends email from multiple email services, including up to 250,000 emails from its domain each year and a further 750,000 emails being sent through MailChimp. To maintain its strong brand reputation, it was vital to ICO Alert that emails which weren’t sent directly from its domain were able to carry the same guarantee of authenticity, a concern quickly resolved with DMARC – reports generated via the protocol are able to determine which domains are correctly configured and which, if any, are spoofing yours.
Once DMARC was implemented and configured to reject emails that weren’t fully authenticated – all within two weeks – ICO Alert was seeing 100% deliverability rates and experiencing zero bouncebacks, via its MailChimp campaigns too.
By setting up DMARC, Rob concludes, “Not only has it given us complete confidence in the deliverability of our email campaigns, but now our clients can also be confident in the legitimacy of the communications they receive from ICO Alert.”