Layers of Defense: DANE and DMARC

By Shehzad Mirza, with contributions from Dennis Baaten at Internet.nl


Email was never designed with security in mind. It was just meant to send and deliver messages. Over time, cybercriminals took advantage of the email security vulnerabilities, resulting in email being used as a prime attack vector. While many mechanisms have been developed and implemented to mitigate risks, email scams such as phishing and business email compromise remain prevalent. Verizon’s 2019 Data Breach Investigation Report found nearly one-third of all data breaches involved phishing, and 94 percent of malware is delivered via email. COVID-19 has accelerated the volume of phishing scams as cybercriminals seek to take advantage of this global pandemic.

Phishing is a social engineering attack in which a fraudulent email message is sent and appears to be coming from a legitimate organization or user. The goal of this attack is to either steal personally identifiable information (i.e., usernames, passwords, bank or credit card information), to orchestrate fraud (e.g., false wire transfer requests), or to infect systems with malware such as ransomware or a keylogger. Existing (technical) vulnerabilities are of great value to cybercriminals as they can increase a fraudulent email’s credibility.

For users, it is often difficult to determine the legitimacy of an email. Did the email come from a government agency, bank, or insurance company? Or is an email the work of cybercriminals who, for example, were able to spoof the “From” address of an email message, resulting in a user trusting the email message?

Fortunately there are solutions available that can help reduce the risk of email fraud, and we’ll take a look at two of them: DMARC and DANE. Both are very useful standards for increasing reliability in email and are an important part of your organization’s layered defense strategy, but it is important to understand the differences between the two. Essentially, DMARC ensures that when a recipient receives an email from a particular domain, it has actually come from that domain and not someone impersonating the sender’s domain. DANE ensures that when a user sends an email to its intended recipient domain, it doesn’t get intercepted by a third party (“man-in-the-middle”).

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) will prevent unauthorized usage of the organization’s email domain. In other words, it will protect against domain spoofing.

Before DMARC was developed less than a decade ago, organizations already took several measures to determine the authenticity of an email (such as SPF and DKIM protocols, which help reduce the amount of spam received to a minimum). This is basically a good thing, but if these measures fail to identify whether or not an email is spam with a high level of certainty, the fraudulent email can be redirected to the addressee (the receiving party). This methodology is fraught with risk, since users are generally not equipped with the knowledge or means to classify incoming emails.

DMARC addresses this problem and enables the owner of a domain to take explicit responsibility with regard to the actions taken by the sending party when the validity of an incoming email cannot be determined. This, for example, will protect against domain spoofing and prevent spammers from spoofing the “From” address on email messages. DMARC can increase the deliverability of your messages, because more than 80% of consumer mailboxes worldwide support DMARC. It will also provide reports that will inform the organization as to what systems (authorized and unauthorized) are sending email using the organization’s email domain. It is important that DMARC be set up properly and with reporting enabled.

The United Kingdom kicked things off in 2016 by mandating all UK government entities to implement DMARC at the highest level of enforcement.

In late 2017, the US Department of Homeland Security (DHS) mandated that all US federal civilian agencies implement DMARC at the lowest level within 90 days and the highest level within one year, along with other security measures outlined in BOD 18-01.

The governments of the Netherlands and New Zealand followed suit in 2018, and in 2019 Australia did as well.

Now in 2020, Denmark and Canada are leading the way with the release of implementation guidance on email domain protection.

DANE

Historically SMTP servers transfer emails to each other using either an unencrypted (plaintext) connection or (since 2002) an encrypted connection based on STARTTLS protocol extension. While an encrypted connection is preferred, using STARTTLS still leaves email transport at risk. STARTTLS is opportunistic, which means that encryption is only used after being negotiated over an unencrypted connection. This makes it relatively easy for cybercriminals to circumvent the usage of encryption and force transfer of emails over an unencrypted connection. At the same time SMTP servers, by design, do not validate the authenticity of another mail server’s certificate; any random certificate is accepted. This again makes it relatively easy for cybercriminals to manipulate email transport. In other words: our public email ecosystem cannot ensure confidentiality.

DANE for SMTP addresses this problem and allows for a more secure method of mail transport. DNS-based Authentication of Named Entities (DANE) allows SMTP servers to establish encrypted TLS connections without the disadvantages of STARTTLS. While standards such as DKIM, SPF, and DMARC are primarily focused on authenticating a sender and verifying the integrity of received emails, DANE is used to ensure reliable encryption for email transport. For this to work as intended, DANE uses the secure version of the Domain Name System (DNSSEC) for retrieving information that is published by a domain name’s owner or administrator. As a result this information enables SMTP servers to determine up front whether or not another SMTP server supports an encrypted connection while also providing the means of validating the authenticity of the other mail server’s certificate. Confidentiality of email is available to the masses.

DANE is gaining popularity with nearly two million domains using this security technology. Numerous countries have DANE policies including Germany, Norway, the Netherlands, Sweden, the European Union, and the United States.

As with all aspects of security, defense-in-depth should be utilized with email, and the integration of DANE and DMARC into your organization’s protocols should be considered. Implement spam/phishing filters to prevent harmful incoming messages, but use DMARC to prevent your domain from being used in spoofing attacks. Implement DANE for SMTP (along with other email security mechanisms available) to confirm the identity of the email servers being communicated with. There is no one silver bullet for security – a solid security strategy needs multiple layers of protection.

You can check your email security status by visiting Internet.nl.