Combatting Phishing with DMARC
Email shouldn't feel like a dark art, but to a lot of people it does. Everyone should have DMARC setup by this point, but they don't. Here's the first piece of a 3 part guide covering why it works and how to set it up.
Since writing about how to reverse account takeovers last week I've decided to write a security series covering all the weird things I encountered back in 2012, when I accidentally ended up combating phishing and fraud for a year. In the last article, the first recommendation was to setup DMARC. So let's take a deeper look at why, how and what's involved in long term management once it's setup.
This guide is exhaustive and is broken into three parts: Education, Deployment and Enterprise. In this post we'll cover the problems of phishing, why they exist, what DMARC is how it works, why it works and why everyone needs it. In Deployment next week, we go into detail on how to deploy DMARC from a domain with no email to a startup with a few email sources all the way to an enterprise with an entirely unknown number of email sources.
I walked into a weird situation in 2012. I took over everything for a 14 year old high end marketplace that was in the middle of a rewrite from Perl to Ruby, in which the prior developers and support staff were gone. Because of the transition from old site to new site, old design to new design and the mixing of "some new" and "some old" in the look of things, there was a lot of confusion among the site's 300,000+ users already. When the phishers realize they could capitalize on this confusion, things got crazy fast.
