The National Cyber Security Centre (NCSC) has launched a new security tool, enabling businesses to check the security settings of their email domains. It can be used to help businesses to determine how secure their domain is for email, and identify any vulnerabilities which may need to be addressed, including privacy and potential spoofing issues.
What does it check?
The tool checks publicly available email DNS records to help identify potential vulnerabilities. The aim is to prevent spoofing (where cyber criminals send emails from your domain, pretending to be you) and to protect privacy, helping prevent criminals from intercepting and reading your emails in transit. Currently, it makes two main checks – your DMARC policy and your TLS configuration – with a third test (MTA-STS configuration) coming soon. If you run your domain through the checker, the NCSC provides brilliant explanations of the value of each check.
What might come back?
Running the test, you might get one or two warnings (one for each test), or two green ticks indicating a test pass. These are an indication of the strength and depth of your security.
- At minimum, your TLS configuration check must come back as a green tick, because this is a straightforward security addition that keeps your emails secure while in transit. If this comes back as a red X, contact your IT department or company immediately.
- What will commonly happen for many small businesses is that the DMARC policy will come back with a red X. DMARC helps to prevent spoofing, but it is common for it not to be implemented, because incorrect implementation can result in significant email downtime (around 48 hours), and DMARC is considered a top security practice rather than a baseline standard for security. The NCSC is right to recommend it as a good security practice and highlight it as a potential vulnerability, but it is not uncommon for SME businesses to skip this step. If yours comes back with a red X, speak to your IT department or company about what’s involved and the value specific to your business, before deciding to implement the changes.
DMARC: Risk versus reward
DMARC settings involve a trade-off between security and operations. As highlighted in the NCSC guidelines, it is absolutely best practice, and it is the only way to fully mitigate potential spoofing campaigns. However, part of the reason many SME businesses have not introduced it is that a) the risk of spoofing for a small business is very low, and b) it has the potential to interfere with legitimate email traffic in the pursuit of sending quality. The NCSC guidelines do provide step-by-step configuration that lets you initially introduce a DMARC policy of “none”, which allows you to monitor sending traffic and distinguish legitimate from potentially malicious traffic.
When an email is sent for delivery, there are four levels that an email can be assigned to:
- Inbox
- Junk
- Quarantine
- Rejection
Levels 1 and 2 (inbox and junk) are serviced by your normal security features, as offered by your email provider; for example, Microsoft 365 settings ensure that incoming emails are vetted and assigned as secure (to your inbox) or potentially junk or insecure (to your junk box). It does this on the basis of the Sender Policy Framework (SPF), which checks that the mail originates from an authorised server. SPF is not specifically tested by the NCSC tool, so you will need to check its configuration separately.
Levels 3 (quarantine) and 4 (rejection) are then served by the enhanced DMARC policy settings. These automatically quarantine or reject an email sent from anyone outside your company who tries to use your company domain. For example, it will quarantine or reject any email arriving in Eurolink Connect inboxes that originates outside the company but carries an address of the form (someone)@eurolinkconnect.com. This specifically seeks to filter rogue or malicious spoofing emails where someone is attempting to misrepresent your company.
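As an added worked example (my own code, not the NCSC tool's or Eurolink Connect's), a small Python parser reads a DMARC TXT record and reports which of the four levels above a spoofed message would be pushed to, and whether aggregate reporting (the rua tag, which a “none” rollout depends on) is in place. The records are constructed samples, not lookups of any real domain; v, p, pct and rua are the standard DMARC tag names.

```python
"""Classify a DMARC TXT record against the four delivery levels (inbox, junk,
quarantine, rejection). Added example; not the NCSC checker's own code."""
from typing import Dict, Optional, Union

# Constructed sample records in DMARC TXT syntax (not real domains).
SAMPLE_RECORDS = {
    "monitor":    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com",
    "reject":     "v=DMARC1; p=reject",
    "missing":    "",                                        # no record published
    "not_dmarc":  "v=spf1 include:_spf.example.com -all",   # an SPF record by mistake
}

LEVEL_FOR_POLICY = {"none": 2, "quarantine": 3, "reject": 4}
LEVEL_NAMES = {1: "inbox", 2: "junk", 3: "quarantine", 4: "rejection"}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None if not a usable DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must begin with v=DMARC1 and carry a recognised p= policy.
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in LEVEL_FOR_POLICY:
        return None
    return tags


def spoof_outcome(record: str) -> Dict[str, Union[int, str, bool]]:
    """Strictest action a receiver can take on a spoofed message, plus reporting status."""
    tags = parse_dmarc(record)
    if tags is None:
        # No policy: receivers fall back to ordinary inbox/junk filtering (levels 1-2).
        return {"level": 2, "action": "junk filtering only; no DMARC policy published",
                "monitoring": False}
    policy = tags["p"].lower()
    level = LEVEL_FOR_POLICY[policy]
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    action = LEVEL_NAMES[level] if pct == 100 else f"{LEVEL_NAMES[level]} for {pct}% of failing mail"
    if policy == "none":
        action = "monitoring only; failing mail still reaches inbox/junk"
    # rua= is where aggregate reports go: without it a p=none rollout shows you nothing.
    return {"level": level, "action": action, "monitoring": "rua" in tags}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:>10}: {spoof_outcome(record)}")
```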
In the NCSC test, a failed DMARC policy will state “This domain could be used by criminals to spread malicious emails”, which is absolutely and completely true. It could be, and this is the risk. However, there are two caveats here:
- The first is that spoofing requires an investment by criminals, which means they typically choose their targets selectively. They seek maximum gain (usually financial) from their work, which means that a small, local SME is unlikely to be a primary target. It can happen, but the risk is low.
- The second is that spoofed emails originating outside an organisation will be diverted to junk boxes, heightening the intended target’s awareness. It isn’t foolproof, and some people may still be duped, but again, the risk is much lower.
If DMARC is best practice, what is the downside?
Well, there are very few downsides; however, it isn’t all plain sailing.
Deploying DMARC is a complex undertaking, and as well as requiring resources to set up, it also requires constant monitoring and updating to accommodate new senders. If you add new software to the business, and that software wants to send you notifications and updates, you will need to revise your DMARC records and monitoring to ensure that emails reach their intended destinations. Out-of-date or improperly applied DMARC could see some of your sent or received mail going AWOL.
There will be legitimate reasons that an email originates from your organisation but fails to pass the DMARC policy, leading to its rejection. Examples include email forwarding, where the email passes through an intermediary server before it is ultimately delivered to the receiving server, or use of third-party software such as Gmail, Mailchimp etc. In these instances, the email is legitimate but will fail authentication and therefore fall into level 3 (quarantine) or level 4 (rejection). These cases can be overcome, but they require ongoing management and monitoring of your DMARC policy, and for some, this resource isn’t worth the investment when compared to the risk.
The other limitation of DMARC is that it only works for your domain, and not for close cousins or display name spoofing. If a hacker wanted to represent your business, they could register a similar domain that your team, clients, or suppliers might not notice (think eurolinkconnectuk.com or eurolinkconnects.com), delivering emails that look to be directly from you. Similarly, hackers can also use a random domain, but change the display name to your company name, in a bid to evade your detection. The latter will hopefully be picked up by other cybersecurity measures, which is why DMARC should be just one part of a layered approach.
So should we implement DMARC?
As the NCSC has highlighted, it is best practice and it does protect against direct spoofing. What you need to be sure of is the risk versus reward and the ultimate cost of ongoing management. Eurolink Connect can and do implement DMARC – we have done so for ourselves – but not all of our clients want the level of management that comes with DMARC. In addition, we always implement all baseline security features, which will be ample for managing the majority of SME risk.