Interview: GCA Director of Operations Shehzad Mirza on the importance of DMARC and the Defend and Deliver DMARC Bootcamp

Hello, we are pleased to be joined by Shehzad Mirza today to discuss DMARC (Domain-Based Message Authentication, Reporting and Conformance) which allows sending organizations to indicate that their email messages are protected, and tells the receiver what to do if one of the authentication methods passes or fails – either send the message or reject the message to junk.

1 Like

Hi Rodney, happy to be here and participate in answering questions about DMARC.

Shehzad, the Global Cyber Alliance has developed a significant number of resources to aid the deployment of DMARC amongst both public and private sector organizations. Why is DMARC so important and what success have you had so far?

DMARC is important in that it will protect the brand, reputation and integrity of an organization. DMARC prevents unauthorized sources from sending email using an organization’s domain name.

Take the most recent example in the news around what happened to WHO (World Health Organization) and COVID-19. WHO’s domain (who.int) was being used by spammers for fraudulent activity. The only way to stop it is to implement DMARC.

We have seen this with a law enforcement entity as well. However, they had DMARC setup at level ‘reject’ beforehand, and they were able to stop a large amount of spam messages using their domain name. Any message that did get through to the recipient, the call desk was able to handle and inform them that it was fraudulent.

In case people have missed the news article in regards to WHO: Why coronavirus scammers can send fake emails from real domains

Here is the article in regards to the law enforcement entity: A DMARC Success Story! - DMARC | Global Cyber Alliance

You also work with partners to help organizations understand and act on the reports that are generated by DMARC. What do these reports enable organizations to do?

There are two types of reports, failure (forensic) reports and aggregate reports.

The Aggregate reports are the ones that will help organizations determine what is happening to the messages being delivered (failing alignment, SPF/DKIM failures). It provides information on not only legitimate systems, but also fraudulent systems (if any). These are the reports that you absolute want to receive and review.

The failure (forensic) reports are the actual messages that are failing to deliver or could fail in delivery due to DMARC. These can be used to further help fix configuration issues, or inform you of the spam messages being sent. These you many not get as there are privacy concerns surrounding them, and many email service providers no longer send these.

There are various free methods and paid methods to be able to analyze reports. We are happy to provide a list of both.

So implementation of DMARC is important, but not necessarily easy which is one of the reasons the GCA has developed the DMARC Bootcamp Series. The next one is starting on May 6th and will run for 5 weeks - who should be attending and how do they register?

Anyone that is starting off with DMARC should attend, or anyone that just wants to learn what DMARC is. We will do a deep dive into DMARC, so it will get quite technical.

The best part is this is FREE!

We’ll give an introduction to the components of SPF and DKIM, we’ll break down the different parts of a DMARC policy, provide a demo of how to implement it on various DNS systems, and lastly we’ll give a high-level overview of how to review the reports. This should be enough information to get start at the lowest policy level and have enough of information to proceed to an enforcement level.

To register, just follow this link: GCA DMARC Bootcamp May 2020

Even if you can’t attend, we will be providing the recordings and resources to everyone for free.

Sounds good, thanks Shehzad, what other initiatives are GCA working on which support email security?

We are looking at expanding to a “Secure Email” project. DMARC is not the only secure mechanism for email that should be used. There are other security measures that need to be taken, such as DANE, MTA-STS, TLS-RPT, BIMI, etc.

1 Like

And finally how can the community get involved in these projects, or find out more about our work in this field?

We’re looking for more guidance on other (and new) email security mechanisms that we should be focusing on. If there is enough interest, we could create a workgroup to discuss which direction is best (i.e. focus on just server side mechanisms, or should we focus on user level as well). We are happy to take any guidance and advice from the cyber security community.

Feel free to reach out to me directly or to [email protected]

Thanks Shehzad this has been extremely interesting, and if anyone in the community has any questions they’d like to ask please feel free to do so - either here or via our dedicated DMARC Forum

Thank you Rodney, and thank to everyone that was following along.