There is no doubt that DMARC is deployed to prevent phishing and spoofing emails; however, misconfigured DMARC records are synonymous with exploitable vulnerabilities. DMARC is implemented in tandem with SPF and DKIM. This email authentication structure compensates for the drawbacks of SPF and DKIM. SPF’s drawback is that it is highly likely to break when emails are forwarded; this means when someone forwards a legitimate email, the receiving server will either mark it as spam or reject it. DKIM’s drawback is that it triggers false positives because of inadvertent message modifications.
For an email to pass DMARC authentication checks, it must pass either SPF or DKIM but does not necessarily need to pass both. This is exactly where threat actors use their evil tactics so that phishing emails sent by them bypass DMARC filters and land in recipients’ inboxes.
Why does DMARC matter?
Once DMARC is in place, it significantly reduces the likelihood of fraudulent emails being sent from a domain. Compared to using SPF or DKIM alone, DMARC is more effective at blocking simple spoofing attempts and basic phishing attacks. DMARC works by combining SPF and DKIM into a unified validation process, with a clear policy (such as reject or quarantine) when authentication fails.
DMARC is especially valuable for domain owners with weak SPF or DKIM configurations. It allows email servers to treat a message as legitimate as long as either SPF or DKIM passes, reducing the risk of false positives. This represents a major step forward in email security.
While DMARC is strongly recommended for all domain owners and email filtering systems, it’s crucial to ensure you manage and control all email sources sent on behalf of your domain.
Interestingly, DMARC can also create a unique risk—in certain cases, it can actually make a domain more vulnerable to advanced spoofing attempts by skilled attackers.
How do attackers bypass DMARC to send forged emails?
A threat actor can possibly send forged emails without triggering DMARC if-
- They are able to send it from an IP address that is allowed under the forged sender domain’s SPF policy. To do this, they need to use the same email provider as the sender.
- They send the email from one of the servers officially authorized by the DKIM for the domain. If the server doesn’t cross-check who initiated the message (which is the case with most servers), it signs the outbound email going through it with the proper DKIM keys. This way, the forged message looks legitimate.
If an attacker creates an account with the same email provider as the legitimate domain, and that provider doesn’t restrict DKIM key usage, the attacker can send emails from the provider’s servers that appear properly signed, just like the real ones.
3. The malicious actor can compromise and access any sender’s devices or email servers. They can also compromise the vendor’s email servers.
But all this can be prevented if you delegate the email authentication responsibilities to experts. Please contact us to know how we can help you.