Phishing Indicators DMARC Won't Catch

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an indispensable pillar of email security. By enforcing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) alignment, DMARC prevents unauthorized parties from spoofing your domain. It gives you the power to tell receiving mail servers what to do with unauthenticated emails claiming to be from you: quarantine them, reject them, or simply monitor them.

Moving DMARC to an enforcement policy (p=quarantine or p=reject) is a critical step in protecting your brand and your users from direct domain impersonation. However, DMARC, like any security control, has a specific scope and specific limitations. It is not a silver bullet against all forms of email-based threats. This article explores common phishing tactics that DMARC, by design, will not catch, and what you can do about them.

A Quick DMARC Refresher (and Its Core Strength)

At its heart, DMARC ensures that the domain in the visible From: header (the one your users see) aligns with the domain authenticated by either SPF or DKIM.

  • SPF (Sender Policy Framework): Verifies that the sending server's IP address is authorized by the domain in the envelope sender (the SMTP MAIL FROM address, exposed to the recipient as the Return-Path header). For DMARC, the Return-Path domain must align with the From: header domain.
  • DKIM (DomainKeys Identified Mail): Uses a cryptographic signature to verify that the signed parts of an email were not altered in transit and that the message was signed with a key published in DNS by the signing domain. For DMARC, the domain specified in the DKIM signature (the d= tag) must align with the From: header domain.

If either SPF or DKIM passes DMARC's alignment checks, the email passes DMARC. If both fail, the DMARC policy for the From: header domain is applied.

DMARC's core strength is its ability to protect your domain from being used fraudulently. If an attacker tries to send an email as ceo@yourcompany.com from an unauthorized server, DMARC will ensure that email is rejected or quarantined.
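The alignment logic described above, as an added example that is not part of the original article: a small Python evaluator that takes the SPF and DKIM results a receiver has already computed, applies DMARC identifier alignment (strict or relaxed), and returns the disposition for the From: domain's policy. The organizational-domain lookup uses a tiny stand-in for the public suffix list (an assumption made for brevity; a real receiver must use the full list), and the two sample messages at the bottom are constructed. Running it shows why a spoof of ceo@yourcompany.com is rejected while a message from a domain the sender actually controls sails through.

```python
"""Minimal DMARC alignment evaluator (added example, not from the article).

Assumes SPF and DKIM have already been verified; this code only decides
whether the authenticated identifiers ALIGN with the From: header domain
and what disposition the From: domain's policy then yields.
"""
from dataclasses import dataclass
from typing import Dict

# Hypothetical stand-in for the public suffix list: only the suffixes this
# example needs. A real implementation must consult the full PSL.
PUBLIC_SUFFIXES = {"com", "co", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.example.com -> example.com, a.b.co.uk -> b.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. mode 's' = strict (exact match),
    mode 'r' = relaxed (same organizational domain), the DMARC default."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str          # domain of the visible From: header
    spf_result: str           # "pass"/"fail"/"none" for the Return-Path domain
    return_path_domain: str   # envelope sender domain ("" if none)
    dkim_result: str          # "pass"/"fail"/"none" for the signature
    dkim_d_domain: str        # d= tag of the DKIM signature ("" if unsigned)


def dmarc_evaluate(r: AuthResults, policy: str,
                   aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """Apply DMARC: pass if SPF or DKIM passed AND aligns with the From: domain.
    `policy`, `aspf` and `adkim` come from the From: domain's DMARC record."""
    spf_aligned = r.spf_result == "pass" and aligned(r.return_path_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_d_domain, r.from_domain, adkim)
    passed = spf_aligned or dkim_aligned
    # On failure the From: domain's requested action applies; on pass, deliver.
    disposition = "none" if passed else {"none": "none",
                                         "quarantine": "quarantine",
                                         "reject": "reject"}[policy]
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "disposition": disposition}


# Constructed sample 1: direct spoof of ceo@yourcompany.com from an unauthorized
# server. SPF fails, there is no DKIM signature, and yourcompany.com publishes p=reject.
SPOOF = AuthResults("yourcompany.com", "fail", "attacker-infra.example", "none", "")

# Constructed sample 2: lookalike domain the sender really controls, with SPF
# correctly set up. The policy evaluated is the LOOKALIKE domain's own p=reject.
LOOKALIKE = AuthResults("yourcampany.com", "pass", "yourcampany.com", "none", "")


def demo() -> Dict[str, str]:
    """Return the disposition DMARC gives each constructed message."""
    return {"spoof": dmarc_evaluate(SPOOF, "reject")["disposition"],
            "lookalike": dmarc_evaluate(LOOKALIKE, "reject")["disposition"]}


if __name__ == "__main__":
    print(demo())
```

The second result is the whole point of the sections that follow: the receiver looked up the DMARC record for yourcampany.com, not yourcompany.com, because that is the domain the From: header names. Your own policy is never consulted.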

When DMARC's Strength Becomes a Blind Spot

The limitation of DMARC lies precisely in its strength: its focus on the From: header domain's alignment with SPF/DKIM authentication. Phishing attacks that don't attempt to spoof your specific domain in a way that violates DMARC's alignment rules will simply pass DMARC checks, or DMARC won't even be relevant to the check.

Let's break down these scenarios.

Category 1: Lookalike Domains (Homograph, Typo-squatting)

This is a classic and highly effective phishing technique. Attackers register domains that are visually similar to your legitimate domain, hoping to trick users who don't scrutinize email addresses closely.

  • Examples:
    • yourcampany.com instead of yourcompany.com (typo-squatting)
    • y0urcompany.com instead of yourcompany.com (homograph, using a zero for 'o')
    • yourcompany.co instead of yourcompany.com (different TLD)
    • your-company.com instead of yourcompany.com (hyphenation)

Why DMARC Fails to Catch It: The attacker registers yourcampany.com and then properly configures SPF, DKIM, and even DMARC (with a p=reject policy) for their malicious domain. When an email is sent from support@yourcampany.com, the receiving mail server performs DMARC checks against yourcampany.com. Since the email is legitimately coming from yourcampany.com and aligns with its SPF/DKIM records, the DMARC check for yourcampany.com passes. Your yourcompany.com DMARC policy is never even evaluated because the email isn't claiming to be from your domain.
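Because DMARC never evaluates your policy for these messages, lookalike detection has to live in the mail gateway or SIEM. The following Python is an added example (not code from the article) that flags a sender domain resembling a protected domain for the four variants listed above: typo-squatting, homoglyph substitution, a different TLD, and hyphenation. The confusable-character table and the sample domains are constructed, and the domain splitter assumes a single-label TLD for brevity.

```python
"""Flag sender domains that look like a protected domain (added example).

Heuristics are illustrative: the homoglyph table is a constructed subset,
and split_domain() assumes a one-label TLD (so .co.uk style suffixes would
need the public suffix list in a real deployment).
"""
from typing import Optional, Tuple

# Constructed table of characters attackers swap in because they render alike.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"}
# Two-character sequences that read as one letter in many fonts.
MULTI_CHAR = {"rn": "m", "vv": "w"}


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, tld): mail.yourcompany.com -> ('yourcompany', 'com')."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def canonical(label: str) -> str:
    """Fold visually confusable characters and drop hyphens."""
    label = label.replace("-", "")
    for seq, rep in MULTI_CHAR.items():
        label = label.replace(seq, rep)
    return "".join(HOMOGLYPHS.get(c, c) for c in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution/insertion/deletion is typical typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_reason(sender_domain: str, protected: str) -> Optional[str]:
    """Why sender_domain resembles protected, or None when it IS the protected
    domain (or a subdomain, which DMARC already covers) or is unrelated."""
    s_label, s_tld = split_domain(sender_domain)
    p_label, p_tld = split_domain(protected)
    if (s_label, s_tld) == (p_label, p_tld):
        return None
    if s_label == p_label and s_tld != p_tld:
        return "different TLD"
    if canonical(s_label) == canonical(p_label):
        # Same letters once confusables are folded: hyphen-only or glyph swap.
        return "hyphenation" if s_label.replace("-", "") == p_label else "homoglyph"
    if levenshtein(canonical(s_label), canonical(p_label)) <= 1:
        return "typo-squatting"
    return None


def scan(senders, protected: str):
    """Return {sender: reason} for every sender that resembles `protected`."""
    hits = {}
    for s in senders:
        reason = lookalike_reason(s, protected)
        if reason:
            hits[s] = reason
    return hits


# Constructed sample of From: domains seen at a gateway.
SAMPLE_SENDERS = ["yourcampany.com", "y0urcompany.com", "yourcompany.co",
                  "your-company.com", "mail.yourcompany.com", "example.com"]

if __name__ == "__main__":
    for sender, why in scan(SAMPLE_SENDERS, "yourcompany.com").items():
        print(f"{sender:22} {why}")
```

In practice the hits become a quarantine or banner rule rather than an outright block, since legitimate partners occasionally use near-miss names; the canonical() step is also the place to add the Unicode confusables (Cyrillic "а" for Latin "a", and so on) that registrars' IDN rules let through.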

Real-world Example: Imagine a phishing email arriving from support@micr0soft.com (using a zero instead of an 'o'). The attacker has registered micr0soft.com and set up valid SPF and DKIM records for it. When a mail server receives this email, it checks the DMARC policy for `micr0soft