Introduction

In an era where email security is more crucial than ever, DMARC (Domain-based Message Authentication, Reporting & Conformance) has emerged as a key player in the fight against email spoofing and phishing. This blog post aims to demystify DMARC, SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) to help businesses integrate these critical protocols and enhance email security – a strategy that Sequoia has adeptly integrated into its cybersecurity framework.

Email Authentication Protocols

Email authentication protocols like SPF and DKIM are crucial for verifying sender legitimacy and maintaining email content integrity, protecting against email fraud and spoofing.

  • SPF: Ensuring Sender Legitimacy. SPF authenticates email senders by allowing domain administrators to publish the list of mail servers authorized to send for their domain in DNS. Receivers compare the IP address of the server delivering a message with these authorized IPs to validate sender legitimacy.
  • DKIM: Authenticating Email Integrity. DKIM maintains email integrity by attaching a digital signature to each message, which receivers verify against a public key published in the sender’s DNS. This process ensures the signed parts of the email remain unchanged in transit.

What is DMARC?

DMARC builds upon SPF and DKIM, providing a framework for how email receivers handle emails failing these checks. It enables domain owners to define policies (none, quarantine, reject) for unauthenticated emails and receive reports on email traffic. DMARC is designed to combat email spoofing, phishing, and other forms of email fraud, offering domain owners greater control over their email domain’s security and authenticity.

How Does DMARC Work?

DMARC enhances email security by utilizing DNS records, allowing domain owners to set policies that dictate how email servers should handle emails failing SPF and DKIM checks. Its operation involves three policy levels:

  • None: This is a monitoring-only mode where DMARC collects data on emails passing or failing SPF and DKIM checks without impacting their delivery.
  • Quarantine: Emails that fail authentication may be marked as suspicious, often being diverted to spam folders or treated cautiously.
  • Reject: The strictest level, where emails failing authentication checks are outright rejected, preventing them from reaching the intended inbox.
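The decision logic behind those three policy levels, as an added example that is not part of the original post: a receiver reads the domain’s DMARC TXT record, checks whether SPF or DKIM passed for a domain that aligns with the visible From: domain, and otherwise applies the published policy. The domains and records below are constructed placeholders; the organisational-domain helper is deliberately simplified.

```python
# Added example (not from the original post): how a receiver turns the
# published DMARC record plus SPF/DKIM results into a disposition.

def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    # Simplified to the last two labels; real receivers consult the
    # Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment needs the same organisational domain,
    strict ('s') needs an exact match with the From: domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is
    the d= of a signature that verified. Either one passing AND aligning with
    the RFC5322.From domain makes DMARC pass.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags.get("p", "none")
    # sp= overrides p= for subdomains of the organisational domain.
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return ("fail", policy)
```

The second assertion case in particular shows why a third-party sender that passes SPF for its own bounce domain still fails DMARC: the passing identifier does not align with the From: domain.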

DMARC Reporting

Domain owners can name, in their DMARC record, the email addresses to which receivers send reports containing detailed data about the domain’s email traffic. These reports include the volume of sent emails, their sources, authentication results, and more, aiding in monitoring email domain health and identifying potential misuse or fraudulent activity.

Benefits of DMARC

  • Reduced Phishing Attacks: DMARC helps prevent phishing emails that use your domain.
  • Enhanced Brand Reputation: Protect your brand and maintain trust with customers.
  • Improved Email Deliverability: ISPs are more likely to deliver legitimate emails from domains with DMARC policies.
  • Data and Insights: Gain valuable data and insights from DMARC reports to improve your email security posture.

Sequoia’s Approach to DMARC

At Sequoia, the security of our email communications is given utmost importance. We understand that in the fast-evolving digital world, email is not just a communication tool but a vital component of our business operations. To safeguard the integrity and authenticity of our email interactions, we have prioritized the implementation of DMARC.

This initiative is central to our commitment to maintaining robust email security. Remarkably, our dedicated team was able to achieve full DMARC enforcement in just three months from the commencement of the project, demonstrating our efficiency and agility in enhancing our cybersecurity measures.

Here’s a comprehensive look at how we approached DMARC implementation:

  1. Setting the Foundation:
    • Understanding DMARC: Before diving into implementation, we ensured that our team had a clear understanding of what DMARC is and why it’s essential. DMARC, building upon SPF and DKIM, provides a framework for email receivers to handle messages failing authentication checks.
    • Initial DMARC Policy: We started with a DMARC policy of “p=none,” which operates in monitoring mode. This allowed us to collect data on email traffic without impacting email delivery. It served as a baseline for us to gain insights into our email ecosystem.
  2. Aligning Known Senders:
    • Reviewing DMARC Reports: We began the process of reviewing DMARC reports meticulously. This involved analyzing data on emails that passed and failed authentication checks.
    • Identification of Known Senders: We identified and classified all known senders within our organization, including various business units responsible for sending emails such as marketing, advocate case tickets, and product notifications.
  3. Enhancing Compliance:
    • Onboarding Tools: To streamline our DMARC compliance efforts, Sequoia introduced a DMARC management platform. This addition significantly improved our reporting capabilities and aided in the migration process.
    • Alignment with SPF and DKIM: We diligently aligned all known senders with SPF and DKIM mechanisms. Achieving close to 100% compliance was a critical milestone in fortifying our email authentication framework.
  4. Phased Migration and Policy Enhancements:
    • Policy Transition: Our migration from “p=none” to “p=reject” was executed in a phased approach. We carefully ensured that this transition occurred seamlessly without causing any email outages for our known and approved systems.
    • Policy Enhancements: We added DMARC policies to restrict sending from Sequoia-owned Parked Domains or domains not designated for email sending. Additionally, we established an internal policy for onboarding new services intended to send emails on behalf of Sequoia. This policy ensures rigorous adherence to DMARC requirements.
  5. Ongoing Commitment to Security:
    • Continuous Monitoring: Our DMARC journey is ongoing. We remain vigilant, constantly monitoring email reports for non-compliant senders.
    • DNS Alerts: We’ve proactively set up alerts to detect any changes to our SPF records in DNS, ensuring rapid responses to any alterations.
    • New Service Onboarding: As Sequoia evolves and integrates new services, our commitment to email security remains steadfast. Newly onboarded services are rigorously assessed to ensure compliance with our established email authentication protocols.
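The report review described in the DMARC Reporting section and in steps 2 and 5 above (classify every source in an aggregate report as aligned, a known sender that still needs alignment work, or an unknown source), as an added example that is not part of the original post or of any DMARC platform. The aggregate report XML and the known-sender inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (RUA) report in the RFC 7489 <feedback> layout; IPs and domains are placeholders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>esp-bounce.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>4</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

# Hypothetical inventory of senders the organisation has already identified (step 2 above).
KNOWN_SENDERS = {"192.0.2.10": "corporate mail", "198.51.100.7": "marketing ESP"}

def triage(report_xml, known=KNOWN_SENDERS):
    findings = []
    for rec in ET.fromstring(report_xml).findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* SPF/DKIM verdicts DMARC used;
        # auth_results holds the raw results, including the domain SPF actually checked.
        dmarc_pass = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                                rec.findtext("row/policy_evaluated/spf"))
        if dmarc_pass:
            status = "aligned"
        elif ip in known:
            status = "known-unaligned"   # a real sender that needs SPF/DKIM alignment work
        else:
            status = "unknown-source"    # candidate spoofing, or an undocumented service
        findings.append({"ip": ip, "count": count, "status": status,
                         "sender": known.get(ip, "?"),
                         "spf_domain": rec.findtext("auth_results/spf/domain")})
    return findings

def unaligned_volume(findings):
    """Messages that would be quarantined or rejected once the policy is tightened."""
    return sum(f["count"] for f in findings if f["status"] != "aligned")
```

The second record is the typical finding during a p=none phase: a legitimate marketing platform passes SPF for its own bounce domain, so its mail fails DMARC until the platform is configured to sign with an aligned DKIM key or use a custom return path.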

Sequoia’s approach to DMARC is a testament to our unwavering commitment to email security. By embracing DMARC and continually refining our email security practices, we uphold the highest standards of data protection and trustworthiness in our digital communications. DMARC is not just a technology for us; it’s a fundamental element in ensuring the integrity and authenticity of every email bearing the Sequoia name.

In embracing DMARC (Domain-based Message Authentication, Reporting, and Conformance), Sequoia has taken a decisive step towards fortifying the security of its email communications. This reflects our unwavering commitment to upholding the highest standards of digital security and trustworthiness.

Petros Rotsidis — As VP of Security, Petros is responsible for overseeing the Security Program at Sequoia and supervising the IT function. He works collaboratively across the organization to protect Sequoia’s systems and data, as well as our clients’ data and to support the company’s growth. In his free time he enjoys hiking, playing tennis, running, snowboarding, and experiencing new cultures and landscapes.