DMARC and your .bank Domain (September 2015)

EMAIL MAKES IT EASY FOR CRIMINALS TO REACH YOUR CUSTOMERS USING YOUR BRAND

● Phishing and brand abuse erode consumer trust
● Attacks cause lasting brand damage
● Fallout impacts every team: IT, IS, Security, Risk, Marketing, Operations, Customer Service, and the C-Suite
● Attacks decrease email engagement, reducing your bottom line
● It is far too risky to leave your business and reputation exposed to these kinds of attacks

.bank Registration Requirements

● Specifically designed to protect banks and consumers from cybercriminals
● Require that you:
  - are a bank or other eligible entity
  - publish a DMARC quarantine or reject policy if the domain is not used for email
  - publish a DMARC policy plus DKIM and/or SPF if the domain is used for email
● These requirements are the most stringent of any TLD and registry
● This is a good thing. Something you should tell your customers and your boards about
● Today our focus is the DMARC reject requirement

© Copyright 2015 Agari. All rights reserved. Confidential and Proprietary.

Background: What is DMARC?

“Dee-MARK” is an Acronym

Domain-based Message Authentication, Reporting (and) Conformance

… and a de-facto email security standard

In 2007, These Guys Started It

And Soon These Guys Joined In

Proven at Scale With Volume & Complexity

Agari receivers:
● 2.5B endpoints
● 85% of US inboxes
● 70% of global inboxes
● 10B messages daily

Agari senders:
● Largest bank
● Most abused brand
● Largest sender of email on the planet
● Largest consumer electronics company

How does DMARC Work?

● You (a sender of email):
  - Send all email messages as compliant messages, authenticated in specific ways
  - Tell the world to delete or drop non-compliant email (the “reject policy”)
● Then, the Receivers/ISPs:
  - throw out (delete/drop) the non-compliant email
● Dead simple… but the devil is in the details
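The "details" the slide alludes to are identifier alignment and policy lookup. The following is an added example, not code from the deck or from Agari: a small model of what a DMARC-enforcing receiver does with the From header domain, the SPF result (evaluated on the SMTP MAIL FROM domain) and the DKIM results (with their d= domains) once it has the sender's published record. Domain names such as example.bank and esp-vendor.example are placeholders; the organizational domain is approximated by the last two labels rather than the Public Suffix List, the record passed in is assumed to be the organizational domain's record (the two-step DNS lookup is skipped), and pct= sampling is not applied.

```python
"""Added example (not from the Agari deck): what a DMARC-enforcing receiver does.

Assumptions: the record passed in is the organizational domain's record (the
two-step DNS lookup is skipped), the organizational domain is approximated by
the last two labels instead of the Public Suffix List, and pct= sampling is
not applied.  All domain names are placeholders.
"""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("pct", "100")      # parsed for completeness, not applied here
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, dmarc_txt, spf=None, dkim=()):
    """Return (dmarc_result, disposition).

    spf:  (result, mail_from_domain) or None if no SPF check was possible.
    dkim: iterable of (result, d_domain), one entry per signature verified.
    """
    policy = parse_dmarc_record(dmarc_txt)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(from_domain, spf[1], policy["aspf"]))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, policy["adkim"])
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Non-compliant: p applies to the org domain itself, sp to its subdomains.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    disposition = policy["sp"] if is_subdomain else policy["p"]
    return "fail", disposition


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.bank"
    # A vendor whose SPF and DKIM pass on its own domain still fails DMARC for you.
    print(evaluate("example.bank", rec, spf=("pass", "esp-vendor.example"),
                   dkim=[("pass", "esp-vendor.example")]))
```

The second call in the usage block is the vendor case the later slides warn about: SPF and DKIM both "pass", yet the message is rejected because neither authenticated domain aligns with the From header domain.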

Using your .bank domain for sending email

Migrating is a Process

“Send all email messages as compliant messages”

1. Audit. Perform an audit to identify the types and sources of email you send.
2. Plan. Determine which types and sources will be migrated to your new .bank domain.
3. Implement. Implement and confirm the authentication methods applicable to each source of email. Send test messages. Fix the problems that surface. Repeat.
4. Communicate. Tell your customers to expect email from the new sources, using existing channels. Or wait and tell them using the new channels.
5. Act. Switch over to using your .bank domain when the sources are compliant.

DMARC supports your Audit

● Audit goal: identify all legitimate sources of email using your brand(s)
● Typically a combination of:
  - Email sent directly by your bank’s IT systems and departments
  - Email sent by third-party vendors on your behalf
  - You may be surprised by some sources
● Tips:
  - Publish a DMARC “monitor” policy (p=none, with reporting enabled) on your existing domains. The aggregate reports will help you identify legitimate email sources.
  - Use a DMARC monitoring, workflow, and security vendor to assist you (this is what Agari and others can help you with)
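What the "monitor" policy actually gives you is a stream of XML aggregate reports from receivers. The following is an added example, not code from the deck or from Agari, of the audit step: it reads one such report, totals messages per sending IP, and sorts each source into "already aligned", "authenticates but not for your domain" (typically a vendor to bring into alignment) or "nothing passes" (unknown infrastructure or abuse). The report is constructed for this example in the RFC 7489 Appendix C layout, using RFC 5737 documentation addresses; example.bank, receiver.example, esp-vendor.example and unknown.example are placeholders.

```python
"""Added example (not from the Agari deck): mining DMARC aggregate (rua) reports
for the audit step.  SAMPLE_REPORT is constructed for this example; the IPs are
RFC 5737 documentation addresses and the domain names are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1441151999.example.bank</report_id>
    <date_range><begin>1441065600</begin><end>1441151999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.bank</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.bank</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.bank</domain><result>pass</result></dkim>
      <spf><domain>example.bank</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.bank</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>esp-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.bank</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Aggregate one rua report per source IP and classify each source.

    'aligned'                 -> every message passed DMARC; already compliant.
    'partially-aligned'       -> some messages passed; mixed streams from one host.
    'authenticated-unaligned' -> SPF/DKIM passed for some other domain; typically
                                 a vendor whose MAIL FROM / d= must be aligned.
    'unauthenticated'         -> nothing passed; unknown infrastructure or abuse.
    """
    root = ET.fromstring(xml_text)
    sources = {}
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        entry = sources.setdefault(ip, {"messages": 0, "dmarc_pass": 0, "raw_pass": False,
                                        "spf_domains": set(), "dkim_domains": set()})
        count = int(row.findtext("count"))
        entry["messages"] += count
        # policy_evaluated holds the *aligned* results, i.e. the DMARC verdict.
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass":
            entry["dmarc_pass"] += count
        # auth_results holds the raw results, including domains that are not yours.
        auth = record.find("auth_results")
        if auth is not None:
            for kind in ("spf", "dkim"):
                for result in auth.findall(kind):
                    entry[kind + "_domains"].add(result.findtext("domain"))
                    if result.findtext("result") == "pass":
                        entry["raw_pass"] = True
    for entry in sources.values():
        if entry["dmarc_pass"] == entry["messages"]:
            entry["verdict"] = "aligned"
        elif entry["dmarc_pass"] > 0:
            entry["verdict"] = "partially-aligned"
        elif entry["raw_pass"]:
            entry["verdict"] = "authenticated-unaligned"
        else:
            entry["verdict"] = "unauthenticated"
        entry["spf_domains"] = sorted(entry["spf_domains"])
        entry["dkim_domains"] = sorted(entry["dkim_domains"])
    return sources


def remediation_queue(sources):
    """Sources to chase first: anything not fully aligned, largest volume first."""
    return sorted((ip for ip, e in sources.items() if e["verdict"] != "aligned"),
                  key=lambda ip: -sources[ip]["messages"])


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for ip in remediation_queue(summary):
        e = summary[ip]
        print(ip, e["messages"], e["verdict"], e["spf_domains"], e["dkim_domains"])
```

In the sample, 198.51.100.7 is the case the audit exists to find: a vendor that authenticates perfectly well for esp-vendor.example and therefore looks fine in its own dashboard, but contributes nothing towards your domain's DMARC pass rate until its MAIL FROM or DKIM d= is moved under your domain.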

On Implementation – Authentication

● SPF, DKIM, or both?
  - Very likely both (depends on the amount of forwarding)
  - SPF: fragile, but easier to implement
  - DKIM: needs signing software at the message source and key handling (crypto), but is resilient to forwarding
● SPF issues
  - Identifying and correctly adding the authorized IP space (sets of IP addresses)
  - Ensuring “alignment”: the domain in the SMTP dialog’s MAIL FROM must match the From header domain. Requires server-side configuration to fix
● DKIM
  - Key management: creation, publishing in DNS, signing
  - Key length: minimum 1536 bits
  - Signing domain (d=) must match the From header domain. Requires server-side configuration changes to fix
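The key-length requirement is checkable from DNS alone, because a DKIM selector record publishes the public key itself. The following is an added example, not code from the deck or from Agari: it parses a `v=DKIM1; k=rsa; p=...` record, decodes the base64 SubjectPublicKeyInfo, walks the DER to the RSA modulus and compares its bit length against the slide's 1536-bit minimum. The DER encoder is included only so the example can build records from a synthetic modulus offline (it is not a real key pair and must not be used as one); the parser is what you would point at records fetched from DNS. Selector and domain names would be yours; none appear here.

```python
"""Added example (not from the Agari deck): checking the RSA key length behind
a DKIM selector record.  The encoder builds test records from a synthetic
modulus (not a real key); the parser is the part to run against DNS data.
"""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:           # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA public key (RFC 5280 wrapping PKCS#1)."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")        # rsaEncryption, NULL
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))    # BIT STRING, 0 unused bits


def make_dkim_record(modulus):
    """Build the TXT record text a selector would publish for this modulus."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(modulus)).decode()


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Pull the modulus out of a DER SubjectPublicKeyInfo and return its bit length."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, alg_id, pos = _read_tlv(body, 0)
    if not alg_id.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)   # skip the unused-bits byte
    tag, modulus_bytes, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("missing RSA modulus")
    return int.from_bytes(modulus_bytes, "big").bit_length()


def check_dkim_record(txt, minimum_bits=1536):
    """Parse a DKIM TXT record; return (modulus_bits, meets_minimum)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())   # p= may span several quoted strings
    if tags.get("v", "DKIM1") != "DKIM1":                 # v= is optional in DKIM records
        raise ValueError("not a DKIM record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are handled here")
    if not tags.get("p"):
        raise ValueError("empty p=: the key has been revoked")
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, bits >= minimum_bits


if __name__ == "__main__":
    synthetic_2048 = (1 << 2047) | (0xC0FFEE << 1000) | 1   # structure only, not a real key
    print(check_dkim_record(make_dkim_record(synthetic_2048)))
    print(check_dkim_record(make_dkim_record((1 << 1023) | 1)))
```

A real check would fetch `<selector>._domainkey.<domain>` TXT for every selector your signing systems and vendors use; the revoked-key case (empty p=) is worth keeping as an explicit error, since a vendor that has rotated keys without telling you will otherwise show up as a silent DKIM failure in the aggregate reports.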

Tips: Engage your Vendors

● Good:
  - “We send DMARC-compliant email with a reject policy today for at least one customer”
● Warning:
  - “Oh sure, we sign our messages with SPF”
  - “We can sign messages with DKIM”
  - “Doing DMARC just means using DKIM or SPF, so no problem”
● Be patient, avoid pitfalls:
  - DMARC amends and invalidates certain practices in widespread use with SPF and DKIM. Consequently, existing vendor implementations of SPF or DKIM are rarely DMARC-compliant. They will need remediation.
  - Overall, the nuances take time to address
● Help is out there. DMARC.org, Agari, and others work with vendors to help them achieve compliant sending practices

Summary

● .bank Registry requirements are protective of banks and consumers
● Mandatory use of DMARC means that, at receivers which enforce it, only email you have authenticated is accepted as coming from your .bank domain
● Migrating your email traffic to use your .bank domain for customer communications is a process
● Work with your IT departments, vendors, and outside DMARC service providers to achieve, confirm, and maintain ongoing compliance
● Do not forget to tell your customers and your stakeholders!

Thank You!