
    On Your DMARC: Protecting MS 365 Email Users from Phishing Scams

    DMARC is a very effective way to protect Microsoft 365 users from phishing and other email-based scams. However, the protocol can be difficult to implement; third-party tools can help.

    by Elliot Kass

    Key Points

    • Email is easy to spoof and MS 365’s enormous customer base makes it an inviting target for scammers.
    • Microsoft recognizes this and uses DMARC to protect MS 365 inboxes.
    • Organizations can set DMARC policies to help prevent scammers from impersonating their brand in email messages, and to help ensure that their authentic outgoing emails reach recipients.
    • DMARC can be complex to deploy without the help of a third-party product.


    Should Microsoft 365 users be deploying DMARC?

    Business email compromise and phishing attacks are a real threat to businesses. Email is easy to spoof and MS 365’s enormous customer base makes it an inviting target for fraudsters. Since anyone can pretend to be anybody in the “from” field of an email, it’s understandably difficult for employees and customers to tell a real message from a fake one.

    Recent data underscores the dangers of email-based fraud. Spoofing and impersonations surged 250 percent in 2018, with consumers losing $172 billion to these and other internet scams on an annual basis.[1] More than 90 percent of businesses have been hit by such impersonations,[2] with average losses from successful attacks now standing at $2 million[3]—or as high as $7.9 million costs when they result in a data breach.[4]

    All this puts enormous pressure on Microsoft to try and defend its customers against these attacks, and Microsoft is often caught between a rock and a hard place when it comes to deciding which emails to deliver and which ones to block. Inevitably, even the best possible decision invites trouble on both sides of the equation—as important communications continue to get waylaid while bogus messages still manage to get through.

    Resolving the Email Spoofing Dilemma

    It is this Sophie’s choice of a dilemma that Domain-based Message Authentication, Reporting and Conformance was developed to resolve. Better known as DMARC, this email authentication protocol was designed to help determine whether a given message is legitimate and actually originated from the domain with which it is associated. First published by the Internet Engineering Task Force in 2015, the protocol is supported by Microsoft and helps protect companies against domain spoofing, safeguarding their MS 365 users without disrupting their business.

    Email’s fundamental security flaw is that the name displayed in the ‘from’ field of a message doesn’t have to belong to the actual sender or match the return address. That makes it easy for scammers to send phishing emails that impersonate an organization’s domain.

    DMARC allows an organization to set a policy that helps stop those phishing emails from reaching its customers or other unsuspecting recipients. The policy tells recipients’ email systems how to respond when they receive a message that impersonates the organization’s domain and fails authentication: whether to discard it, quarantine it or let it through. In this way, DMARC acts as the policy layer for other email authentication mechanisms that are already in wide use, namely the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols.

    On the inbound side, DMARC allows the recipient’s email system to recognize whether a message is actually coming from where it purports to be coming from. Every time an email is sent from a domain with a DMARC record in place, the inbound mail server can check whether the sending server’s IP address is authorized by the domain’s SPF record and whether the DKIM signature is valid. If the email can’t be authenticated, the DMARC check determines what should be done with it based on the policy the domain owner has published.
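    The inbound evaluation described above, as an added illustrative example that is not part of the original article or of any Microsoft or Mimecast code: it parses a DMARC record, applies SPF/DKIM identifier alignment against the From: domain, and returns the disposition. The record and domains (example.com, attacker.invalid) are constructed; the organizational-domain logic is simplified and a real implementation would consult the Public Suffix List.

```python
# Illustrative DMARC evaluator (added example, simplified; not a full RFC 7489 implementation).
from typing import Optional

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record like 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # RFC 7489 defaults: relaxed alignment for DKIM and SPF
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a production implementation must use the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record: str, from_domain: str, spf_pass: bool, spf_domain: Optional[str],
             dkim_pass: bool, dkim_domain: Optional[str]) -> str:
    """Return 'pass' if SPF or DKIM passes AND aligns with the From: domain;
    otherwise the disposition the domain owner published ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain in From: falls under the 'sp' policy when the owner set one
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]

# Constructed record for a hypothetical domain (would be published at _dmarc.example.com)
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Genuine mail: DKIM signed by example.com, SPF passes for the bounce subdomain -> pass
    print(evaluate(RECORD, "example.com", True, "bounce.example.com", True, "example.com"))
    # Spoof: From: claims example.com, but SPF/DKIM only vouch for the sender's own domain -> reject
    print(evaluate(RECORD, "example.com", True, "attacker.invalid", True, "attacker.invalid"))
```

    Note that the spoofed message passes SPF and DKIM for the sender’s own domain; it is the alignment check with the From: domain that lets DMARC catch it.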

    Ready, Set and Going with DMARC

    Microsoft recognizes the value of DMARC for MS 365 users, and applies it by default to protect MS 365 inboxes from phishing emails.[5] DMARC currently stands watch over 2.5 billion email inboxes worldwide[6], and a growing number of companies are planning to implement DMARC policies to prevent scammers from impersonating their domains. Among corporate security officers surveyed for Mimecast’s 2020 State of Email Security report, only 28% said they currently use DMARC—but most said they have plans to implement the standard.

    But while DMARC will help identify and block email spoofing, the reports it generates are difficult to read and interpret, and the protocol can be quite complex to configure and manage. To implement DMARC effectively, you need to identify each of the domains and subdomains across all of your business units and any external partners that send email on your behalf. And because any domain can be spoofed or impersonated, whether or not it’s actually used to send email, every domain across your extended business network should be DMARC-protected. This alone helps to ensure that any messages purporting to come from any of your domains are in fact legitimate.

    But identifying and onboarding thousands of domains controlled by multiple business units, outside agencies and other external partners can be quite daunting. Acknowledging this, Gartner recommends using a third-party tool or service to manage and implement DMARC, noting that this is frequently the most effective way of deploying the protocol and realizing the full degree of protection that it can afford.[7]

    The Bottom Line

    Consumer-focused brand impersonations are up 11 times in the last five years and 80 percent of these involve email.[8] In industries such as healthcare and retail, 57 percent of consumer emails are now fraudulent,[9] and in 2018 the Internet Crime Complaint Center received more than 20,000 business email compromise complaints representing losses of more than $1.2 billion.[10]

    DMARC can give you the firepower you need to combat this surging tidal wave of fraud. But given its complexity, your organization may want to consider using a third-party product to manage the protocol and take full advantage of its spoof-stopping potential.


    [1] “Norton LifeLock Cyber Safety Insights Report,” NortonLifeLock

    [2] “Email Phishing on the Rise This Year, Mimecast Reports,” Email Marketing Daily

    [3] “Office 365 and LinkedIn integration—a goldmine for fraudsters?” IT Pro Portal

    [4] “How to prevent phishing attacks that target your customers with DMARC and Office 365,” Microsoft

    [5] “Implement DMARC for inbound mail,” Microsoft 

    [6] Ibid.

    [7] “Protecting Against Business Email Compromise Phishing,” Gartner

    [8] “How to Protect Your Brand From Malicious Brand Impersonations,” Adweek

    [9] “NH-ISAC Calls for Improved Healthcare Email Security Practices,” Health IT Security

    [10] “2018 Internet Crime Report,” Federal Bureau of Investigation Internet Crime Complaint Center

