Without DMARC, email is the Achilles Heel of cybersecurity

Lack of protection from exact impersonation is a hole in the way the global email infrastructure works, exposing every business to cybercriminals. DMARC is the security protocol that secures your email, protects your clients, and improves the deliverability of every email you send.

When we started Red Sift, we wanted to unlock the data hidden in every business, and help decision-makers make better choices as they grow and adapt to ever-changing conditions. We began with deep email integration – simply because it’s a data store that every single person in every business has. We’ve all got thousands of emails with to-do lists, client contacts, meetings, and attachments we’re meant to look at. This is a tremendous consolidated view of our digital lives.

As we built a platform to transform this data into insight, we knew that security was going to be a prime concern. No business wants to give a third-party program, however respectable, a view of their email. We built and contributed code to the various email security libraries out there but quickly ran into a big problem.

Before DMARC, existing email security was completely ineffective against impersonation

It’s entirely straightforward and very easy to effectively impersonate someone online. I don’t mean on a chatroom, or through the dark web. With just a few lines of code, it’s possible to ‘spoof’ an email address and send a malicious phishing email that looks genuine. Just take a look below.

I have redacted some of the commands, but anyone who can parse an open RFC — and most hackers can — knows what needs to be done.

Banco Popular did not send this email. I did, using a tool you probably have installed on your computer. On the left, I used telnet (a simple program that has been around since 1969 and comes pre-installed on every Mac, Linux, and most Windows machines), and emulated the email protocol, effectively impersonating someone else – in this case, one of Spain’s biggest financial institutions.

Unlike standard phishing attacks – those emails that look legitimate but with a clearly suspicious reply address (you know ‘theocb@sgsfg.id’, or the like) – the email address in this attack looks completely legitimate (‘customer-support@bancopopular.es’).

With just a single email to go on, your email server will think it’s ok and let it through your spam filter. And if you have a Banco Popular account, you’ll probably think it’s legitimate too!

My co-founder didn’t send this. I disabled our protections to let this spoof through.

Exact domain impersonation is perfect for Business Email Compromise (BEC)

This tactic works with almost all email addresses, and many cybercriminals use it to carry out BEC attacks. This is where they impersonate someone important within a business, and phish employees to gain access to money, credentials, and more.

What if you got an email like the above from the Chairman, Co-Founder, or your MD at your business asking you to review a document they’re working on? Would you be able to tell if it’s fake if it came from a legitimate email address?

Probably not, and you’d probably click on it. Why wouldn’t you? It even has your chairman’s name and picture – the Gmail iOS App even does you the courtesy of filling in the Google+ profile picture encouraging you to act.

Your email is the back door to your business, without DMARC it’s wide open

Crucially, and terrifyingly, no accounts need to be hacked or passwords stolen to impersonate a business. I didn’t have to go to the dark web and find exotic exploits or buy lists of compromised mail servers. To carry out the above example, all I needed was telnet and a little social engineering – looking up the business’ chairman or directors on LinkedIn to get their names and job titles is enough.

We all trust our email providers (Google, Microsoft, etc) to effectively handle the security of our email identities online. But this impersonation technique is part of a deeply rooted problem, emerging from the unfortunate way mail relay has worked since the dawn of the internet.

You may have invested in cyber security measures, have a modern strong password policy, file scanners and spam detectors, and enabled 2FA. But these don’t make a difference when it comes to impersonation. All of this can be sidestepped by exploiting the pervasive weakness in email, leading to further compromises across the rest of your security infrastructure. It’s like securing your house with the latest alarm systems and then leaving the front door wide open.

There is a solution for exact domain impersonation: DMARC

Just because it’s part of the way the internet works, it doesn’t mean exact impersonation is unsolvable. If you tried to spoof a Red Sift email address today, the Gmail server would actively reject your telnet session and log you off. Essentially, the front door would be slammed in your face and your attempt to impersonate the domain would be thwarted. This is because we’ve adopted DMARC and we have enabled it to reject unauthorized traffic. And more and more businesses are doing this too.

With our protections re-enabled, my attempt fails.

What is DMARC?

DMARC is an email security protocol that prevents anyone from impersonating your domain to send malicious phishing emails to your customers, employees, clients, and supply chain. When you have DMARC fully implemented at a policy of p=reject, it’s impossible for anyone to impersonate your email domain, and they can’t pretend to be anyone else in your business. So there’s no worry that hackers might use your email domain to send fake emails to your employees or clients.
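How a receiving mail server arrives at the two outcomes described above (the spoof delivered when no DMARC policy exists, refused at p=reject), as an added example that is not Red Sift's code: a simplified sketch of the RFC 7489 check. The `Message` fields, the `bank.example` and `sender.test` domains, and the two-label `org_domain` shortcut (real receivers use the Public Suffix List) are assumptions; the `pct` and `sp` tags are ignored.

```python
from dataclasses import dataclass

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return {} if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in POLICIES:
        return {}
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, anything else = relaxed."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:            # constructed stand-in for what the receiver already knows
    header_from: str      # domain shown in the visible From: header
    spf_result: str       # "pass" / "fail" / "none" for the envelope sender
    mail_from: str        # envelope (MAIL FROM) domain that SPF evaluated
    dkim_result: str      # "pass" / "fail" / "none"
    dkim_domain: str      # d= domain of the DKIM signature, "" if unsigned

def dmarc_disposition(msg, record=""):
    """Return 'pass', 'no-policy', or the published policy to apply on failure."""
    tags = parse_dmarc(record)
    if not tags:
        return "no-policy"  # nothing published: only spam heuristics remain
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mail_from, msg.header_from, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.header_from, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

# Constructed sample: SPF passes for the sender's own domain, From: names another.
SPOOF = Message("bank.example", "pass", "sender.test", "none", "")
LEGIT = Message("bank.example", "pass", "bounce.bank.example", "pass", "bank.example")
```

The spoofed sample passes SPF on its own, which is why SPF alone does not stop it; only the alignment test against the visible From: domain, backed by a published `p=reject`, turns that into a refusal.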

The National Cyber Security Centre talks about it continuously, and a wide range of governments recommend you use it too. Yet many organizations globally still haven’t adopted a DMARC policy of p=reject. Why? Because enabling DMARC to actively reject unauthorized traffic requires a bit of know-how, and without the right AI-enabled tools, it can be a complicated task.

OnDMARC is a simple DMARC solution for every business

Using the Red Sift platform, we built OnDMARC, the software as a service (SaaS) that acts as a step-by-step guide for anyone wanting to make their email secure by enabling DMARC at p=reject. OnDMARC analyses email traffic on your domain automatically, and then tells you how to set up the protocol to stop hackers while letting legitimate emails through the net.

OnDMARC takes the complexity and guesswork out of implementing DMARC. You don’t want to delve into the black art of email security protocols, you want a simple solution to the problem so you can get back to your business. We built OnDMARC with this vision in mind: it’s straightforward enough that anyone can do it, even if they have no IT experience.

The average time it takes for OnDMARC customers to get to p=reject is 4 – 8 weeks, as opposed to months.

OnDMARC improves email deliverability

Security isn’t the only benefit of OnDMARC. Ever have your emails get sent straight to the spam box of a client? Have a newsletter with really low open rates? That’s because most email domains are badly configured, which means the emails they send out to the world look a bit suspicious to other domains. Legitimate emails can get stuck because they look suspicious — even though it really is you!

OnDMARC goes a long way to solving this problem. It reconfigures your settings, which puts the emails you send above suspicion and straight to the top of your clients’ inboxes too. This is a business enabler that stops you from throwing money down the drain.

DMARC is for every business

DMARC works best when we all have it. The more email domains and companies that have this protection, the harder it will be for hackers to exploit this hole in the internet.

So at Red Sift, we want to make sure there are no barriers to adoption. We price our product to scale with your email volume and we offer a free trial too. OnDMARC basic is free for all charities, with 50% off for larger packages. OnDMARC can also be integrated with your SSO or existing operational dashboards via our API, so we have you covered.

OnDMARC secures your email from exploitation, protects your customers, shuts the front door on hackers, and improves the deliverability of every email you send. It’s hard to get better than that. Why not try it out with a 14-day free trial, and begin securing your business email today?



Rahul Powar

13 Apr. 2017


