

Anti-Phishing and DMARC

  • Date : 11 May 2017

  • Time : 11:00 AM to 07:42 PM IST

  • Topic : Anti-Phishing and DMARC Implementation

  • Collaborators : PayPal Inc. & ICICI Bank


Trent Adams

Director of Information Security for PayPal

Trent Adams is a technologist, strategist, and futurist focused on online identity, privacy, and security. He is currently a Director of Information Security for PayPal, leading the Ecosystem Security team. His experience spans pioneering digital media production to running highly trafficked websites and e-commerce engines, to supporting various specification, standards, and advocacy communities. Among his industry roles are being a founding officer of the Data Portability Project, first Chair of the Kantara Leadership Council, and Chair of His reach also extends to galaxies far, far away as he was an extra in Star Wars VII: The Force Awakens.

Bhavin B. Bhansali

Deputy CISO, ICICI Bank

Bhavin B. Bhansali has been with ICICI Bank for the past 14 years, about 7 of them in the Bank's Information Security Group. He is deputy to the CISO and heads areas such as incident management, vulnerability management and security awareness. Prior to ICICI Bank, he worked in Business Continuity and Risk Management for a leading IT services company in India. He has been awarded several IT and information security certifications, such as CISA, SANS GSEC, MCSE, CCNA, ISO 27001 lead auditor and Air tight wireless administrator. He has played a key role in conceptualizing, planning, implementing and monitoring the DMARC initiative in the Bank.

Vivek Srivastav

Research and Innovation vertical, ReBIT

Vivek Srivastav leads the Research and Innovation vertical at ReBIT. In this industry-facing role he is responsible for delivering ReBIT's threat intelligence strategy to strengthen the cybersecurity posture of the financial sector, and for introducing new technologies to further RBI's mandate of creating a safe economic environment of growth and financial inclusion. He is working with industry stakeholders and academic institutions to bring best practices and create execution-focused impact on the overall cyber resiliency of the sector.


What is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email. 

When implemented appropriately, DMARC enables organizations to reduce spam and phishing emails sent to their customers and employees from unauthorized senders and domains. It supports fraud protection, simplified email delivery and domain reputation. In addition, it benefits the domain management and compliance functions of the organization.

What is SPF?

SPF, or Sender Policy Framework, is a protocol for email message authentication. The SPF specification identifies a set of domains that are allowed to send emails on behalf of an organization. An organization may work with various third parties and enable them to send emails on the firm's behalf (such as marketing emails, payroll etc.). It is implemented using a DNS record. SPF is defined in RFC 7208.

What is DKIM?

DKIM, or DomainKeys Identified Mail, is a protocol for email message authentication. The DKIM specification enables the receiving mail agent to verify that the sender has indeed sent the email. The sender publishes its public key in a DNS record for the domain. The outgoing email server signs the hash of the email with the sender's private key, and the receiver validates that signature using the sender's public key (published in the DNS DKIM record).

Don’t Receivers use SPF and DKIM results already?

Companies receiving email from the Internet apply many different methods to analyze incoming messages, including SPF and DKIM as well as spam filters, rate limiters, and many other techniques. But frequently Receiver A is performing one set of checks, while Receiver B makes a different set of checks or treats the messages that fail those checks in a completely different way. So one receiver may treat a message with a little more suspicion if it fails an SPF check, while another may subject that failing message to an expensive in-depth analysis to determine if it’s spam or not.

DMARC doesn’t eliminate the need for additional forms of analysis, but it does provide a way for participating senders and receivers to streamline the process by coordinating their efforts. If Receiver A can tell that Sender B is using DMARC, then Receiver A can have more confidence in the decisions they make about messages using Sender B’s domain. Because they can more clearly tell which messages are legitimate and which aren’t, they can reduce their processing overhead while preventing more spam and phishing messages from reaching their customers’ inboxes.

How can I tell if DMARC is making a difference?

DMARC restricts fraudsters from impersonating your domain to send malicious emails. Since DMARC is initially deployed in monitoring mode, you will be able to identify the number of spoofed emails being sent in your organisation's name. Once you move to block mode, you will normally see a reduction in spoofed email, which is rejected by the consumer mailboxes supporting DMARC.

When can I expect to receive my first aggregate report?

If you implement DMARC on your active domain, you should ideally expect to receive your first aggregate report 24-48 hours after implementing it. The timing also depends on the TTL value set by the organisation on its DNS server.
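Aggregate reports arrive as XML documents in the format defined in RFC 7489. The following added example (not part of the original page) shows how such a report can be summarised to count failing mail and rank the sending IPs behind it; the report content, `bank.example` and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report in the RFC 7489 aggregate format; every value is made up.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>bank.example</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>25</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>310</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.45</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize_aggregate_report(report_xml):
    """Count DMARC pass/fail volume and rank the source IPs that fail."""
    # Reports come from external receivers: refuse DTDs (entity expansion).
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(report_xml)
    published = root.find("policy_published")
    passed = failed = 0
    failing_sources = Counter()
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count", default="0"))
        evaluated = row.find("policy_evaluated")
        # <dkim>/<spf> here are the alignment-aware DMARC results;
        # a message passes DMARC when either one is "pass".
        results = (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        if "pass" in results:
            passed += count
        else:
            failed += count
            failing_sources[row.findtext("source_ip")] += count
    return {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "pass": passed,
        "fail": failed,
        # Failing sources are either spoofers or legitimate senders
        # still missing from SPF/DKIM; review before enforcing.
        "top_failing": failing_sources.most_common(5),
    }


if __name__ == "__main__":
    print(summarize_aggregate_report(SAMPLE_REPORT))
```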

My mail is going to the spam folder now, is DMARC the problem?

If the SPF, DKIM and DMARC policies are not properly defined, there is a possibility of mail going to the spam folder. It is always advisable to first implement DMARC in monitoring mode, analyse the aggregate reports to identify any issues in the implementation, and then gradually migrate the mail to quarantine mode. When migrating, subject only a small percentage of mail to the DMARC policy so that the impact on the organisation's emails is minimal.

I have domains that do not send emails, how can I protect them?

Even if a domain that you own is not used for sending emails, fraudsters may still use it for malicious activity, and end users may fall prey to this attack vector. Hence it is advisable to implement DMARC for these domains as well.
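Both the staged rollout described in the spam-folder answer and the advice for non-sending domains come down to what the published DMARC record says. The following added example (not part of the original page) parses a record and reports which stage it represents, using the `p`, `pct` and `rua` tags from RFC 7489; the sample records, `bank.example` and the function names are constructed for illustration.

```python
# Constructed sample records; bank.example and the report address are placeholders.
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@bank.example"
PARTIAL = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@bank.example"
PARKED = "v=DMARC1; p=reject"  # non-sending domain, published without rua=


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; raise ValueError if invalid."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag and p= is required.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def rollout_stage(record):
    """Return (stage, warnings) for a published DMARC record."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    warnings = []
    if "rua" not in tags:
        warnings.append("no rua= address, so no aggregate reports will arrive")
    if policy == "none":
        stage = "monitoring"
    elif pct < 100:
        stage = f"partial {policy} ({pct}% of failing mail)"
    else:
        stage = f"full {policy}"
    return stage, warnings


if __name__ == "__main__":
    for rec in (MONITORING, PARTIAL, PARKED):
        print(rollout_stage(rec))
```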