Blog category


BEC (Business Email Compromise) is a targeted email fraud with a potentially high financial impact. Last year, as per the IC3 Report, cybercrime led to $3.5 billion in losses in the US alone, with BEC fraud accounting for almost half of that. This year has also seen a surge in this particular type of fraud.

Implementing the DMARC framework is critical to preventing losses from BEC fraud. A BEC attack starts with a fraudulent email, usually impersonating an executive or other high-level staff member of the organization, sent to an employee. The email then requests a payment or transfer of funds, which can lead to millions in losses.

To prevent such fraud from impacting your organization, consider the following two points:

  1. DMARC Implementation: The DMARC framework needs to be effectively implemented, with the policy progressed from ‘None’ to ‘Reject’ by analyzing aggregate reports. This entails identifying and authorizing all of your legitimate email sending sources.

  2. Inbound DMARC Check: Enabling the DMARC check for your incoming emails is a simple step, done through the admin console of your email gateway. Simply check the box for the option to enable DMARC on incoming email traffic.

With these two processes implemented, BEC fraud would be successfully prevented. Your employees will be safeguarded from receiving scam emails impersonating your organization’s domain.

Best Practices on Email Security / Email Protection

Email is the primary communication channel between organizations, passing through the cloud, so the email gateway plays an essential role in every business. Scammers exploit this critical channel by using phishing emails to compromise your organization’s email infrastructure. Hence, choosing the right email gateway for your company directly impacts your security infrastructure.

According to cybersecurity experts, widely distributed, cloud-based email security gateways are preferable. These gateways receive reports from many large enterprises, covering more malicious IP addresses and domains and resulting in an extensive database of attacks identified daily. However, if a cloud-based gateway is not an option, look for an email gateway that includes these main elements:

  • DKIM signature support, which enables your legitimate emails to be digitally signed and verified by the receivers.
  • A sandboxing feature, allowing email attachments and content to be safely scanned for malware and viruses.
  • Advanced, up-to-date threat intelligence to automatically blacklist or whitelist domains and senders according to their email reputation.
  • Auto-pull functionality to automatically pull emails identified as threats from your employees’ mailboxes.

In addition to the above, you should also place emphasis on the following configurations:

  • Anti-spoofing and anti-spam rules.
  • A rewrite policy for hyperlinks, allowing you to trace clicks on URLs included within an email, in addition to monitoring the gateway logs daily.
  • Enabling the authentication checks (SPF, DKIM, DMARC) on your email gateway’s inbound traffic to verify the sender of each email, thus establishing the authenticity of the received email.

These basic guidelines will make your email gateway more effective at dealing with forged emails and protecting your organization from receiving such malicious emails.

DMARC in 2020

DMARC is a relatively new framework, first published in early 2012, whose primary purpose is to protect you from being impersonated over email. This gives a new paradigm to 'email security': unlike most people's perception, DMARC secures your outbound email, by authorizing your legitimate email sending sources, rather than your inbound email. This paradigm shift may lead many corporations to become aware of the importance of implementing the DMARC framework.

In early 2020, the COVID-19 pandemic was taking the headlines, and while people were caught up in the chaos, hackers took advantage of the situation. Fake email scams began to surge, impersonating large industries; 61% of airlines had no published DMARC record, leaving them open to these attacks. These fraudulent emails usually aim to make a profit by stealing the clients' banking information.

These emails seemed genuine because they were sent from the exact domain of the organization. An example of that is the case of WHO (World Health Organization), where the domain "" was spoofed and hackers sent emails impersonating the organization, asking for donations and money transfers. The same scenario was repeated with various schools and organizations, all either shut down or working remotely.

Banks and airlines were hit hardest: they were held liable for not securing their domains and, as a result, suffered reputational as well as monetary losses.

The year 2020 has shown us the importance of implementing DMARC properly on our domains, progressing from the 'none' policy all the way to the 'reject' policy. Not only does this protect our companies and organizations, but also the people who interact with them.

DMARC Compliance of Auto-Generated Emails

Auto-generated emails, also known as automatic responses, are emails that are generated and sent by your email server. Some of the most common types are:

  • Out-of-office or vacation notices.
  • Change of address.
  • Service responders.
  • NDR (Non-Delivery Receipt) responses.

According to RFC 2298, the return-path of these auto-generated emails MUST be null (<>), which ensures that no ‘Delivery Status Notification’ messages are sent back in response. In this case the message can be assumed to be generated by the mail server itself, so for the SPF check the EHLO/HELO hostname is used in place of the empty return-path.

SPF Compliant

The SPF check for these auto-generated emails is performed against the EHLO/HELO hostname, and passes only if that hostname has an SPF record configured that includes the sending IP address.

DMARC Compliant

If the sender domain has a DMARC record configured, the HELO hostname MUST be changed/rewritten to be a subdomain of the sender domain. This results in the SPF alignment check passing, and therefore DMARC passing; read more about DMARC alignment here.

DKIM workaround

If changing/rewriting the HELO name is not possible, the domain’s DKIM key can be used to sign these emails on the email gateway. For this, the option “Signing emails with no envelope address” must be enabled.

Configuring SPF/DKIM for auto-generated emails can be tricky. You can generate a DMARC record here and sign up for FREE to use our DMARC360 Portal.

DMARC Policies

DMARC has three policies: None, Quarantine and Reject. Their purpose is to ensure appropriate DMARC implementation with limited impact on your genuine emails.

None Policy

This stage is the monitoring mode, where you refine your SPF and DKIM records. This policy lets you monitor the results of your SPF and DKIM checks without any impact on your emails, which allows you to identify and authorize your genuine email sending points.

When all legitimate sources are identified and authorized, you can move on to the Quarantine policy.

Quarantine Policy

In this stage the receiver marks your emails as spam if they fail both the SPF and DKIM authentication checks. This enables you to monitor the effect of DMARC on your outgoing emails and make sure your legitimate emails are not being marked as spam.

Reject Policy

Only once it is verified that none of your genuine emails are being “quarantined” can you move on to the Reject policy. This tells the receiver NOT to accept the email at all if both SPF and DKIM authentication fail.
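To tie together the auto-generated email case above (null return-path, HELO used as the SPF identity, HELO rewritten to a subdomain of the sender domain or a DKIM signature added instead) and the three policies just described, here is an added Python example that is not from the original posts or DMARC360: it chooses the SPF identity, checks relaxed (aspf/adkim=r) or strict (=s) alignment against the From domain, and maps a failure to the action the p= tag requests. The organizational-domain helper is a deliberate simplification (last two labels) standing in for the Public Suffix List lookup DMARC really uses; all domains and record values are constructed.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplified organizational domain (last two labels). Real DMARC (RFC 7489)
    # consults the Public Suffix List, so "example.co.uk" would need that list.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identity: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same org domain."""
    if mode == "s":
        return identity.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identity) == org_domain(from_domain)

def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain that DMARC aligns against
    mail_from: str     # RFC5321.MailFrom domain; "" for a null sender (<>)
    helo: str          # EHLO/HELO hostname presented by the sending MTA
    spf_pass: bool     # SPF verdict on whichever identity was checked
    dkim_domain: str   # d= of a verified DKIM signature, "" if none verified

def dmarc_verdict(r: AuthResult, policy: dict) -> tuple:
    """Return (dmarc_result, action) for one message under the parsed policy."""
    # Null return-path: SPF is evaluated on the HELO hostname instead, which is
    # why the post wants HELO to be a subdomain of the sender domain.
    spf_identity = r.mail_from or r.helo
    spf_ok = r.spf_pass and aligned(spf_identity, r.from_domain, policy.get("aspf", "r"))
    dkim_ok = bool(r.dkim_domain) and aligned(r.dkim_domain, r.from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:           # one aligned pass is enough for DMARC
        return "pass", "deliver"
    # Both failed: the receiver applies whatever the p= tag requests.
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions.get(policy.get("p", "none"), "deliver")

if __name__ == "__main__":   # constructed out-of-office reply with a null sender
    rec = parse_dmarc_record("v=DMARC1; p=reject; aspf=r; adkim=r")
    print(dmarc_verdict(AuthResult("example.com", "", "mail.example.com", True, ""), rec))
```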

To ensure appropriate DMARC implementation, signup for FREE now!