Email — The Achilles Heel of Cybersecurity That Lets Everyone Down

A hole in the way the global email infrastructure works exposes every business to cyber-criminals. DMARC is a new security protocol that secures your email, protects your clients and improves the deliverability of every email you send.

When we started Red Sift, we wanted to unlock the data hidden in every business, and help decision makers make better choices as they grow and adapt to ever-changing conditions. We began with deep email integration — simply because it’s a datastore that every single person in every business has. We’ve all got thousands of emails with to-do lists, client contacts and meetings and attachments we were meant to look at. This is a tremendous consolidated view of our digital lives.

As we built a platform to transform this data into insight, we knew that security was going to be a prime concern. No business wants to give a third-party program, however respectable, a view of their email! We built and contributed code to the various email security libraries out there but quickly ran into a big problem.

Existing email security is completely ineffective.

It is entirely straightforward, and very easy to effectively impersonate someone online. I don’t mean on a chatroom, or through the ‘dark web’. With just a few lines of code, it’s possible to ‘borrow’ email address and send malicious email that looks genuine. To demonstrate this, look at what I just did.

I have redacted some of the commands, but anyone who can parse an open RFC — and most hackers can — knows what needs to be done.

Banco Popular did not send this email. I did, using a tool you probably have installed on your computer. On the left, I used telnet (a simple program that has been around since 1969 and comes pre-installed on every Mac, Linux and most Windows machines), and emulated the email protocol, effectively impersonating someone else — in this case, one of Spain’s biggest financial institutions.

And unlike standard phishing attacks — those emails that look legitimate but the reply address is clearly suspicious (you know ‘theocb@sgsfg.id’, or the like, when it purports to be from FedEx) — the email address in this attack looks completely legitimate — ‘customer-support@bancopopular.es’). With just a single email to go on, your email server will think it’s ok, and let it through your spam filter. And if you have a Banco Popular account, you’ll probably think so too!

My co-founder didn’t send this. I disabled our protections to let this spoof through.

Ok, so you may not have a BP bank account, and ignore this email. But this tactic works with most email address. What if you got an email from your co-founder, or your MD? Or your chairman, asking you to review a document they’re working on? And it looked like this?

You’d probably click on it. Why wouldn’t you? It even has your chairman’s name and picture — the GMail iOS App even does me the courtesy of filling in the Google+ profile picture encouraging you to act.

Your Email Is the Back Door To Your Business

Crucially, and terrifyingly, no accounts needed to be hacked or passwords stolen. I didn’t have to go to the dark web and find exotic exploits or buy lists of compromised mail servers. All I needed was telnet and a little social engineering — looking up your chairman or directors on LinkedIn to get their names would be enough.

We all trust our email providers (Google, Microsoft etc.) to effectively handle security of our email identities online. But this impersonation technique is part of a deeply rooted problem— emerging from the unfortunate way mail relay has worked since the dawn of the Internet..

You may have invested in cyber security measures, have a modern strong password policy and enabled 2FA (or your IT may have). It doesn’t matter. All of this can be sidestepped by exploiting the pervasive weakness in email leading to further compromises across the rest of your security infrastructure. It’s like securing your house with the latest alarm systems and then leaving the front door wide open.

But There Is A Fix. Meet DMARC.

Just because it’s part of the way the internet works doesn’t meant that it’s not solvable. If you tried this tactic against Red Sift today, the GMail server would actively reject your telnet session and log you off. The front door slammed in your face. This is because we have adopted a new protocol across our organisation called DMARC and we have enabled it to reject unauthorised traffic.

With our protections re-enabled, my attempt fails.

What is DMARC?

DMARC is an email security protocol that prevents anyone ‘borrowing’ your domain in this way. When you have DMARC, it’s impossible for anyone to impersonate your email domain. They can’t pretend to be your co-founder — or anyone else in your business. They can’t pretend to be you to other people, either. So there’s no worry that hackers might use your email domain to send fake emails to your clients. HMRC is using DMARC right now on their email — and now block over 300m unauthorised emails a year.

The National Cyber Security Centre talks about it continuously. A wide range of governments recommend you use it. Yet most organisations do not have DMARC — in the UK, just 3% of businesses use it. Why? Because enabling DMARC to actively reject unauthorised traffic requires a bit of know-how or your legitimate email will also go nowhere.

OnDMARC — a Simple DMARC Solution for EVERY Business

We used Red Sift, to build a service that acts as a step-by-step guide for anyone who want to make their email secure. OnDMARC analyses email traffic on your domain automatically, and then tells you how to set up the protocol to stop hackers while letting legitimate emails through the net.

OnDMARC takes the complexity and guesswork out of implementing DMARC. You don’t want to delve into the black art of email security protocols, you want a simple solution to the problem so you can get back to your business. We built OnDMARC with that vision in mind — it’s simple enough that anyone can do it — even if they have no IT experience at all.

OnDMARC Improves Email Deliverability

Security isn’t the only benefit of OnDMARC. Ever have your emails get sent straight to the spam box of a client? Have a newsletter with really low open-rates? That’s because most email domains are badly configured, which mean the emails they send out to the world look a little bit suspicious to other email domains. Legitimate emails can ‘get stuck’ because they look suspicious — even though it really is you! OnDMARC goes a long way to solving this problem. It reconfigures your settings, which puts the emails you send above suspicion — and straight to the top of your clients’ inboxes. This is a business enabler that stops you throwing money down the sink.

DMARC is for Everyone

DMARC works best when we all have it. The more email domains and companies that have this protection, the harder it will be for hackers to exploit this hole in the internet. So at Red Sift, we want to make sure there are no barriers to adoption. We price our product to scale with your email volume — it starts off being free. And if you are a registered charity, we are completely free to you. OnDMARC can also be integrated with your SSO or existing operational dashboards via our API, so we have you covered. If you want to “set it and forget it” and have a bot let you know about exceptions that need your attention, it can do that too.

DMARC secures your email from exploitation, protects your customers, shuts the front door on hackers, and improves the deliverability of every email you send. Hard to get better than that.

Psssst: If you want to know how DMARC works, we and others have put together lots of information.


Curious about your email address or domain? Try our handy online tester and we will tell you your risk to email impersonation in a few seconds.


TLDR: don’t use email without DMARC. You are leaving the front door open.