by Paul Crighton
Spoofing, where an organisation’s contact information (phone number, email, and website) is used by cybercriminals to create an appearance of authenticity, is an increasing problem across the globe.
Domain spoofing can be used to create website addresses that mimic legitimate URLs, but instead direct unsuspecting users to sites that can infect them with malware or steal their login credentials. It can also be used to generate emails that appear to come from the address of a legitimate organisation, lulling recipients into a false sense of security.
This spoofing poses a significant threat to educational institutions. Many schools have limited cybersecurity resources and a diverse user base of children, parents, teachers, and other stakeholders. This includes tech-savvy students who may attempt to exploit existing security vulnerabilities or avoid security firewalls designed to protect them.
Spoofing may damage the trust and credibility of a school, especially if the attack contains offensive or misleading content, or if it is used to spread malware or spam to other contacts. Through email and domain spoofing, fraudsters could trick school staff into transferring money to fake accounts or paying fraudulent invoices. Hackers could access sensitive information, such as student records, staff payroll, or exam results, and use it for identity theft, blackmail, or ransomware.
Fortunately, there is a readily available and increasingly used technology that can protect educational institutions from having their email domains spoofed and abused by cybercriminals: Domain-based Message Authentication, Reporting, and Conformance (DMARC). Since February 1, 2024, several major online platforms, including Google, require bulk email senders to have additional email security protocols in place. K-12 educational institutions across Australia are likely to fall under this new requirement.
Building a layered defence in K-12
Implementing DMARC is important for K-12 educational institutions because it can help them plug a critical security gap.
Furthermore, educational service providers like Blackboard, PowerSchool, and MySchoolBucks are often authorised by schools to send students mass emails that appear to originate from the school’s domain. This is essentially an instance of ‘legitimate spoofing’, which enables more convenient communication with students. However, if Google Workspace or Yahoo hosts these domains, these service providers can no longer send these emails unless the school has fully implemented DMARC.
Both Google and Yahoo have updated their email security policies and will block all emails that appear to come from domains that have not implemented DMARC, which may seriously affect the day-to-day operations of a school.
Sender domains that deliver more than 5,000 emails per day to Gmail or any Google Workspace-hosted entity must have implemented DMARC or risk having legitimate inbound email messages rejected.
DMARC works in conjunction with two other email verification technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which are implemented across both the sender’s and recipient’s domains.
SPF specifies which email servers are authorised to send emails carrying a particular domain address. The receiving email server uses this information to determine whether to accept, reject or flag incoming mail as suspicious.
DKIM, on the other hand, appends a digital signature to an email to confirm that a message was sent and authorised by the domain owner from which it purports to come.
DMARC adds an additional layer of security to these two technologies. When DMARC is implemented, another record is sent to receiving email servers, which tells them how they should handle any messages that fail the SPF or DKIM tests of authenticity: pass, reject or quarantine the message.
DMARC can also send an aggregated report to schools’ IT teams, which details how all emails from the school’s domain have been handled by receiving email servers. This enables IT staff to quickly see if their domain has been spoofed.
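As an added example (not part of the original article), the Python below reads one aggregate report of the kind described above and lists the sending IP addresses whose messages passed neither DKIM nor SPF. The report is a constructed sample in the RFC 7489 aggregate-report XML layout; `school.example`, `receiver.example` and the IP addresses are placeholders, and `summarise` is a name chosen for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (RFC 7489 layout, trimmed). Domains and IPs are
# documentation placeholders, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>school.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>school.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>school.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>12</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>school.example</header_from></identifiers>
  </record>
</feedback>"""


def summarise(report_xml):
    """Return (domain, published policy, {source_ip: count}) for DMARC failures.

    A record counts as a failure only when neither DKIM nor SPF passed, so a
    forwarder that breaks SPF but keeps a valid DKIM signature is not flagged.
    """
    # Reports arrive from third parties: in production, parse with a hardened
    # XML parser such as defusedxml rather than the stdlib parser used here.
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    failures = Counter()
    for row in root.iter("row"):
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            failures[row.findtext("source_ip")] += int(row.findtext("count"))
    return domain, policy, dict(failures)


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```

An address that appears in the failure map and is not one of the school's own mail servers or authorised third-party senders is the one to investigate.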
The current policy changes from Google and Yahoo will make full DMARC implementation essential for many schools, but even those that don’t use Google or Yahoo should ensure they have fully implemented the technology.
Traditionally, schools have struggled to configure their email security properly, often placing this in the “too hard” basket. However, modern solutions combined with DMARC greatly simplify this process and offer numerous benefits including:
- Email authentication: DMARC will prevent unauthorised users—internal and external—from using the school’s domain.
- Third-party sender verification: the protections offered by DMARC will extend to any organisation sending emails from the school’s domain on its behalf.
- Reputation protection: DMARC will prevent legitimate emails from being blocked or flagged as suspicious by receiving email servers.
- Real-time reporting and visibility: the school will immediately receive notification of any spoofing of its domain name, enabling it to respond rapidly and effectively.
- Compliance with email-provider mandates: the school will be able to ensure that major organisations like Google and Yahoo do not block emails carrying its domain name from legitimate third parties.
By embracing DMARC, educational institutions can significantly enhance their email security posture, safeguard their domains, and ensure reliable communication channels with their stakeholders.
For more information on DMARC and how to implement this in your school, please review the official Australian Government guidelines.
Paul Crighton is the Managing Director at Barracuda Networks.