DMARC is Effective in Protecting Educational Institutions from Targeted Impersonation Attacks

Schools, colleges and universities are attractive targets to cybercriminals because of the amount of personal data they collect, process and store. This personal data can include residential addresses, social security numbers and bank account information. Colleges and universities, specifically, also have troves of detailed information about current research efforts that attackers may want to get their hands on. To gain unauthorized access to data or money, cybercriminals frequently target students, parents and faculty by impersonating educational institutions and sending out fake emails that ask for login credentials, personal information or money transfers. These attackers rely on the authority of educational organizations to make recipients more likely to comply quickly. Successful phishing campaigns of this nature can lead to financial and reputational loss as well as serious legal action. Enforcing a DMARC policy helps prevent your organization from being spoofed in phishing attacks, ensuring that students, parents and employees only see emails that authentically come from you. As an added bonus, DMARC increases email deliverability to enable streamlined communication.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) helps protect your organization by providing visibility into active threats using your domains, thus giving you the ability to stop them before they are delivered. DMARC is an email validation system used to protect an organization’s email channel from spoofing, phishing scams and other email-borne attacks. Established by Google, Yahoo!, Microsoft and others in 2012, DMARC builds on existing email authentication techniques SPF and DKIM to strengthen your domain’s fortifications against fraudulent use. DMARC is the best way for email senders and receivers to determine if a given message is authentically from the sender and decide what to do if it is not. It also helps improve your educational organization’s email deliverability to the inbox, meaning you can reach more people more often.


Most Schools Get a Failing Grade When it Comes to DMARC

The educational sector is not on its A game when it comes to protecting against spoofing. A study of the top 200 U.S. schools in the 2020 WSJ/THE College Rankings found that only six schools had DMARC deployed and set to block suspicious email — that’s only 3%. Of those 200 colleges and universities, 58% did not have a DMARC record in place at all. Cybercriminals have taken note and repeatedly exploited schools’ vulnerabilities. In 2019, Oregon University lost personal information relating to over 600 students when an employee fell for a phishing scam. In the same year, a phishing scam tricked Wichita State University employees into handing over login credentials, which subsequently enabled cybercriminals to access other employees’ banking information and steal money. Student loan scams are also increasingly common. While colleges and universities are institutions of learning and academic advancement, they are also businesses that garner attention from cybercriminals for their valuable assets.


DMARC Benefits for Educational Institutions

Students, parents and faculty members look to schools as a place of authority and trust. To maintain that trust, it’s crucial to secure all channels of communication. DMARC empowers your school, college or university to take control of its email domain while experiencing the following benefits:

Online brand protection: Educational organizations are common targets for cybercriminals to impersonate for malicious purposes. DMARC protects your brand’s integrity by keeping your organization out of their arsenal of easily spoof-able email domains.

Increased email deliverability: By deploying DMARC authentication, you signal to email receivers that your organization’s emails are legitimate, ensuring they’re delivered to the inbox rather than blocked or sent to the spam folder.

A published policy that instructs ISPs and other email receivers to deliver, quarantine or delete emails: With DMARC, you can decide if potential abuses of your email domain are solely reported back to you without further action (p=none), quarantined for further review (p=quarantine) or — the gold standard — automatically rejected (p=reject).

Greater visibility into cyber threats: DMARC’s reporting capability enables you to monitor all authorized third parties that send emails on your behalf, alongside those that are not authorized. This helps ensure compliance with security best practices and aids investigations into email security or phishing issues.
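The reporting benefit above is delivered as aggregate (RUA) reports that mailbox providers send to the address in your DMARC record. The following is an added example, not code from the page or from Mimecast/DMARC Analyzer: it parses a constructed RFC 7489-style aggregate report and totals, per sending IP, how much mail passed or failed DMARC, which is exactly the view you need to separate legitimate third-party senders that still need SPF/DKIM configuration from sources that are spoofing the domain. The IPs are documentation addresses and school.example is a placeholder domain.

```python
"""Summarize a DMARC aggregate (RUA) report by sending source.

Added example, not code from the page or from Mimecast/DMARC Analyzer.
SAMPLE_REPORT is a constructed sample in the RFC 7489 aggregate-report
format; the IPs are documentation addresses and the domain is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: one passing source (the school's own mail
# service) and one source that fails both SPF and DKIM (a spoofer, or a
# vendor nobody configured for SPF/DKIM yet).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1600000000</begin><end>1600086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>school.example</domain>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>school.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>school.example</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published_policy, per_source_totals).

    per_source_totals maps source IP -> {"messages", "dmarc_pass", "dmarc_fail"}.
    A row counts as a DMARC pass when either aligned DKIM or aligned SPF
    passed, which is the DMARC rule in RFC 7489 section 6.6.2.
    """
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    totals = defaultdict(lambda: {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        totals[ip]["messages"] += count
        totals[ip]["dmarc_pass" if passed else "dmarc_fail"] += count
    return policy, dict(totals)


def unauthorized_sources(xml_text):
    """IPs whose traffic failed DMARC entirely: candidates for investigation,
    or for an SPF/DKIM fix if they turn out to be a legitimate vendor."""
    _, totals = summarize_report(xml_text)
    return sorted(ip for ip, t in totals.items() if t["dmarc_pass"] == 0)


if __name__ == "__main__":
    policy, totals = summarize_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, t in totals.items():
        print(f"{ip:16} sent={t['messages']:5} pass={t['dmarc_pass']:5} fail={t['dmarc_fail']:5}")
    print("failing sources:", unauthorized_sources(SAMPLE_REPORT))
```

Real reports arrive as gzipped or zipped XML attachments and a domain with many senders produces thousands of rows, so in practice this per-IP roll-up is the first step of the ongoing monitoring the article recommends: every new failing source is either a vendor to bring into SPF/DKIM alignment before moving to p=reject, or abuse of the domain that the policy should block.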

Prevent Email Phishing and BEC Attacks

Email is the backbone of professional and educational communication. Unfortunately, it’s also the starting point for 95% of cyberattacks. Though cybersecurity technologies have made great advancements, it has been historically difficult to remedy an inherent security weakness that came with the democratization of email: anyone can create an email account and send emails under a false identity as well as a false domain. Countless reputable educational institutions have been exploited by criminals to execute phishing and BEC attacks. Any association with criminal phishing campaigns can be devastating for a school — especially when it could have been prevented by enforcing stricter security standards like DMARC.

How to be DMARC Compliant

Now that you understand why DMARC is important for your educational organization, let’s get started on how to ace DMARC deployment. To achieve maximum return on your DMARC investment, educational institutions must complete the necessary steps to correctly implement DMARC. Domain owners must kick off and manage a DMARC project, which includes discovering all of your owned domains, learning what legitimate services are sending email on your behalf, properly configuring those services from an SPF and DKIM perspective and, of course, publishing a DMARC record (try our DMARC Record Generator). DMARC Analyzer offers different levels of tailored services to help guide your organization through the process. Though DMARC is a key part of any cybersecurity program, it is not a standard that can be deployed, configured, activated and then forgotten. After DMARC has been successfully implemented – set to “reject” for all of your domains – it is imperative that your organization establishes a program of ongoing monitoring. In 2020, Mimecast embarked on its own journey to use DMARC across all of its owned domains. The project was documented in a three-part blog series for other organizations to use as a resource.
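The last step of the project above is publishing a DMARC record, and the policy choices it carries (none, quarantine, reject) are the ones listed under the benefits section. The following is an added example, not code from the page or from the DMARC Record Generator the text mentions: it parses a DMARC TXT record the way a receiver would, rejects malformed ones, and grades the record so a monitoring job can flag a domain that is still at p=none, is only sampling enforcement with pct, or has no rua address and therefore collects no reports. The domains and mailboxes are placeholders.

```python
"""Parse and grade a DMARC DNS TXT record.

Added example, not code from the page or from Mimecast/DMARC Analyzer.
Demonstrates the three policies (none, quarantine, reject) and what an
ongoing monitoring check should look at: the policy, the pct sampling rate,
the subdomain policy and whether aggregate reporting (rua) is enabled.
Domains and mailboxes below are placeholders.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.

    Raises ValueError for records a receiver would ignore: missing or
    misplaced v=DMARC1, missing p=, or an unknown policy value.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 section 6.3: v must be the first tag and must read DMARC1
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= policy")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown policy: {tags['p']!r}")
    tags["p"] = tags["p"].lower()
    tags.setdefault("pct", "100")      # default when omitted
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p when omitted
    return tags


def grade(txt):
    """Return (grade, reason).

    'enforcing' only for p=reject at pct=100 with subdomains also at reject;
    'partial' for quarantine, sampled enforcement or weaker subdomain policy;
    'monitor-only' for p=none. A missing rua is noted in every case.
    """
    tags = parse_dmarc(txt)
    pct = int(tags["pct"])
    notes = []
    if "rua" not in tags:
        notes.append("no rua: aggregate reports are not being collected")
    if tags["p"] == "none":
        return "monitor-only", "; ".join(["p=none reports abuse but does not block it"] + notes)
    if tags["p"] == "quarantine" or pct < 100:
        return "partial", "; ".join([f"p={tags['p']} pct={pct}"] + notes)
    if tags["sp"] != "reject":
        return "partial", "; ".join([f"subdomains only {tags['sp']}"] + notes)
    return "enforcing", "; ".join(["p=reject pct=100"] + notes)


def build_record(policy, rua_mailbox, pct=100):
    """Produce the TXT value to publish at _dmarc.<domain>."""
    if policy not in VALID_POLICIES:
        raise ValueError(policy)
    return f"v=DMARC1; p={policy}; sp={policy}; pct={pct}; rua=mailto:{rua_mailbox}"


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@school.example",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@school.example",
        build_record("reject", "dmarc-reports@school.example"),
        "v=DMARC1; p=reject",
    ):
        print(f"{rec!r:80} -> {grade(rec)}")
```

The usual rollout mirrors the grades: start at p=none with rua set so reports arrive, move to p=quarantine with a low pct once all legitimate senders pass, then raise pct to 100 and switch to p=reject, keeping the monitoring in place afterwards so a newly onboarded mail service that lacks SPF/DKIM shows up in reports before its mail is rejected.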