The VRC Newsletter (October 8)
Building a Cyber Strong America: DMARC + BEC Playbooks You Can Deploy This Week
Email Authentication: Stops Spoofing and Wins Trust
October is Cybersecurity Awareness Month and this year’s theme, Building a Cyber-Strong America, is more than just a slogan. It’s a call to action for every organization to harden their defenses where it matters most: identity and access. And nothing’s more foundational than locking down your email domain.
Every year, Business Email Compromise (BEC) and spoofed-domain phishing continue to lead in financial loss and data breaches, according to the FBI’s IC3 and industry breach reports. Staff and customers are still being tricked by lookalike domains. Why? Because many domains still aren’t authenticated. Remember: Pause - Verify - Report. Always take a moment to Think Before You Click!
If you’re not sure whether you’ve enabled SPF, DKIM, and DMARC, here’s your do-this-week checklist and how VanRein Compliance can help you get it right the first time.
🚨 This Matters Now
Spoofed emails using your domain still get past filters—without authentication, receiving servers can’t reliably tell real from fake.
BEC losses remain a top cybercrime category in recent FBI IC3 reporting.
Inbox provider rules: Google & Yahoo require authenticated mail for bulk senders (2024), with Microsoft policies ramping in 2025. Email auth is now table stakes.
Deploy These Auditable Fixes This Week
SPF (Sender Policy Framework)
Authorize every legitimate sender (marketing platform, CRM, support/helpdesk, invoicing, newsletter).
Keep it lean: avoid +all, minimize nested include:s, and stay under the DNS lookup limit (10).
Document it: capture the final TXT record and a sender inventory (service, envelope-from, Return-Path).
DKIM (DomainKeys Identified Mail)
Sign all outbound mail from each platform; use strong keys and rotate periodically.
Align selectors/sub-senders: one selector per platform/domain where practical; verify that the d= domain aligns with your visible From: domain.
Document it: store public key TXT records, selector names, and last rotation date.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
Start with p=none to collect reports without impacting delivery.
Fix alignment (SPF or DKIM needs to align with the From: domain) and add missing senders.
Raise enforcement: move to quarantine (partial) → reject (full) as alignment improves.
Strengthen policy: add rua= (aggregate), optionally ruf= (forensics), set pct= for gradual rollout, and aspf/adkim to “s” (strict) when ready.
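The SPF and DMARC checklist items above can be turned into a repeatable lint. The following script is an added example, not VanRein Compliance tooling: it walks an SPF include chain counting the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect) against the limit of 10, flags a +all anywhere in the chain, and classifies a DMARC record's rollout stage (p=none monitoring, partial pct, full enforcement) while checking for rua= and strict alignment tags. All zone data is constructed, and resolve_txt is a hypothetical stand-in for a real DNS query.

```python
"""Lint an SPF chain and a DMARC record against the checklist above.

All zone data below is constructed for the example; `resolve_txt` is a
hypothetical stand-in for a real DNS TXT lookup.
"""

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208's limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10

# Constructed zone: name -> TXT record string.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailvendor.example include:crm.example mx -all",
    "_spf.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 a:mta.mailvendor.example ~all",
    "crm.example": "v=spf1 ip4:198.51.100.10 +all",
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; pct=50; "
                           "rua=mailto:dmarc-agg@example.com; adkim=s; aspf=r"),
}


def resolve_txt(name):
    """Hypothetical resolver hook; swap in a real DNS client for live checks."""
    return ZONE.get(name.lower())


def spf_terms(record):
    """Yield (qualifier, name, argument) for every term after 'v=spf1'."""
    for raw in record.split()[1:]:
        qualifier = raw[0] if raw[0] in "+-~?" else "+"
        body = raw.lstrip("+-~?")
        # modifiers use '=', mechanisms use ':' (or carry no argument)
        sep = "=" if "=" in body else ":"
        name, _, arg = body.partition(sep)
        yield qualifier, name.lower(), arg


def lint_spf(domain, seen=None):
    """Return (lookup_count, findings) for the SPF chain rooted at `domain`."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0, [f"{domain}: already evaluated (loop or duplicate include)"]
    seen.add(domain)
    record = resolve_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record found"]
    lookups, findings = 0, []
    for qualifier, name, arg in spf_terms(record):
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: '+all' authorizes any sender")
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_findings = lint_spf(arg, seen)
            lookups += sub_lookups
            findings.extend(sub_findings)
    return lookups, findings


def lint_spf_domain(domain):
    """Whole-chain SPF check, including the 10-lookup limit."""
    lookups, findings = lint_spf(domain)
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{domain}: {lookups} DNS lookups exceed the limit of {SPF_MAX_LOOKUPS}")
    return lookups, findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_stage(tags):
    """Name the rollout stage: monitor (p=none), partial (pct<100) or full."""
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor"
    return f"{policy} (partial, pct={pct})" if pct < 100 else f"{policy} (full)"


def lint_dmarc(domain):
    """Return (stage, findings) for the domain's _dmarc record."""
    record = resolve_txt(f"_dmarc.{domain}")
    if not record or not record.lower().startswith("v=dmarc1"):
        return None, [f"{domain}: no DMARC record published"]
    tags = parse_dmarc(record)
    findings = []
    if "rua" not in tags:
        findings.append(f"{domain}: no rua= address, aggregate reports will not arrive")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{domain}: {tag} is relaxed, tighten to 's' once alignment is clean")
    return dmarc_stage(tags), findings


if __name__ == "__main__":
    print(lint_spf_domain("example.com"))
    print(lint_dmarc("example.com"))
```

In the constructed zone the included CRM record carries +all, which authorizes any sender for the parent domain even though the parent ends in -all; that is exactly the kind of nested include the checklist tells you to hunt down. The two-label registrable-domain and loop handling are simplifications; a production lint should also enforce the 10-lookup rule for redirect= chains and the void-lookup limit.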
Reports → Actions (Make It Operational)
Parse aggregate DMARC reports to spot unauthorized sources, misconfigurations, or third-party tools you forgot to authorize.
Remediate by adding/repairing SPF includes, enabling DKIM on platforms, or retiring legacy services.
Prove it: maintain a short remediation log (date, issue, fix, owner) and keep weekly snapshots of alignment rates—auditors love this.
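The "Reports → Actions" step is where most programs stall, because aggregate reports are XML that nobody reads by hand. The script below is an added example (not VanRein Compliance code) that parses a constructed rua report in the standard aggregate format, computes the weekly alignment rate the checklist asks you to snapshot, and maps each failing source to a remediation-log action: known sender with unaligned SPF (enable DKIM or a custom Return-Path), known sender failing outright (repair its include/DKIM), or unknown source (treat as spoofing, do not authorize). The sender inventory and IPs are constructed.

```python
"""Parse a DMARC aggregate (rua) report and turn failures into actions.

The report XML and the sender inventory are constructed for this example;
real reports arrive as gzip/zip attachments at the rua= mailbox.
"""
import xml.etree.ElementTree as ET

# Constructed sender inventory (IP -> service) from the SPF checklist step.
SENDER_INVENTORY = {
    "192.0.2.10": "corporate MTA",
    "198.51.100.10": "CRM platform",
}

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>CONSTRUCTED-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.crm.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>badhost.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def parse_aggregate(xml_text):
    """Flatten each <record> into a dict with raw and aligned results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated already folds alignment into its verdict
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # auth_results holds the raw check and the domain it ran against
            "spf_result": rec.findtext("auth_results/spf/result", default="none"),
            "spf_domain": rec.findtext("auth_results/spf/domain", default=""),
            "dkim_result": rec.findtext("auth_results/dkim/result", default="none"),
        })
    return rows


def alignment_rate(rows):
    """Share of messages passing DMARC (either aligned check): the weekly KPI."""
    total = sum(r["count"] for r in rows)
    passing = sum(r["count"] for r in rows if r["dkim_aligned"] or r["spf_aligned"])
    return round(passing / total, 3) if total else 0.0


def triage(rows, inventory=SENDER_INVENTORY):
    """Map each failing source to a remediation-log entry (ip, volume, action)."""
    actions = []
    for r in rows:
        if r["dkim_aligned"] or r["spf_aligned"]:
            continue
        service = inventory.get(r["ip"])
        if service is None:
            action = "unknown source: treat as spoofing, do not authorize; enforcement will block it"
        elif r["spf_result"] == "pass":
            action = (f"{service}: SPF passes for {r['spf_domain']} but is not aligned with "
                      f"{r['header_from']}; enable DKIM with d={r['header_from']} or a custom Return-Path")
        else:
            action = f"{service}: authentication failing; repair its SPF include or DKIM setup"
        actions.append((r["ip"], r["count"], action))
    return actions


if __name__ == "__main__":
    rows = parse_aggregate(SAMPLE_REPORT)
    print(f"alignment rate: {alignment_rate(rows):.1%}")
    for ip, count, action in triage(rows):
        print(f"{ip:>15} {count:>5}  {action}")
```

The CRM row is the instructive one: its raw SPF result is pass, but against the vendor's bounce domain rather than the visible From: domain, so DMARC still fails. That is the alignment gap the checklist calls out, and it is invisible if you only look at raw pass/fail counts. Appending each triage tuple with a date and owner gives you the remediation log the auditors want.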
Regulated Teams Should Care
Security intent: Reduces social-engineering and account-takeover risk across HIPAA, SOC 2, and ISO 27001 control families (access control, integrity, monitoring).
Customer trust: Authenticated mail reduces impersonation of your brand and protects clients from fraudulent invoices/reset links.
Auditability: DNS records + DMARC reports + remediation log = clean evidence of due diligence and continuous improvement—exactly what examiners want.
VanRein Compliance: Your Security Partner
At VanRein Compliance, we help you map senders, publish the right records, interpret first-week DMARC reports, and draft the SOPs that keep it working.
Phishing Simulation and Awareness Training
Incident Response Tabletop
Policy & Playbooks
Vendor Governance Support
Evidence Pack & Audit Prep
Bottom Line
Email is still the front door for fraud. When your domain is authenticated and your team knows the signals, you cut off spoofing at the source and make it harder for attackers to weaponize trust. These are measurable basics that protect customers, shorten audits, and move your organization closer to the CAM goal—building a Cyber-strong America. Start this week, show your work, and make domain trust part of your security culture.
👉 Schedule a Discovery Call Today to discuss how VanRein Compliance can deploy your SPF/DKIM/DMARC plan and strengthen your defenses fast.
Quishing: The QR-Code Phish That Slips Past Filters
Attackers are hiding malicious links inside QR codes—in PDFs, marketing emails, and even stickers on doors, kiosks, and parking meters. People scan with their phones and land on look-alike login pages that steal credentials or push fake MFA prompts. Because the URL is embedded in an image, traditional email link scanners often miss it.
What’s Happening
QR links skirt scanners: Many secure email gateways can’t reliably pre-resolve or rewrite QR-embedded links inside images/PDFs.
Real-world targets: Quishing is popping up in ticketing, parking, delivery, MFA reset prompts, and “account verification” notices.
Hybrid attacks: Physical sticker swaps are common—bad actors place a QR over your legit code (or add one where none existed) and redirect to credential harvesters.
Defend in 3 Moves
1) Teach the habit: Pause → Verify → Report
Don’t scan unknown QR codes, especially from unsolicited emails or public signage.
Verify the source before logging in (type the URL or use a saved bookmark).
Inspect the full URL after scanning; if shortened or off-brand, stop.
Report suspicious emails/codes via your “Report Phish” button or ticket channel.
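"Inspect the full URL after scanning; if shortened or off-brand, stop" can be backed by a check that a help desk or report-phish workflow runs on the decoded link. The script below is an added example, not part of this newsletter's program, and it generalizes the two signals named above (shortener, off-brand) to the other tells a decoded QR link commonly carries: non-HTTPS scheme, credentials before an @ that mask the real host, punycode labels, a raw IP, and a brand name sitting inside a domain that is not yours. The allow-list, shortener list and sample URLs are constructed, and registrable_domain is a deliberate two-label simplification rather than a public-suffix-list lookup.

```python
"""Check the URL decoded from a QR code before anyone signs in.

The allow-list, shortener list and sample URLs are constructed for this
example; the registrable-domain logic is a deliberate simplification
(last two labels) rather than a public-suffix-list lookup.
"""
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.com"}                 # your root domain(s)
BRAND_TOKENS = {"example", "examplecorp"}     # names lookalike domains copy
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # constructed list
LOGIN_PATH_WORDS = ("login", "signin", "verify", "reset", "mfa", "auth")


def registrable_domain(host):
    """Simplified: the last two labels (example.com from mail.example.com)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url):
    """Return ("ok"|"stop", reasons). Any reason means: do not proceed."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        reasons.append("no hostname")
        return "stop", reasons
    if parts.username is not None:
        reasons.append("credentials/'@' in URL hide the real host")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append("link shortener hides the destination")
    if "xn--" in host:
        reasons.append("punycode label can disguise lookalike characters")
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a name")
    if reg not in ORG_DOMAINS:
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append(f"brand name appears in {host} but domain is {reg}, not ours")
        if any(w in parts.path.lower() for w in LOGIN_PATH_WORDS):
            reasons.append(f"login-style path on third-party domain {reg}")
    return ("stop" if reasons else "ok"), reasons


# Constructed sample decodes from QR codes (not real links).
SAMPLES = [
    "https://portal.example.com/events/oct-2025",
    "http://example-com.login-verify.example/mfa/reset",
    "https://bit.ly/3AbCdEf",
    "https://xn--exmple-cua.com/signin",
    "https://login.example.com@203.0.113.10/auth",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, why = inspect_url(url)
        print(f"{verdict.upper():4} {url}\n     {'; '.join(why) or 'domain is ours'}")
```

The design choice is fail-closed: any single reason yields "stop", and the reasons are written to be read back to the reporter so the habit (Pause → Verify → Report) is reinforced with a concrete explanation rather than a bare block.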
2) Harden the stack (Email & Identity)
Safe-link preview for email platforms; show destination where possible.
Block external auto-forwarding and alert on new mailbox rules (attackers auto-hide warnings).
Conditional access & MFA everywhere; prefer authenticator apps/security keys over SMS.
Flag QR-heavy PDFs for extra review; add heuristics for image-only messages.
Browser isolation/detonation for first-time domains—especially from QR scans.
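"Alert on new mailbox rules" is the control in this list that most often goes unimplemented, so here is an added example of the detection logic (not VanRein Compliance code) run over constructed audit events. It scores each rule-creation or mailbox-forwarding event on the behaviours attackers rely on to hide warnings: forwarding or redirecting to an address outside the organization, deleting or marking messages read, filing them into folders nobody checks, blank or punctuation-only rule names, and subject filters on finance or security keywords. The event layout (Operation, UserId, ClientIP, Parameters as Name/Value pairs) is an assumption modelled loosely on Exchange Online admin-audit entries; map the field names to whatever your mail platform actually logs.

```python
"""Flag newly created inbox rules that forward externally or hide mail.

The audit records below are constructed; their layout (Operation, UserId,
Parameters as Name/Value pairs) is an assumption modelled loosely on
Exchange Online admin-audit entries, so adapt the names to your log source.
"""

INTERNAL_DOMAINS = {"example.com"}
# Subject keywords attackers filter on to hide finance or security mail.
WATCH_WORDS = {"invoice", "wire", "payment", "password", "mfa", "verify", "security", "suspicious"}
# Parameters that send mail out of the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
# Parameters or folders that keep the owner from seeing the message.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                "archive", "conversation history"}

AUDIT_EVENTS = [  # constructed sample events
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;password"},
                    {"Name": "ForwardTo", "Value": "finance.backup@webmail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "File vendor newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "ceo@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ceo.archive@webmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]


def params(event):
    """Collapse the Name/Value list into a plain dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def external_recipients(value):
    """Return addresses in a forward target that lie outside INTERNAL_DOMAINS."""
    hits = []
    for addr in value.split(";"):
        addr = addr.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            hits.append(addr)
    return hits


def score_event(event):
    """Score one audit event; higher means more like attacker persistence."""
    if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        return 0, []
    p = params(event)
    score, reasons = 0, []
    for name in sorted(FORWARD_PARAMS & set(p)):
        ext = external_recipients(p[name])
        if ext:
            score += 3
            reasons.append(f"{name} to external {', '.join(ext)}")
    for name in sorted(HIDE_PARAMS & set(p)):
        if p[name].lower() == "true":
            score += 2
            reasons.append(f"{name} set")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        score += 2
        reasons.append(f"moves mail to {p['MoveToFolder']}")
    if "Name" in p and not p["Name"].strip(". "):
        score += 2
        reasons.append("rule name is blank or punctuation only")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & WATCH_WORDS:
        score += 2
        reasons.append(f"filters on {', '.join(sorted(words & WATCH_WORDS))}")
    return score, reasons


def find_suspicious(events, threshold=3):
    """Return (user, client_ip, score, reasons) for events at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev["UserId"], ev.get("ClientIP"), score, reasons))
    return alerts


if __name__ == "__main__":
    for user, ip, score, reasons in find_suspicious(AUDIT_EVENTS):
        print(f"ALERT {user} from {ip} score={score}: {'; '.join(reasons)}")
```

The threshold is set so that a single external forward is enough to page someone, while the benign HR filing rule scores zero. Pairing the alert with the ClientIP lets the responder correlate it with the sign-in that created it, which is usually the compromised session.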
3) Publish a QR Code Policy
When your org uses QR codes (events, signage, training, auth links) and who owns each code.
Where they’re posted (physical/digital) and how they’re versioned/retired.
Tamper checks: routine inspections; replacement SOP if a code is compromised.
User guidance: never embed login, reset, or payment links in public QR codes; route to your root domain or app.
Bottom Line
Quishing works because it hijacks a trusted behavior—scan and go—and hides where filters are weakest: images. Pair a clear habit (Pause → Verify → Report) with mailbox-rule controls and a formal QR policy, and you take the wind out of this attack. Add simulations that mirror real scenarios, and your people will spot the trap before they scan.
📅 Partner with VanRein Compliance today to see how we can roll out your phishing program and incident playbooks—fast, practical, and audit-ready.