IT Definition

What is DMARC and why is it important?

Spam, phishing, and spoofing emails are sent daily and in large numbers by cybercriminals. Such fraudulent or falsified emails try to disguise themselves as real messages from legitimate senders and to deceive the email recipients. Manipulated e-mails with falsified sender data (spoofing) or falsified content (phishing) have become a serious problem in e-mail communication because they cause great damage to the recipients and compromise e-mail services and honest senders. Setting and enforcing a strict DMARC policy helps solve this security problem.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance; RFC 7489) is a technical standard that protects e-mail senders and recipients from phishing, spoofing, and spam and effectively reduces attempts to misuse e-mail.

With DMARC you can:

  • Define and register the e-mail authentication methods;
  • Define the actions to be taken if the authentication checks of an incoming mail fail;
  • Enable logging, reporting and statistics on the application of DMARC policies.

SPF, DKIM, DMARC

DMARC is not an independent email authentication protocol; it builds on the well-known authentication standards SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and uses DNS to publish its policy. SPF records are published in the domain's public DNS, typically with the help of an SPF record tool.

SPF and DKIM serve DMARC as the underlying protocols for email authentication, authorization, and identity checking. Based on the SPF and DKIM results, DMARC lets a receiving server decide whether a mail is delivered, moved to spam, or rejected. DMARC also provides summary reports to the administrator of the e-mail domain about problems with message screening and delivery.

SPF, DKIM, and DMARC are three standards that work as a bundle: they provide the various functions of e-mail authentication and authorization and increase e-mail security by supporting and complementing each other. Each of these standards solves its own specific tasks. With SPF, the owner of a sender domain can specify from which IP addresses e-mails for that domain may be sent. DKIM uses public-key cryptography to add a digital signature that is used to verify that incoming mail messages have not been forged or manipulated. The DKIM signature ensures the integrity of the mail and the authenticity of the sending domain, similar to an S/MIME or PGP signature.

DMARC integrates the SPF and DKIM authentication mechanisms in a common framework and enables domain owners to declare how e-mails from the respective domain will be handled if a security check fails.

How does DMARC work?

With DMARC rules in place, domain owners are automatically notified of misuse of their domain. Incoming mails are verified for integrity and legitimacy using the SPF and DKIM results. Automatic reports containing status information, error messages, and statistics are sent to the e-mail addresses configured in the DMARC record. This information helps to monitor and improve the protection mechanisms.

DMARC does not add a new spam filter, but helps to identify and analyze abuse. The domain owner publishes a policy in DNS that specifies what should happen to falsified emails. With DMARC, protection against forged emails works in the following steps:

  1. The sender sends an email.
  2. The sender’s mail server signs the mail with DKIM.
  3. The mail is sent to the recipient’s mail server.
  4. The incoming mail is subjected to a standard security check (blacklists, rate limits, virus check, etc.) on the recipient’s mail server.
  5. After the standard check of the mail has been successfully completed, the mail is checked for legitimacy using the DMARC policy:
    • The valid DKIM domains are extracted from the mail;
    • SPF is checked;
    • An appropriate DMARC action is applied: “Check successful” (OK) / “Spam” (a suspicious mail) / “Delete” (an incorrect or illegal mail).
  6. If the mail has passed the DMARC check, it is checked for legitimacy using other standard methods (antispam filter, etc.).
  7. The recipient receives the mail.

The introduction of DMARC

DMARC requires all legitimate mail to be authenticated. It is therefore not enough to deploy the authentication methods SPF and DKIM; it must also be ensured that every legitimate email from the respective sender domain is actually authenticated. The introduction of DMARC should therefore follow this approach:

1. Analyze and categorize the legitimate email traffic from your domain and subdomains. For each category of mail, you have to implement SPF and determine whether and how that mail can be signed with DKIM.

2. Implement SPF for the domain and subdomains. The sender must configure the SPF records and the public DKIM keys for the sending domains under consideration (the DMARC policy domains). For domains that are particularly security-relevant, a fail (deny) policy is advisable. Although many recipients do not block mail on an SPF failure even when a strict policy is published, they use the SPF result as one factor in scoring the message. In practice, it is precisely this SPF mode that is used most frequently, and it corresponds to the recommendations of the standard.

3. Publish a DMARC record with policy “p=none” for the primary domain and subdomains.

4. Deploy DKIM. A key length of 1024 or 2048 bits is recommended. With fo=1 in the DMARC record, you can receive detailed failure reports on all problems with SPF and DKIM, even for emails that have passed DMARC authentication.

5. Switch to an enforcing DMARC policy. In the DMARC policy you determine how unauthenticated mails (those that failed the authentication check) are to be handled. Do not use the “quarantine” policy for longer periods of time, as it can mask existing problems: you may then only learn about them from the aggregate reports, whose receipt can take more than a day. You can start by enabling the reject policy for approximately 10% of mail (p=reject; pct=10) to track potential delivery failure issues. However, it is not recommended to maintain such a policy for a longer period of time either: the quarantine policy is applied to the remaining 90%, so individual problems can be overlooked.

6. Optimize the DMARC policy. The following DMARC parameters can be used for optimization:

  • p – DMARC policy for the domain;
  • sp – policy for subdomains that do not publish their own policy;
  • pct – the percentage of mail to which the respective policy applies;
  • rua – the email address to which aggregate (statistical) reports will be sent;
  • ruf – the email address to which forensic (failure) reports will be sent;
  • fo – failure reporting options (fo=1 requests a failure report whenever any authentication check fails; the default fo=0 only when all checks fail);
  • adkim – DKIM identifier alignment mode (r = relaxed, s = strict);
  • aspf – SPF identifier alignment mode between the SPF domain and the From domain (r = relaxed, s = strict).
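As an added example (not code from the article), the following Python sketch performs the recipient-side check of step 5 in "How does DMARC work?" driven by the p, sp, pct, adkim and aspf tags listed above: it parses a DMARC record, checks identifier alignment and returns the disposition, including the pct fallback mentioned in step 5 of the introduction. The record, domains and sample bucket are constructed inputs, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
import random

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; pct=10; ...') applying RFC 7489 defaults."""
    tags = {"v": None, "p": None, "sp": None, "pct": "100", "adkim": "r", "aspf": "r", "fo": "0"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags["v"] != "DMARC1" or tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    tags["pct"] = int(tags["pct"])
    if tags["sp"] is None:  # sp defaults to p
        tags["sp"] = tags["p"]
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); RFC 7489 uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, policy_domain, from_domain, spf_pass_domain, dkim_pass_domains, sample=None):
    """Recipient-side check (step 5): 'pass', or 'none'/'quarantine'/'reject' for a failed message.
    spf_pass_domain: MAIL FROM domain if SPF passed (else None); dkim_pass_domains: d= of
    verified DKIM signatures; sample: 0-99 bucket for the pct check (random if omitted)."""
    pol = parse_dmarc_record(record)
    spf_ok = aligned(from_domain, spf_pass_domain, pol["aspf"])
    dkim_ok = any(aligned(from_domain, d, pol["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # sp applies when the From domain is a subdomain of the policy domain
    action = pol["p"] if from_domain.lower() == policy_domain.lower() else pol["sp"]
    if sample is None:
        sample = random.randrange(100)
    if sample >= pol["pct"]:
        # Not in the pct sample: fall back to the next less severe action (RFC 7489, message sampling)
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return action

if __name__ == "__main__":
    # Constructed example: relaxed SPF alignment passes although strict DKIM alignment would fail
    rec = "v=DMARC1; p=reject; pct=10; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    print(dmarc_disposition(rec, "example.com", "example.com", "mail.example.com", []))
```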

There are various tools for visualizing DMARC reports. Dmarcian offers paid and free services (for smaller volumes of email) as well as a handy free XML viewer for DMARC reports. Proofpoint and Agari also provide commercial services to implement and support DMARC.

Conclusion

Private individuals, companies, and organizations try to filter spam, malware, and phishing out of their mail traffic. Before DMARC, checking incoming emails for authenticity and ensuring their integrity was a difficult task. If the automatic filters of the mail server fail and cannot distinguish real mail from spam and fraud, it falls to the end user as the e-mail recipient to reliably identify and delete such dangerous mail. Many inexperienced users open unfamiliar mail to read the messages and thus take high security risks. That is why email accounts for more than 90% of all Internet attacks.

DMARC intends to provide the sending domain with aggregate and forensic feedback on the performance of its email authentication strategy. The main goal of DMARC is to filter out and block spoofed mail early, on the mail servers, before it reaches the recipient. For email security, DMARC is a required protection measure, but not an easy task. Only at first sight does it seem sufficient to publish an entry in DNS. To rule out misuse with regard to DMARC reporting, an authentication and verification system must be implemented in accordance with RFC 7489.

DMARC encourages senders to fully authenticate their outgoing email, which makes the email service safer and more reliable. DMARC is particularly effective and raises the security level of e-mail services when it is used together with other security technologies and protection mechanisms such as S/MIME, PGP/OpenPGP, and TLS-based protocols (HTTPS, SMTPS, IMAPS, POP3S, etc.).