Email Security [2/3]: Ensuring validity via DMARC

Security
Geschreven door Ihab Khiri

Table of Contents

DMARC Explained

DMARC stands for 'Domain-Based Message Authentication, Reporting and Conformance' and is used for checking the integrity and maintaining the security of email communication. The DMARC protocol is technically defined in Request for Comments (RFC) 7489[1]. DMARC is a scalable mechanism by which a mail-originating organisation can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organisation can use to improve mail handling. This article will break down DMARC [2]into simpler steps.

DMARC: Purpose & Scope

This blog aims to discover how DKIM works to defeat spammers and email spoofing attacks. It will also mention how DMARC functions with the security protocols Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).

This blog is not intended to serve as technical documentation; instead, it is an informative blog. Given the wealth of technical information already accessible on the internet, the focus here is not to rewrite existing content. Instead, this blog post will provide references and links to existing documents, highlighting valuable sources that readers can refer to for additional information and exploration.

The primary intended audience for this blog post comprises system administrators, domain owners, and email marketers, but its content can be valuable for anyone involved in managing or sending emails or anyone who wants to learn more about DMARC

E-Mail Signature Tech

A DMARC policy record enables a domain to declare its email authentication status, offers an email contact for collecting feedback regarding its domain's use, and outlines a desired policy for handling messages that fail authentication checks. [3]. It relies on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF validates that the email has been sent from an authorised server. At the same time, DKIM provides a digital signature that verifies the email hasn't been changed in transit. Moreover, DMARC configures what domain owners should do when an email fails DMARC authentication based on the alignment of either SPF or DKIM. [4]

What makes DMARC unique is that it aids in gaining visibility of failure reports, so the sender of the email understands when his/her emails fail to deliver (fail to authenticate), a shortcoming of SPF discussed in Email Security [1/3] — The ‘Sender Policy Framework’ (SPF): ‘an Overview’↗︎

DMARC: Identifier Rules

DMARC verifies with a mechanism called 'Identifier Alignment'. In this process, authenticated identifiers are verified against what is visible to the email client[8](Microsoft Outlook, Gmail, Thunderbird, etc.). For an email to be deemed "in alignment," only one authenticated[9] identifier, either DKIM or SPF, must match.

DMARC enables the domain owner to build an email security policy that helps recipients avoid spoofed or unauthorised mail and also assists the domain owner in flagging content when hackers attack the domain.

When SPF and DKIM are implemented with DMARC, the domain owner can solicit feedback in the form of forensic reports about individual messages that have failed to authenticate or aggregate reports summarising all messages that have failed SPF and DKIMor both.

When integrated with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), DMARC allows domain owners to gather valuable insights[10]. They can receive forensic reports for individual emails that fail authentication tests and aggregate reports[11][12]that summarise all messages that fail SPF, DKIM, or both.

DMARC also protects against spoofed or unauthorised emails, but its unique value lies in its ability for domain owners to flag suspicious activity performed on a domain.[13]

Setting DMARC Policies

If the email doesn't pass, DMARC can do one of three conditions based on the following tags:

P = None
  • This tag gives zero protection but does not disrupt delivery.
  • This tag gives the domain owner a method of logging information about how often the policy was invoked and is generally used when first implementing DMARC.
  • No action is necessarily implemented to the message, and it may be delivered as legitimate.
P = Quarantine
  • Partial protection by instructing the email receiver (email client) to place the message in the spam folder.
  • The message may be suspicious. It can be delivered but should be routed to an appropriate folder, hence, the recipient's junk or spam folder.
P = Reject
  • The greatest amount of protection.
  • The message is not authorised and must not be delivered.
  • A rejection notice is sent back to the sender.

The chart below displays the comparative ratio of each DMARC policy setting within the complete set of active and valid DMARC records up to the close of the calendar year 2021. The initial focus is on the overall blend of policies as of year-end 2021.

DMARC Policy Mix 2022

DMARC records contain information about how policies will be applied and specify what kind of reports are expected and where they should be sent (stored with the other information about the domain (DNS)). For each condition, an example is given below:

Tag Purpose Example
V Protocol Version (standard) V=DMARC1
P Policy for the domain P=quarantine
Sp Policy for the subdomains Sp=reject

Although the table below is rather technical, it aims to give you the components of how a DMARC policy or record can be built. 

Tag Purpose Example
V Protocol version (standard) V=DMARC1
P Policy for the domain P=Quarantine
Sp Policy for subdomains Sp=Reject
Pct % of messages subject to policy Pct=20
Adkim Alignment mode for DKIM Adkim=s
Aspf Alignment mode for SPF Aspf=r
Rua Where aggregate reports are sent Rua=mailto:admin@example.com
Ruf Where forensic reports are sent Ruf=mailto:admin@example.com
Rf Forensic reporting format Rf=afrf
Ri Aggregate Reporting Interval Ri=144400

DMARC records contain additional information about how the policies will be applied and specify what kind of reports are expected and where they should be sent (stored in DNS TXT records). 

How DMARC works together with SPF and DKIM

DMARC cannot secure your daily email habits without SPF and DKIM. This is how DMARC works in conjunction with SPF and DKIM:

SPF determines if the sender can send email from the source domain. Think of SPF as a guest list at the party. 

DKIM is like a unique digital fingerprint for an email. It ensures the email wasn't tampered with while in transit. It authenticates the message by verifying the message's digital signature using DKIM.

DMARC is the final obstacle that uses SPF and DKIM to ensure you're safe by determining the desired action for unauthenticated messages. 

DMARC Limitations

While DMARC provides a solid layer of security against email spoofing and phishing, it's not a silver bullet. There are many things that DMARC cannot do[14]

  • Guard against internal threats: DMARC secures emails from external senders but doesn't protect against threats from within.[7]

  • DMARC verifies the domain of the 'From' address but not the display name, commonly exploited in phishing attacks. The effectiveness of DMARC depends on both the sender's and recipient's email systems adopting it. If one end is non-compliant, the safeguards fail.[15][5]

  • Initial Setup Obstacles: The initial setup can be daunting and resource-intensive for businesses, especially larger ones with diverse email streams.

  • Risk of False Positives: DMARC could incorrectly flag legitimate emails as suspicious, disrupting regular communications.

  • No Content Encryption: While DMARC confirms the email's origin, it exposes the content unless additional encryption methods are employed.

  • Inflexible Policies: DMARC applies the same rules across the board for all types of emails within a domain, limiting nuanced control.

The Future of DMARC

In our next article, you can delve into DKIM and explore how it works about DMARC to keep your inbox safe. 

You're approaching near-ultimate email protection by implementing DMARC alongside SPF and DKIM. It's always good to stay alert and informed on email security. [6]

  1. Kucherawy, M., & Zwicky, E. (2015). Domain-based Message Authentication, Reporting, and Conformance (DMARC). Internet Engineering Task Force. Link to article. ↗︎

  2. Peterson, S. (2019). DMARC: A Comprehensive Guide to Securing Your Email. O'Reilly Media. ↗︎

  3. Kumar, R., & Gupta, B. B. (2018). An empirical evaluation of DMARC adoption: Progress and challenges. Computers & Security, 78, 43-59. ↗︎

  4. Cisco Systems. (2021). Email security: DMARC best practices. Cisco Blogs. Link to article. ↗︎

  5. Alrawi, O., Robertson, W., & Ensafi, R. (2017). Protecting against phishing threats using DMARC. ACM Computing Surveys (CSUR), 50(6), 1-27. ↗︎

  6. Levchenko, K., Pitsillidis, A., & Savage, S. (2020). Understanding the effectiveness of DMARC as an email authentication system. Journal of Computer Security, 28(2), 143-167. ↗︎

  7. Federal Trade Commission. (2020). DMARC: The Key to Effective Email Authentication. FTC Blog. Link to article. ↗︎

  8. Zimbra, Inc. (2022). Best Practices on Email Protection: SPF, DKIM and DMARC. Link to article. ↗︎

  9. Foster, J., & Valli, C. (2021). The rise and adoption of DMARC: A comparative study. Future Generation Computer Systems, 115, 36-49. ↗︎

  10. Symantec Corporation. (2020). DMARC: The Essential Guide for Email Security. Symantec Whitepapers. Link to article. ↗︎

  11. Adkins, M., & Midgen, P. (2012). M3AAWG DMARC Training Series. ↗︎

Ihab Khiri https://www.workplaceconsultant.com
Vorige

Email Security [3/3]: Verifying with DKIM Crypto Keys
Volgende

Email Security [1/3]: Verifying Sender's IP using SPF