How can I tell if DMARC is making a difference?
A day or two after a domain owner publishes the simplest monitoring-mode DMARC record in DNS, they will begin to receive reports from DMARC receivers with statistics about email sent to them using the domain owner’s domain. In other words, if you own or operate example.com and publish a DMARC record requesting reports, you will get statistics on all messages that claim to come from your domain from all DMARC receivers. So, you will suddenly be able to see how many fraudulent messages are using your domain, where they’re coming from, and whether or not they would be stopped by a DMARC “quarantine” or “reject” policy. The report from each receiver is an XML file that includes the following fields:
Every IP address using your domain to send email
A count of messages from each of those IP addresses
What was done with these messages (the disposition) under the DMARC policy shown
SPF results for these messages
DKIM results for these messages
The www.dmarcsonar.com client portal turns these reports into views that give a great deal of insight into the health of your message streams.
DMARC – Usage and limitation
DMARC is a great solution for preventing direct domain spoofing. When an email is sent by an unauthorized sender (whether it is sent by a malicious user, or even an unauthorized user of a department of the company that owns/operates the domain), DMARC can be used to detect the unauthorized activity and (if so configured) request that those messages be blocked or discarded when they are received.
If the owners/operators of website.com use DMARC to protect that domain, it has no effect on website.net unless website.net also publishes its own DMARC record.
Although impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address.
DMARC does not address cousin domain attacks (i.e. sending from a domain that looks like the target being abused – e.g. website.com vs websit3.com ), or display name abuse where the “From” field is altered to look as if it comes from the target being abused.
People and companies around the world suffer from the high volume of spam and phishing on the Internet. Over the years several methods have been introduced to try to identify when mail from (for example) myrealcompany.com really is, or really isn’t, coming from myrealcompany.com. However:
These mechanisms all work separately, in isolation from each other
Each receiver makes its own decisions about how to evaluate the results
The legitimate domain owner (e.g. myrealcompany.com) never gets any feedback
DMARC addresses the above shortfalls by providing coordinated, tested methods for:
Domain owners to:
Signal that they are using email authentication (SPF, DKIM)
Provide an email address to gather feedback about messages using their domain, whether legitimate or not
Request a policy (report, quarantine or reject) to apply to messages that fail authentication
Email receivers to:
Be sure that a given sending domain is using email authentication
Consistently evaluate SPF and DKIM along with what the end user sees in their inbox
Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks
Provide the domain owner with feedback about messages using their domain
DMARC is best implemented slowly (have you ever heard of a tree that grew in a day 😛 ?)
A domain owner who has deployed email authentication will begin using DMARC in “monitor mode” to collect data from participating receivers. As the data shows that their legitimate traffic is passing authentication checks, they will change their policy to request that failing messages be quarantined. As they grow confident that no legitimate messages are being incorrectly “quarantined”, they will move to a “reject” policy.
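The monitor, quarantine, reject progression can be driven by the aggregate data itself. This added example (not code from the original page) parses a DMARC TXT record and advances its p= tag one stage only when the share of mail passing aligned authentication clears a threshold; the 0.99 threshold and the record contents are assumptions.

```python
STAGES = ["none", "quarantine", "reject"]   # rollout order for the p= tag


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["p"] not in STAGES:
        raise ValueError("unknown policy: " + tags["p"])
    return tags


def build_dmarc(tags):
    """Serialise the tags back into the TXT form, v= and p= first."""
    order = ["v", "p", "pct", "rua", "ruf"]
    return "; ".join(f"{k}={tags[k]}" for k in order if k in tags)


def next_stage(txt, aligned_pass_rate, threshold=0.99):
    """Return the record to publish next: one step stricter only if the
    reports show enough legitimate mail passing, otherwise unchanged."""
    tags = parse_dmarc(txt)
    current = tags["p"]
    if current == "reject" or aligned_pass_rate < threshold:
        return build_dmarc(tags)          # keep collecting reports
    tags["p"] = STAGES[STAGES.index(current) + 1]
    return build_dmarc(tags)
```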
What is DMARC and how can it help us?
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.
DMARC makes it easier for email senders and receivers to determine whether or not a given message is genuinely from the sender, and what to do if it isn’t. DMARC makes it easier to identify spam and phishing messages and keep them out of users’ and customers’ inboxes. DMARC allows email senders and receivers to cooperate in sharing information about the email they send to each other.
If you want to remove the threat of direct domain spoofing and prevent spear-phishing attacks, then you must implement DMARC.
What is SPF?
Sender Policy Framework (SPF) is an email validation system designed to detect and block forged or spoofed emails. This is done by verifying the sender’s email server before delivering all legitimate email to a recipient’s inbox.
SPF allows an agency to specify which servers are allowed to send emails for their domain and makes this information available for recipients to check.
This is achieved when the network owner creates an SPF entry in the Domain Name System (DNS) record for their domain. The SPF entry contains a list of domains or valid IP addresses authorized to send emails for their domain. When an email is sent to a network with SPF checking enabled, the recipient email server validates the sender’s domain against the published SPF record. That is, it confirms that the IP address of the sending server is on the allowed list for the domain; if it does not match, SPF verification fails. The network owner can decide whether to block, quarantine or tag emails as suspicious after they fail SPF verification.
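The lookup just described, carried out for the ip4, ip6, include and all mechanisms, as an added example that is not part of the original page. DNS is replaced by a constructed in-memory table of TXT records for placeholder domains (an assumption), so it runs offline; the evaluation order and the "include matches only on pass" rule follow RFC 7208.

```python
import ipaddress

# Constructed TXT records standing in for DNS; the domains are placeholders.
DNS_TXT = {
    "myrealcompany.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for `ip` sending mail on behalf of `domain`."""
    if depth > 10:
        return "permerror"          # RFC 7208 limits include recursion
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # mechanisms are evaluated left to right
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include: matches only if the referenced record yields "pass"
            if check_host(ip, value, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]  # catch-all decides unmatched senders
    return "neutral"                # record ended without a match


def spf_action(result):
    """Map the SPF result to the receiver-side handling the text mentions."""
    return {"pass": "deliver", "fail": "block",
            "softfail": "tag as suspicious"}.get(result, "deliver")
```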