What is DMARC and How to Configure it?

Created by Abderrahim Ibnou el kadi, Modified on Mon, 13 Jan, 2020 at 3:00 PM by Jason Carreiro


Phishing attacks are widespread more than even before as it rose by over 100% between 2010 and 2014. Around the globe it is estimated to cost over 4.5 billion dollars every year to organizations.

Email is very easy to spoof and criminals found spoofing to be proven way to exploit user’s naivety. In majority recipient users can’t distinguish from legit and fake messages, senders are also unaware of problems with their authentication because there is no way for them to get feedback reports, therefore deployment of SPF and DKIM are cautiously deployed. 

DMARC is a counterpart as it addresses these issues and helps the senders and recipients to work together and monitor progress and debug problems to better secure email flow and protect their organizations from havoc doing.

DMARC (Domain-based message authentication, reporting and conformance) is utmost tool in the market which combines the effect of DKIM and SPF while it provides a full monitoring report and also, if requested, an aggregate and forensic report.

So how does DMARC work?

In general explanation:    DMARC allows the sender to prove that their message is protected by SPF and /or DKIM and gives a choice to the recipient to decide what to do incase neither of those authentications methods passes. DMARC also provides a way, to the received to report back to the sender, messages that are success or fail DMARC evaluation in order to correct the situation.

In a technical explanation: To pass DMARC, the incoming message(s) must pass SPF verification and SPF alignment and/or DKIM authentication and DKIM alignment. 

 A message will fail DMARC if it fails both:

  • 1-  SPF or SPF alignment  and 
  • 2-  DKIM or DKIM alignment

SPF alignment is when matching the “header from” (i.e.: FROM :) name with the “envelope from” “i.e.: return path or MAIL FROM:” domain name during an SPF check. 

Whereas the DKIM alignment is when matching the “header from” domain name with the “d=domain name” in the DKIM signature.

 

How to configure DMARC:

 

First of all and before starting working on DMARC setup we must set up the two main ingredients that constitute DMARC. Of course I am talking about SPF and DKIM records.

So the full steps in adding a DMARC record are:

  1. Create an SPF record
  2. Create a DKIM record
  3. Verify your alignment I.e.: 

The Envelope FROM (i.e., Return Path or Mail From: )

The “Friendly” FROM (i.e., “Header” From)

The d=domain in the DKIM-Signature’

As per verification if your domain is aligned then you can continue configuring your DMARC with the option to reject any malicious mail by the mailbox providers. Otherwise you still can proceed with the creation of your DMARC by configuring it with monitoring mode “p=none”, meanwhile you can work with your IT department to sort the alignment issue out.

  1. DMARC doesn’t require all the tags to function but only few are mandatory, below are explanation to few tags that are must to be used with DMARC:
  2. Tag v=DMARC1, this must be the first tag to start with and DMARC1 must be in upper case.
  3. Tag p=value must be the second value to set and it Defines the policy (None, Quarantine, Reject) the sending MTA advises the receiving MTA to follow.
  4. Tag pct=value% defines the percentage of mail to which DMARC policy applies. If not present it defaults to pct=100% and in this case all mail is subjected to DMARC
  5. Tag rua=mailto:[email protected] you basically specify the email address you want to receive DMARC report. Make sure to use a separate email address as you might get flooded with email reports
  6. Tag ruf=mailto:[email protected] us the email address to receive the aggregated report. Again must use a separate email address as you might get flooded with email report

 

The other tags are all implicit and can use as needed.

  • a.  Email fraud defense

Email fraud is continuously rising and costing companies billions, In depth we find that 30% of recipients open phishing messages and 12% Click /open attachments. 

Email fraud defense helps distinguish the importance of email authentication via SPF, DKIM and DMARC. Leveraging it will protect your organization from all phishing attacks and spoofing trusted domains.

Our Email fraud defense provides clear visibility on who is sending email athwart your organization and gives you the ability to authorize legitimate and block all fraudulent messages before they reach employees and business partners.

When email fraud defense is deployed with other mechanisms it makes a complete suite of email security and quashes an entire class of impostors email fraud.

Email fraud defense consists on using DMARC (Domain-based Message Authentication Reporting & Conformance) as a method of email authentication using a reporting interface that extracts results for all email traffic In and Out of your organization. This report displays:

  • Report of All email traffic Inbound or Outbound
  • Precisely distinguishes between legitimate and none legitimate email that failed authentication
  • Clarification for each email authentication failure