DMARC (Domain-based Message Authentication, Reporting and Conformance) DMARC is an email validation protocol which is built upon two globally accepted email authentication protocols namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication policy and reporting protocol. When implemented at an enforcement policy, only authorised senders can send email using the domain in the "from" field.
DMARC also includes a reporting mechanism. Email receivers can tell the domain about whether or not the email they have received, passed or failed authentication. These reports let the domain owner or their DMARC vendor see who is using the domain to send email. Domain owners can use this information to fine-tune their email authentication policy to permit only trusted senders to send email on behalf of the domain.
DMARC (Domain-based Message Authentication Reporting and Conformance) is designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cybercrimes. DMARC take the advantage of the existing email authentication techniques, SPF (Sender Policy Framework) & DKIM (Domain Keys Identified Mail).
Email is involved in more than 90% of all network attacks and without DMARC, it can be hard to find out the email is real or fake.
DMARC makes it easier for Internet Service Providers (ISPs) to prevent malicious email practices, such as domain spoofing in orderto phish for recipients' personal information. Essentially, it allows email senders to specify how to handle emails that were not authenticated using SPF or DKIM.
DMARC helps the end user’s mailbox provider to keep spam and phishing messages from reaching their inbox.
Below are the 5 steps to help you successfully implement DMARC in Reject Policy.
1. Setting up a DMARC record to policy none (monitoring):
The first step is to begin monitoring your domain with DMARC. Create a policy and set it to None. This allows you to receive DMARC reports without impacting your mail flow. ProDMARC provides users with DMARC reports, which provide information needed to configure your SPF and DKIM.
2. Monitoring the DMARC reports:
Once you have setup DMARC record for your domain, we suggest you to wait for 1-2 weeks so that you have substantial amount of data to start working. These reports will show the information of the sending servers along with IP address, SPF domain(envelope-from/return-path), SPF alignment staus, DKIM selector and it also shows which emails have passed or failed DMARC.
Based on the DMARC data received, we will have to identify all the authorised senders and then add the IP address of them in our SPF record and enable DKIM signing and public key addition in our DNS.
It’s important to carefully interpret reports. Don’t automatically add all the senders from your DMARC report to your SPF record. It’s likely that some of the “senders” are actually forwarder- email servers that receive email from your senders and then forward it on to another inbox. We at ProDMARC help you identify these kind of things thereby decreasing the time spent in None mode.
3. Move to the Quarantine Policy :
Now that we have made all the genuine senders DMARC compliant, we can move to the second mode i.e Quarantine. A Quarantine policy sends unauthenticated email to spam folder of the end recipient.
We recommend to update the DNS to “quarantine” with small percentages. Starting with 10% and monitor the statistics if nothing weird occurred. Once we are confident that all our authorised senders are fully compliant we can migrate our domain to the final phase of DMARC i.e Reject.
4. Migrating to the Reject policy:
Turning on Reject policy allows the recipient to reject all the emails which fail the DMARC check. Hence before moving to reject we need to ensure all our legitimate mails are delivering to the inboxes of the intented recipients/customers.
5. Active Monitoring:
At this point you reached the 100% reject policy however you are not done yet. In the stage ‘Active Monitoring’ it’s very important to constantly monitor all data. The deployment of new software programs (for instance a new CRM program) can give deliverability issues and result in losing legit emails. Therefore it’s still necessary to consistently monitor your DMARC data.
The focus is stronger on monitoring and detecting abnormal behaviour. This goes from keeping the DNS records to doing analysis on noncompliant sources, which can be spoofing attacks. The core of this stage is to monitor the whereabouts of the email channels, providing insight in the legit and malicious email activity.
On one hand, monitoring the compliance rate and the underlying sources will help to discover authentication issues, false positives and new legit email sources/vendors. On the other hand, monitoring the compliance rate and non-compliant sources will make an organisation aware of ongoing threats, spoofing and phishing attacks.
When you see "No DMARC record found" for your domain, means you have not added the DMARC TXT record in your DNS. Fixing “No DMARC record found” means adding a TXT DNS record in _dmarc.yourdomain.com according to DMARC specification. The basic DMARC record can be as simple as the following:
v=DMARC1; p=none; rua=mailto:abc@yourdomain.com
Using DMARC policies protect your domains against scams and brand abuse. In order to achieve this, your emails need to be DMARC compliant. By setting up DKIM or SPF you can achieve DMARC compliance.
In order to become DMARC compliant, either DKIM or SPF has to be setup correctly and aligned. Note that, when you setup DKIM and SPF and one of the two fails, your email will still be DMARC compliant and pass the DMARC checks. Only setting up DKIM or SPF is not enough. It is important to make sure that DKIM and or SPF alignment, without alignment an email cannot be DMARC compliant.
There is a thin line of difference between Phishing and Spoofing. Spoofing is where the attacker first spoofs or steals the identity of a real-time user, and then contacts the user. The objective of communicating with the end-user is to get their personal and sensitive information from the user. So, basically, the attacker acts like someone who exists in the real world and is a legitimate user. This is an example of identity theft.
This is very risky because attackers typically target big enterprises and large organizations; steal the information and then connect with the target group to hack their systems and steal their personal data. Here too, attackers use the latest software systems to get your email address and ids.
TYPES OF SPOOFING
1. Email Spoofing includes stealing the ‘from address’ in the email so that the email appears genuine.
2. Website spoofing is when attackers take over an existing website and change the address or set up fake websites.
3. IP Spoofing is related to stealing or hiding the IP address to conceal their identity.
4. Caller ID Spoofing involves a phone number. Such numbers look genuine, and the receiver receives the call, and he is asked to reveal his personal information.
5. DNS Server Spoofing is when cybercriminals direct the traffic to an IP address that contains malware.
EXAMPLES OF SPOOFING
1. One of the typical examples is when hackers hack a complete website by changing the IP address of the site .
2. A website that looks like a banking website asks you to log in, but when you do, you realize that your account has been stolen.
To read about Incoming DMARC configuration for Microsoft 365 Exchange Online platform, So download below PDF.
To read about ARC – Authenticated Received
Chain, So download below PDF.