DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is an email validation protocol built upon two globally accepted email authentication protocols, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
Frequently Asked Questions
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication policy and reporting protocol. When deployed with an enforcement policy, only authorised senders can send email using the domain in the "From" field.
DMARC also includes a reporting mechanism. Email receivers can tell the domain owner whether the email they received passed or failed authentication. These reports let the domain owner, or their DMARC vendor, see who is using the domain to send email. Domain owners can use this information to fine-tune their email authentication policy so that only trusted senders can send email on behalf of the domain.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is designed to protect your company's email domain from being used for email spoofing, phishing scams and other cybercrimes. DMARC takes advantage of the existing email authentication techniques SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
How to fix "No DMARC record found"?
When you see "No DMARC record found" for your domain, it means you have not added the DMARC TXT record to your DNS. Fixing "No DMARC record found" means adding a TXT record at _dmarc.yourdomain.com according to the DMARC specification. A basic DMARC record can be as simple as the following:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
How to implement a DMARC Reject policy on your domain
Below are the 5 steps to help you successfully implement DMARC with a Reject policy.
1. Setting up a DMARC record with policy none (monitoring):
The first step is to begin monitoring your domain with DMARC. Create a DMARC record and set its policy to none. This lets you receive DMARC reports without affecting your mail flow. ProDMARC provides users with DMARC reports, which contain the information needed to configure your SPF and DKIM.
2. Monitoring the DMARC reports:
Once you have set up the DMARC record for your domain, we suggest waiting 1-2 weeks so that you have a substantial amount of data to work with. These reports show the sending servers along with their IP addresses, the SPF domain (envelope-from/return-path), SPF alignment status and DKIM selector, and which emails passed or failed DMARC.
Based on the DMARC data received, identify all the authorised senders, add their IP addresses to the SPF record, enable DKIM signing and publish the DKIM public key in DNS.
It's important to interpret the reports carefully. Don't automatically add every sender from your DMARC report to your SPF record. Some of the "senders" are likely forwarders: email servers that receive email from your senders and then forward it on to another inbox. We at ProDMARC help you identify these cases, thereby decreasing the time spent in None mode.
3. Move to the Quarantine Policy:
Now that all the genuine senders are DMARC compliant, we can move to the second mode, i.e. Quarantine. A Quarantine policy sends unauthenticated email to the end recipient's spam folder.
We recommend updating the DNS record to "quarantine" with a small percentage. Start with 10% and monitor the statistics for anything unexpected before raising it. Once we are confident that all our authorised senders are fully compliant, we can migrate the domain to the final phase of DMARC, i.e. Reject.
4. Migrating to the Reject policy:
Turning on the Reject policy tells recipients to reject all emails that fail the DMARC check. Hence, before moving to reject, we need to ensure that all our legitimate mail is being delivered to the inboxes of the intended recipients/customers.
5. Active Monitoring:
At this point you have reached the 100% reject policy, but you are not done yet. In the 'Active Monitoring' stage it's very important to monitor all data constantly. The deployment of new software (for instance a new CRM program) can cause deliverability issues and result in lost legitimate emails. Therefore it's still necessary to monitor your DMARC data consistently.
The focus is now on monitoring and detecting abnormal behaviour. This ranges from keeping the DNS records up to date to analysing non-compliant sources, which can indicate spoofing attacks.
The core of this stage is to monitor the email channels, providing insight into legitimate and malicious email activity.
On one hand, monitoring the compliance rate and the underlying sources helps to discover authentication issues, false positives and new legitimate email sources/vendors. On the other hand, monitoring the non-compliant sources makes an organisation aware of ongoing threats, spoofing and phishing attacks.
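Steps 2 and 5 both come down to reading aggregate (rua) reports and deciding, per sending source, whether it is a legitimate sender, a forwarder, or something to investigate. The script below is an added example (not ProDMARC's code) that does that triage over a constructed minimal report in the RFC 7489 XML layout; it assumes the report has already been extracted from the zipped attachment a receiver mails to the rua address.

```python
import xml.etree.ElementTree as ET

# Constructed minimal aggregate report (RFC 7489 layout) for example.org; not a real receiver's report.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.org</domain><p>none</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
 </row><identifiers><header_from>example.org</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.org</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.99</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.org</header_from></identifiers></record>
</feedback>"""


def classify(dkim, spf):
    """Label a source from the aligned DKIM/SPF results the receiver evaluated."""
    if dkim == "pass" and spf == "pass":
        return "compliant"
    if dkim == "pass":
        # A DKIM signature survives forwarding but SPF does not: the usual forwarder pattern,
        # so this IP should not be added to the SPF record.
        return "likely forwarder, do not add to SPF"
    if spf == "pass":
        return "compliant via SPF only, enable DKIM signing"
    return "unauthenticated: unconfigured sender or spoofing, investigate"


def summarize(report_xml):
    """Return {source_ip: {"count", "dkim", "spf", "label"}} aggregated over all records."""
    sources = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        entry = sources.setdefault(ip, {"count": 0})
        entry["count"] += count
        # a source with mixed results across records is labelled by its last record
        entry.update(dkim=dkim, spf=spf, label=classify(dkim, spf))
    return sources


def compliance_rate(sources):
    """Percentage of messages that passed DMARC (aligned DKIM or aligned SPF)."""
    total = sum(s["count"] for s in sources.values())
    passing = sum(s["count"] for s in sources.values() if "pass" in (s["dkim"], s["spf"]))
    return round(100 * passing / total, 1) if total else 0.0


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for ip, s in summary.items():
        print(f"{ip:15} {s['count']:5}  dkim={s['dkim']:4} spf={s['spf']:4}  {s['label']}")
    print(f"compliance rate: {compliance_rate(summary)}%")
```

A drop in the compliance rate after a stable period, or a new IP appearing in the "unauthenticated" bucket, is the signal Step 5 asks you to watch for.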
WHAT IS PHISHING?
In phishing, the objective is to gather the user's personal and confidential information. The attacker usually sends an electronic communication, such as an email, asking for sensitive data like credit card details, bank details, debit card PIN, Social Security Number, date of birth, passwords or user IDs.
It is imperative to have in-depth knowledge about this latest threat so that personal and financial details and information can be safeguarded.
What makes it dangerous is that the communication looks trustworthy because it appears to come from a legitimate source, a known or trusted person or organization.
The email usually contains links or attachments which, when clicked by the recipient, lead to the download of malware. The intent of the email is malicious: to extract your financial or personal information.
TYPES OF PHISHING
1. Email Phishing – the attacker carries out the attack online via email.
2. Phone Phishing – this is done over the phone.
3. Clone Phishing – a whaling attack targeted at the senior executives of a firm.
4. Spear Phishing – a sophisticated type of phishing attack in which a harmful email is sent to a specific person.
5. Angler Phishing – this is done through social media: either data posted on social media is stolen with malicious intent, or users are tricked into divulging their personal information.
6. Smishing and Vishing – in this case, telephones are used for communication. Smishing involves sending text messages, while vishing involves engaging in a telephone conversation.
EXAMPLES OF PHISHING
1. An email asking the user to verify personal data – the text could be 'we couldn't verify your information – click on the link to verify it'.
2. 'Click here' is a common phrase that such emails contain.
3. Emails or phone calls that appear to be from your bank asking for an OTP or bank PIN.
4. An email claiming that a payment made on Amazon has failed.
WHAT IS SPOOFING?
There is a thin line between phishing and spoofing. In spoofing, the attacker first spoofs or steals the identity of a real user and then contacts the victim. The objective of communicating with the end user is to obtain their personal and sensitive information. So, basically, the attacker acts as someone who exists in the real world and is a legitimate user. This is an example of identity theft.
This is very risky because attackers typically target big enterprises and large organisations: they steal the information and then contact the target group to hack their systems and steal their personal data. Here too, attackers use the latest software to obtain your email address and IDs.
TYPES OF SPOOFING
1. Email Spoofing involves forging the 'from address' of the email so that the email appears genuine.
2. Website Spoofing is when attackers take over an existing website and change its address, or set up fake websites.
3. IP Spoofing involves faking or hiding the IP address to conceal the attacker's identity.
4. Caller ID Spoofing involves a phone number that looks genuine; the receiver takes the call and is asked to reveal personal information.
5. DNS Server Spoofing is when cybercriminals redirect traffic to an IP address that serves malware.
EXAMPLES OF SPOOFING
1. One typical example is when hackers take over a complete website by changing the IP address of the site.
2. A website that looks like a banking website asks you to log in, but when you do, you realise that your account has been stolen.
Phishing: How is a Spoofed Email sent?
Sending an email from an email account that you don't control is called email spoofing. The problem with spoofed messages, compared to other phishing messages, is that spoofed emails impersonate an email ID that the recipient trusts.
Choose a method: there are multiple methods that can be used to send a spoof email. The simplest method of spoofing a domain is using a website that is known for sending spoof mails; a Google search will find them.
Select a target: the target of a spoofed email is the domain being impersonated, for example email@example.com. The target domain needs to be a registered domain; a domain that doesn't exist can't be spoofed. In addition, it needs to be a domain that is not using a DMARC Quarantine or Reject policy.
Select a victim: the victim of a spoofed email is the recipient of the message.
Write the message: the message is written based on the email being spoofed.
Send the spoofed email: once the spoofed email has been drafted and the recipient added, the mail is sent.
How long do DNS updates take?
DNS propagation is the time it takes for DNS changes to be updated across the Internet.
Each time you update DNS (Domain Name System) records in your domain's zone file, the rest of the Internet must catch up with the changes. This period of catching up is known as propagation. Usually DNS changes propagate within a few hours, but it can take up to 48 hours for everything to propagate across the Internet.
Many things affect propagation time, including your TTL, your ISP and your domain's registry.
Your TTL (Time to Live) settings: every DNS record has a TTL setting. TTL is the amount of time servers cache the information for your DNS records. For example, if you set the TTL for a particular record to one hour, servers store the information for that record locally for an hour before retrieving updated information from your nameservers. Shorter TTL settings may increase propagation speed. However, they can also increase the number of times your nameserver is queried, decreasing your site's performance.
Your ISP (Internet Service Provider): your ISP caches DNS records by storing the data locally rather than retrieving fresh data from your DNS server. This speeds up web browsing and reduces traffic, but may slow your propagation time. Some ISPs ignore TTL settings and only update their cached records every two to three days.
Your domain's registry: when you change the nameservers on your domain, we send your change request to the domain registry within minutes, and they publish your NS (nameserver) records to their zone. Most registries update their zones promptly, but some can take several hours or even days.
In most cases, your DNS updates will propagate within a few hours. Because of these factors outside our control, however, you should allow up to 48 hours for any DNS changes to fully propagate across the Internet. If it's been more than 48 hours and your changes aren't reflected correctly, there may be a different cause, such as incorrect DNS settings.