Phishing attacks are a real danger for every business. They can severely damage the brand name, erode trust and drive clients away. Attackers can spam or phish with emails that use your brand logo and look just like your emails. Even you won’t see a difference between one of these fake emails and the original emails sent from your servers. We have already talked about SPF and how it verifies the outgoing mail server. There is also another technology, DKIM, for signing emails. Domain-based Message Authentication, Reporting and Conformance (DMARC) uses both of them to take pre-defined actions. It offers double protection for lowering the chances of phishing and a reporting system for better management.
Why are SPF and DKIM not enough?
SPF – Sender Policy Framework has the goal of validating the senders’ servers. The receivers check the SPF record and see the IP address. It should match the IP address of the sender’s domain.
A problem with SPF is that the SPF record applies to the return path domain, not to the domain that shows in the “From” field in the user interface. DMARC fixes this flaw with alignment: a match between the visible “From” domain and the domain authenticated by SPF.
DKIM – DomainKeys Identified Mail. The owner can use DKIM to sign the emails that it sends. The emails will have extra data (encrypted) in the header that can be verified through the DNS. This technology is not flawless either. Many companies don’t rotate the key, and that can be a big problem. This is another thing that DMARC fixes. It provides rotating keys.
DMARC is an authentication, policy and reporting protocol. It uses both SPF and DKIM and adds linkage to the “From” domain name, policies for handling the incoming email in case of failure and something very important – reports for the sender. That way the sender can see if there is a problem, and act on it.
The main purpose of DMARC is to protect against direct domain spoofing. If an attacker tries to send email from an unauthorized source, DMARC will detect it and block it.
How does DMARC work?
We have already mentioned that DMARC uses policies. The administrator sets them, defining the email authentication practices and what the receiving email server should do if an email violates a policy.
When the receiving email server gets a new email, it makes a DNS lookup to check the DMARC record. It will check:
- If the DKIM signature is valid.
- If the IP address of the sender is one of those allowed by the SPF record.
- If the header shows proper “domain alignment”.
With all of the above taken into consideration, the server applies the DMARC policy to accept, reject or flag the email.
In the end, the server will send a message to the sender with a report.
Benefits for the sender of the email
- Shows that the email uses authentication – SPF and DKIM.
- Receives feedback about the sent email.
- Policy for failed email.
Benefits for the receiver of the email
- Provides authentication for the incoming emails
- Evaluates SPF and DKIM
- Sees what the sender prefers – policy
- Returns feedback to the sender
DMARC Record example:
DMARC records are simple text (TXT) DNS records. They look like this:
V – the version of the protocol. In the example it is version 1
Pct – % of the messages that are subject to filtering (pct=20)
Ruf – URI for forensic reports (ruf=mailto:firstname.lastname@example.org)
Rua – URI for aggregate reporting (rua=mailto:email@example.com)
P – Policy, organizational domain (p=quarantine)
Sp – Policy, subdomains of the organizational domain (sp=reject)
Adkim – Alignment for DKIM (adkim=s)
Aspf – Alignment for SPF (aspf=r)
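To see how these tags drive the receiver's decision, here is an added example (not code from the original article) that parses a record built from the tag values listed above and applies the alignment and policy rules. The tag order, the "DMARC1" version string, the helper names, the sample sending domains and the two-label organizational domain shortcut are assumptions.

```python
# Constructed record: the tag values are the ones listed above; tag order and
# the literal "DMARC1" version string are assumptions.
RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=20; adkim=s; aspf=r; "
          "rua=mailto:email@example.com; "
          "ruf=mailto:firstname.lastname@example.org")

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict; v=DMARC1 must be the first tag."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("not a DMARC record")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def evaluate(tags, from_dom, spf_pass, spf_dom, dkim_pass, dkim_dom):
    """Return 'pass' or the policy the receiver is asked to apply.
    Assumes the record is published at the organizational domain;
    pct sampling is not modelled."""
    spf_ok = spf_pass and aligned(from_dom, spf_dom, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_dom, dkim_dom, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass"
    is_subdomain = from_dom.lower() != org_domain(from_dom)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

if __name__ == "__main__":
    t = parse_dmarc(RECORD)
    # Constructed cases: relaxed SPF match, strict DKIM mismatch, spoofed subdomain.
    print(evaluate(t, "example.com", True, "bounce.example.com", False, ""))
    print(evaluate(t, "example.com", False, "", True, "mail.example.com"))
    print(evaluate(t, "news.example.com", True, "unrelated.test", False, ""))
```

The second case shows why adkim=s matters: a valid DKIM signature from mail.example.com does not align with a “From” of example.com under strict mode, so the message falls to p=quarantine.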
Conclusion about DMARC
DMARC can significantly lower the number of fraudulent emails and spam. It is not 100% bulletproof, but it adds a lot of extra protection in comparison with the other two solutions – SPF and DKIM. The reporting functionality is a welcome plus too.