[Diagram labels: Email Service Provider; Sending directly to customers; Unknown Senders; 3rd Party Support]
Malicious Email Erodes Trust
Customers
• Unauthorized Account Access
• Fraud Losses
• Lower NPS
• Brand Damage
Employees
• Unauthorized Network Access
• Data Losses
• Network Intrusions
• Malware & Infections
Result: Eroded Trust
Email Attack Types
• Email frauds
o Phishing
o Ransomware
o Business email compromise
o Data breach
o Scams
• Cousin Domain Attacks
• Display Name Abuse
Clarifying the Scope of DMARC Protection
✓ DMARC Does:
• Protect senders from spoofed email abusing their domains.
• Enable receivers to identify spoofed domain email.
• Authorize receivers to take action on email that fails to verify.
• Provide visibility into email flows.
The Value of DMARC
Senders
• Improves resiliency of email authentication infrastructure
• Provides control over brand in email channel
Receivers
• Decreases spam
• Lowers risk of hijacking
• Enables new forms of communication over email
Sender Policy Framework (SPF) – Identifies Authorized Sending Servers
[Figure labels: Single Server; Range of Servers; Specified Servers; What about no SPF record?]
DomainKeys Identified Mail (DKIM) – Identifies Authorized Sending Servers
[Figure labels: Signature Verified; What about no DKIM signature?]
Fully Authenticating Email using SPF + DKIM + DMARC
Problem: A primary vector for attacking customers and employees involves spoofing email.
The results of an attack include ATOs, fraud losses, and corporate infiltration.
Solution: SPF + DKIM + DMARC = Authenticate email so spoofed email is rejected.
Solution Stack
DMARC
• Consistency – A method to leverage the best of SPF and DKIM
SPF
• Authenticates Message Path
• Authorized senders in DNS
• Very low deployment cost
DKIM
• Authenticates Message Content
• Public encryption keys in DNS
• Requires cryptographic operation
DMARC in action
[Diagram: layers of the internet ecosystem]
• Adoption – Computer Manufacturers, OS Vendors, ISPs, Browser Makers, Certificate Authorities, Mailbox Providers, Large Sites
• Standards – TLS, DNS, TCP/IP, DKIM, MIME, SMTP, HTTP, HTML, ECMAscript (JS)
• Governance – IETF, W3C, FIDO, ITU/ISO, ICANN, IGF, ITU, CABF, MAAWG, APWG, OTA (Standards Bodies, Governance Orgs, Trade Associations)
• Public Policy – ISP Filtering, Privacy Laws, Data Sharing, Guidance, Requirements, Cybercrime Treaties (National Laws, International Agreements, Regulators)
DMARC Deployment Checklist
Sample DNS resource records
Yahoo.com DNS record
• p = reject – Policy to apply to email that fails the DMARC check. Can be "none", "quarantine", or "reject". "none" is used to collect feedback and gain visibility into email streams without impacting existing flows.
• sp = none – Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. This tag allows domain owners to explicitly publish a "wildcard" sub-domain policy.
• pct = 100 – The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time. For example, "pct=25" tells receivers to apply the "p=" policy 25% of the time against email that fails the DMARC check. NOTE: you must have a policy of "quarantine" or "reject" for the percentage tag to do anything.
• rua = mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com – The list of URIs for receivers to send XML feedback to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form "mailto:address@example.org". External destination verification is tested if applicable (DMARC Spec section 7.1).
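The tag rules above can be checked mechanically before a record is published. The following is an added example, not part of the original slides: the functions parse_dmarc and review are hypothetical names, and SAMPLE is assembled from the tag values listed above (with the standard v=DMARC1 version tag), not taken from a live DNS lookup.

```python
# Added example: parse a DMARC TXT record and flag settings that weaken it.
# SAMPLE is constructed from the tag values in the slide, not from a DNS query.
SAMPLE = ("v=DMARC1; p=reject; sp=none; pct=100; "
          "rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com")

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC record into a tag -> value dict, validating the basics."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    return tags


def review(txt):
    """Return (effective settings, findings) for a record."""
    tags = parse_dmarc(txt)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()        # sub-domains inherit p when sp is absent
    pct = int(tags.get("pct", "100"))     # receivers assume 100 when pct is absent
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
        if "pct" in tags:
            findings.append("pct has no effect while p=none")
    if sp == "none" and p != "none":
        findings.append("sp=none: sub-domains are not protected by the p policy")
    if not 0 <= pct <= 100:
        findings.append(f"pct={pct}: must be 0-100")
    elif pct < 100 and p != "none":
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    bad = [u for u in rua if not u.lower().startswith("mailto:")]
    if bad:
        findings.append(f"rua entries not of the form mailto:address: {bad}")
    if not rua:
        findings.append("no rua: no aggregate reports, no visibility")
    return {"p": p, "sp": sp, "pct": pct, "rua": rua}, findings
```

Run against SAMPLE, the only finding is the sp=none sub-domain policy; a record such as "v=DMARC1; p=none; pct=25; rua=dmarc@example.org" trips the monitoring-only, ineffective-pct and bare-address findings.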
DMARC – ALIGNMENT - DKIM
Mail Header
By Sushil Singh
@sushilsin
DMARC – ALIGNMENT – SPF -- DMARC
Sample aggregated report