
Domain-based Message Authentication, Reporting, and Conformance (DMARC) Overview

By Sushil Singh @sushilsin


Email, Email Everywhere (from Anywhere)

[Diagram: the many sources of email that claim a domain: an Email Service Provider, servers sending directly to customers, unknown senders, and 3rd-party support]

Malicious Email Erodes Trust

We all rely on email being a trusted channel of communication, and malicious email erodes trust when it attacks customers and employees.

Customers: unauthorized account access, fraud losses, lower NPS, brand damage
Employees: unauthorized network access, data losses, network intrusions, malware and infections

Result: eroded trust

Email Attack Types

• Spoofed Domain Attacks
• Cousin Domain Attacks
• Display Name Abuse

Email frauds:
  o Phishing
  o Ransomware
  o Business email compromise
  o Data breach
  o Scams

Clarifying the Scope of DMARC Protection

✓ DMARC Does:
• Protect senders from spoofed email abusing their domains.
• Enable receivers to identify spoofed domain email.
• Authorize receivers to take action on email that fails to verify.
• Provide visibility into email flows.

✗ DMARC Does Not:
• Address whether or not the content is unwanted or malicious.
• Require receivers to obey the sender policy record (e.g. local policy overrides).
• Address “cousin domain” and “display name” abuse vectors.

The Value of DMARC

Senders:
• Improves resiliency of email authentication infrastructure
• Provides control over brand in email channel
• Lowers risk of hijacking
• Enables new forms of communication over email

Receivers:
• Decreases spam
• Lowers risk of hijacking
• Enables new forms of communications over email

Sender Policy Framework (SPF) – Identifies Authorized Sending Servers

[Diagram: an SPF record can authorize a single server, a range of servers, or specified servers. What about no SPF record?]
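To make the three diagram cases (single server, range, specified servers) and the "no SPF record" case concrete, here is an added example that is not from the deck: a minimal SPF evaluator in Python that reads records from a constructed in-memory DNS table instead of live DNS. The domain names and addresses are invented, and only the ip4, ip6, include and all terms are handled.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS TXT lookups (no network needed).
DNS_TXT = {
    "single.example":    "v=spf1 ip4:192.0.2.10 -all",          # one server
    "range.example":     "v=spf1 ip4:192.0.2.0/24 -all",        # a range of servers
    "specified.example": "v=spf1 include:_spf.esp.example ip6:2001:db8::/32 -all",
    "_spf.esp.example":  "v=spf1 ip4:198.51.100.0/25 -all",     # e.g. an ESP's servers
    # "nospf.example" deliberately has no record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Return the SPF result for client_ip sending with MAIL FROM domain.
    Returns 'none' when the domain publishes no SPF record at all."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # the "what about no SPF record?" case
    if depth > 10:
        return "permerror"                 # RFC 7208 caps lookups per evaluation
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]   # catch-all decides everything not matched above
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # ip4 address vs ip6 network (or vice versa) never matches
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the referenced record yields "pass"
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term
```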
DomainKeys Identified Mail (DKIM) – Identifies Authorized Sending Servers

[Diagram: the sender signs the email; the receiver fetches the public key from DNS and verifies the signature. What about no DKIM signature?]
Fully Authenticating Email using SPF + DKIM + DMARC

Problem: A primary vector for attacking customers and employees involves spoofing email. The results of an attack include account takeovers (ATOs), fraud losses, and corporate infiltration.
Solution: SPF + DKIM + DMARC = Authenticate email so spoofed email is rejected.

DMARC Solution Stack
• Consistency – A method to leverage the best of SPF and DKIM
• Visibility – Reports on how receivers process inbound email
• Policy – Senders declare how to process unauthenticated email

SPF
• Authenticates Message Path
• Authorized senders in DNS
• Very low deployment cost

DKIM
• Authenticates Message Content
• Public encryption keys in DNS
• Requires cryptographic operation

DMARC in action

DMARC – Domain-based Message Authentication, Reporting & Conformance

[Diagram: swimlane, sender to receiver]
DMARC Ecosystem

[Diagram: the layers of the ecosystem in which DMARC sits]
Adoption: firmware security auto-patching support, secure operating systems, Internet filtering, public audit, HSTS support, CSP support, email AuthN (SPF + DKIM + DMARC), STS + reporting, CSP
Actors: computer manufacturers, OS vendors, ISPs, certificate authorities, browser makers, mailbox providers, large sites
Standards – Core: PKI, DNSSEC, IPSEC, TLS, DNS, TCP/IP
Standards – Email: SPF, DMARC, ARF, DKIM, MIME, SMTP
Standards – Web: CSP, CORS, HSTS, HTTP, HTML, ECMAScript (JS)
Governance: standards bodies (IETF, W3C, FIDO, ITU/ISO), governance orgs (ICANN, IGF, ITU), trade associations (CABF, MAAWG, APWG, OTA)
Public Policy: ISP filtering, privacy laws, data sharing guidance, cybercrime treaties, requirements; national laws, international agreements, regulators

DMARC Deployment Checklist

1. Deploy a DMARC “none” Policy to Receive Reports
2. Review DMARC Reports
3. Develop Comprehensive Email Security Guidelines
4. Catalog All Known Sending Flows
5. Deploy SPF or Review Existing SPF Records
6. Deploy DKIM or Review Signing Practices
7. Review DMARC Reports & Adjust as Necessary
8. Increase DMARC Policy Protection (e.g. through “quarantine” to “reject”)
9. Require Vendors to Follow Similar Email Security Guidelines

Sample DNS resource records

Yahoo.com DNS record (DMARC tags, values and explanations)

p = reject
    Policy to apply to email that fails the DMARC check. Can be "none", "quarantine", or "reject". "none" is used to collect feedback and gain visibility into email streams without impacting existing flows.

sp = none
    Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. This tag allows domain owners to explicitly publish a "wildcard" sub-domain policy.

pct = 100
    The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time. For example, "pct=25" tells receivers to apply the "p=" policy 25% of the time against email that fails the DMARC check. NOTE: you must have a policy of "quarantine" or "reject" for the percentage tag to do anything.

rua = mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com
    The list of URIs for receivers to send XML feedback to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form "mailto:address@example.org". External destination verification is tested if applicable (DMARC Spec section 7.1).

DMARC – Alignment – DKIM

[Slide: mail header example showing DKIM alignment]

DMARC – Alignment – SPF

[Slide: example showing SPF alignment]
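As an added example that is not part of the deck, the Python below ties the tag table and the two alignment slides together: it parses a DMARC record such as the Yahoo one, applies relaxed or strict identifier alignment for the SPF domain and the DKIM d= domains, and returns the disposition using the p/sp/pct rules. The organizational-domain helper is a stated simplification (last two labels; a real receiver uses the Public Suffix List), and the `roll` argument is a constructed stand-in for the receiver's random pct sampling.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment, 100% by default
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])                   # sp defaults to p when absent
    return tags


def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # A real receiver derives it from the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Relaxed ("r") alignment matches organizational domains; strict ("s") needs an exact match."""
    if not auth_domain:
        return False
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record, record_domain, header_from, spf_domain, spf_pass,
                      dkim_domains, roll=0):
    """Return (dmarc_result, disposition) for one message.
    spf_domain/spf_pass: MAIL FROM domain and whether SPF passed for it;
    dkim_domains: d= domains of signatures that verified;
    roll: 0-99, constructed stand-in for the receiver's random pct sampling."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = any(aligned(header_from, d, tags["adkim"]) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"               # one aligned, passing identifier is enough
    # p applies to the record's own domain, sp to its sub-domains
    policy = (tags["p"] if header_from.lower() == record_domain.lower() else tags["sp"]).lower()
    if roll >= int(tags["pct"]):            # not sampled: step the policy down one level
        policy = "quarantine" if policy == "reject" else "none"
    return "fail", policy


# The Yahoo record from the slide, written out as one TXT string
YAHOO = ("v=DMARC1; p=reject; sp=none; pct=100; "
         "rua=mailto:dmarc-yahoo-rua@yahoo-inc.com,mailto:dmarc_y_rua@yahoo.com")
```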
Sample aggregated report
