• Subscribe   
  • Subscribe   

Authentication blog series: Part 3 - DMARC

DMARC what it is and how it works

In this final post of my authentication blog series I focus on DMARC and how it uses SPF and DKIM to close the loop on email authentication.

What is Domain-based Message Authentication, Reporting and Conformance (DMARC)?

DMARC basically standardizes how email receivers perform email authentication using SPF and DKIM, enabling consistent results for the sender’s messages.

Most of the major webmail providers: AOL, Gmail, Hotmail, Yahoo would use this authentication reporting tool.

High-level principles of DMARC:

  • Senders opt-in by publishing a DMARC policy
  • Receivers provide feedback so that Senders can close gaps (and identify phishing attempts)
  • Senders increase the level of authenticated email being delivered
  • Receivers can identify and block unauthenticated email (as published by the Sender’s DMARC policy)

How DMARC works:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if one or both authentication methods fail. The policy will direct the receiver to mark non-compliant emails as spam, proceed to quarantine or reject the email.

DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the end user’s exposure to potentially fraudulent or harmful messages.

DMARC also provides a way for the email Receiver to report back to the sender about emails that pass or fail DMARC evaluation.

A real world example:

Joe works at My Company. My Company has a very security conscious domain administrator who has previously implemented SPF and DKIM on all of the company’s mailservers. He now decides to implement DMARC.

DMARC Illustration of the whole process

1. My Company’s domain administrator gets his list of domains that send on behalf of the company (Including external vendors/marketers). This list contains the IP addresses of all servers that send emails on MyCompany’s behalf.

2. The domain administrator sets up an email address that will receive all of My Company’s reports regarding DMARC activity.

3. The domain administrator deploys a DMARC DNS record for every domain on his list. When he sets up the configuration, he will specify the following:

a. What email address the reports need to be sent to

b. The policy directive on how to handle emails that fail SPF or DKIM or both, i.e.

i. None – this will deliver to the end user and report back to the domain owner only

ii. Quarantine/Spam – this will deliver to the end users spam folder

iii. Reject – Cancels the email and does not deliver to end user

c. The percentage of messages affected. This is used when the domain owner has not set up policies on all domains, as he is ramping up the deployment of DMARC i.e. he expects only 70% of emails from the organization to pass these tests. This means that only when more than 30% of messages fail, will the DMARC policy be applied. Ultimately, the domain owner should aim at having this policy applied to 100% of emails.

Joe decides to send an email to Mike. He is using a My Company Mailserver that has DMARC set up;

DMARC Illustration

1. Mike’s mailserver receives the connection from the MyCompany Domain. It performs the SPF validation which passes.

2. Mike’s mailserver then retrieves the DMARC policies for the email from the My Company domain and then downloads the full email from the MyCompany mailserver.

3. Mike’s mailserver then does the DKIM check which passes the checksum validation.

4. As both SPF and DKIM have passed, the DMARC policy states that the email can be delivered to the end user (Mike’s mailbox)

5. A report is sent to the email address for the My Company domain (usually set up as a daily report) stating that the emails to Mike’s mailserver where successful.

A phisher tries to send Mike an email, pretending to be from [email protected]

DMARC Illustration Phishing

1. Mike’s mailserver receives the connection from the MyCompany Domain. It performs the SPF validation which passes.

2. Mike’s mailserver then retrieves the DMARC policies for the email from the My Company domain and then downloads the full email from the MyCompany mailserver.

3. Mike’s mailserver then does the DKIM check which passes the checksum validation.

4. As both SPF and DKIM have passed, the DMARC policy states that the email can be delivered to the end user (Mike’s mailbox)

5. A report is sent to the email address for the My Company domain (usually set up as a daily report) stating that the emails to Mike’s mailserver where successful.

A phisher tries to send Mike an email, pretending to be from [email protected]

Improve the customer experience with secure document delivery today

 

By submitting your details via this form, you are consenting that we receive and store your information for the exclusive purpose of contacting you.
  • We will not share or publish your information or process it for any other reason.
  • Once your request is fulfilled, we will either delete your information or request your consent for further processing.
  • Please find additional information in our Privacy policy.
View our Terms of use | Protected by reCAPTCHA.

Striata Communications

Striata Communications

Solutions Architect at Striata, South Africa

Michelle is a Solutions Architect at Striata SA, focusing on developing solutions that deliver all aspects of electronic document delivery, including paperless adoption, deliverability and security consulting.

Michelle has 10 years experience in mobile and messaging related positions.- initially as Channel Head of Mobile at Standard Bank South Africa, and then Head of eBilling at Striata.

Michelle has extensive experience in executing the delivery of large IT projects within complex organisational structures. She is passionate about mobile technology, social media, digital innovation, customer experience management and driving adoption of digital customer communications.

Read more of Michelle’s blog posts here or connect with her on the following social channels: