Getting Started With DMARC
Table Of Contents
Part 1: Getting to Know DMARC (Page 3)
Part 2: History of DMARC (Page 6)
Part 3: How DMARC Works (Page 8)
Part 4: Getting Started with DMARC (Page 10)
Part 5: What Next? (Page 12)
Contact (Page 13)
Part 1: Getting to Know DMARC

What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It lets
email senders apply a policy to their sending domains that instructs mailbox providers on what to
do if their email authentication (SPF and DKIM) fails, such as quarantining the message to the junk
folder or rejecting the email outright so it is never delivered to the inbox holder (who is a joint
customer of both the sender and the mailbox provider). It also provides senders with information
about their sending infrastructure to help improve overall email governance and adherence to
best practices.
domain threats, those attacks that are leveraging a domain you own and control, like phishing,
loss to both consumers and brands but also indirect costs associated with the loss of consumer
trust and erosion of brand equity and reputation. Mailbox providers including Gmail, Yahoo!, AOL
Brands need to arm themselves with information and tools to protect their valuable customers
information to protect
brands and consumers from direct-domain threats.
DMARC Helps Senders and Mailbox Providers
By using DMARC, senders:
1. Protect themselves and their customers from direct-domain threats.
2. Get valuable feedback about emails that don’t pass authentication.
3. Can instruct mailbox providers on how they should handle messages that fail authentication.

By using DMARC, mailbox providers:
1. Can better identify legitimate mailers from spammers.
2. bad emails instead of good ones.
3. Help protect their mailbox holders.
DMARC Matters for Your Email Program
Email is a powerful channel for generating revenue and building strong relationships with
customers. Any company that relies on email to make money needs to ensure their program and
customers are protected. This means taking proactive steps to block fraudulent and malicious
messages from reaching customers.
It is not a matter of if, but when cybercriminals will spoof your brand. DMARC provides a
mechanism to help block phishing attacks on your valuable customers, which improves
their overall experience with your brand.
I’m a Marketer… Shouldn’t the Security Team Worry About DMARC?
Phishing is a companywide responsibility. Both marketing and security teams need to care about
DMARC as both teams have a vested interest.
Marketers spend a lot of time and effort and resources in promoting brand awareness and email
engagement. A phishing attack could destroy that in a matter of minutes.
Security teams focus on protecting company assets. And the brand’s customer base is likely the
largest asset the company has. Security teams need to partner with Marketing colleagues to
protect valuable customers and the revenue generated through the email channel.
Email brand protection is a joint imperative and both Marketing and Security teams have a shared
interest in protecting the brand and customers from malicious email traffic.
DMARC Stats

100 million+: Mailbox providers rejected hundreds of millions of messages each year because they failed the DMARC authentication check.

80 thousand: Over 80,000 domains have deployed domain-wide policies via the DMARC standard.

60%: 60% of the top sending domains publishing policy come from companies
DMARC.org

Almost two-thirds: DMARC protects almost two-thirds of the world’s consumer mailboxes and 80% of typical US customers, assuming both the sender and mailbox provider are implementing DMARC.
Part 2: History of DMARC
How DMARC Got Started
Problems with SPF and DKIM
Since 2004, industry and Internet standards groups, senders, mailbox providers, and vendors (such
as Return Path) have been working on establishing email authentication standards to prevent
email fraud.
Adoption of these authentication standards, including SPF and DKIM, became widespread across
the industry, dramatically reducing spammers’ ability to impersonate domains consumers trust.
Even so, this industry consortium noticed a problem with the authentication process: the problem
of what to do with unauthenticated mail.
Private Communications
Before DMARC was established, senders and receivers privately communicated what to do when
authentication failed.
In 2007, PayPal worked privately with Yahoo and Gmail -- telling them what to do with PayPal’s
unauthenticated email. The results of this partnership were great: PayPal experienced a significant
decrease in suspected fraudulent email.
Though these private efforts were successful, they required a lot of manual coordination. The
group streamlined the process and created a public standard to let everyone give directives to
mailbox providers about what to do with unauthenticated mail. This standard became DMARC.
Where DMARC Is Today
Today, many of these same parties form an unincorporated working group at DMARC.org. The group is dedicated to developing Internet standards to reduce the threat of email phishing and improve coordination between mailbox providers and email senders.
How DMARC Solved Problems for SPF and DKIM
Though SPF and DKIM helped reduce fraud, they did not turn out to be the silver bullet for
phishing. Lack of standard use and enforcement by ISPs and the high risk of blocking legitimate
email stalled progress.
Problems with SPF and DKIM
SPF works by publishing a record authorizing the IP addresses allowed to send on behalf of a
domain. SPF does not survive email forwarding, so it can be easily broken. DKIM attempted to
resolve this problem by cryptographically signing an email. Though DKIM survives forwarding
and is difficult to forge, it is expensive and difficult to adopt due to the computational overhead,
complexity, configuration errors, and more.
DMARC to the Rescue
DMARC resolves most of these issues by not only using both SPF and DKIM, but by providing
reports on authentication failures and giving policy control to the sender on how to handle
failures by doing nothing, quarantining the failure, or blocking it. As a result, SPF, DKIM and
DMARC greatly reduce the false positive issue.
Part 3: How DMARC Works
DMARC doesn’t directly address whether or not an email is fraudulent. Instead, messages are considered aligned if the RFC 5322
DMARC record conforms to the domain
In SPF’s case, the MFROM domain has to exactly match the organizational domain of the RFC5322 From domain. In DKIM’s case, the organizational domain of the d= value in the DKIM signature has to match the RFC5322 From domain. Only one of the two needs to align for the email to be considered in alignment.

Relaxed vs. Strict Alignment
Senders can specify a strict or relaxed alignment; relaxed alignment is the default.

Relaxed alignment allows for partial matches between SPF and/or DKIM record(s) and the RFC 5322 From domain. For instance, subdomains of a given domain can be considered aligned. An example of relaxed alignment is: facebook.com and groups.facebook.com.

Strict alignment requires exact matches. An example of strict alignment is: facebook.com and facebook.com.

DMARC lets senders indicate within their DNS record that their email is protected by SPF and/or DKIM -- and tells mailbox providers what to do if that authentication fails.
Why Does DMARC Check the RFC5322 From Domain?
The RFC5322 From domain (1) is highly visible, (2) is the domain email users come into contact with most easily, (3) is one of the most-forged parts of the email body, (4) is the only one that is guaranteed to be present, and (5) is displayed by MUAs in a way that strongly suggests it is the true originator of the message.
NOTE: An organizational domain is the brand or registered domain. For example, facebook.com is
an organizational domain while groups.facebook.com is a sub-domain.
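To make the alignment rules above concrete, here is an added Python example (not part of the original guide) that reads the aspf/adkim tags from a DMARC record and decides whether a message passes DMARC under relaxed or strict alignment. It approximates the organizational domain with the last two DNS labels; a real receiver uses the Public Suffix List.

```python
# Added example, not from the guide: evaluate DMARC alignment for one message.
# Assumption: the organizational domain is approximated by the last two DNS
# labels; real receivers consult the Public Suffix List (e.g. for co.uk).

def org_domain(domain: str) -> str:
    """Approximate organizational domain: groups.facebook.com -> facebook.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the default) accepts
    any domain sharing the RFC5322 From domain's organizational domain."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)

def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; ...' into a dict. v=DMARC1 must come first;
    unknown tags are kept but ignored, aspf/adkim default to relaxed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def dmarc_result(record: str, header_from: str, spf: tuple, dkim: tuple) -> tuple:
    """spf and dkim are (authenticated domain, result) pairs: the SPF MFROM
    domain and the DKIM d= domain with their raw results. Returns
    (dmarc result, disposition the record requests for a failure)."""
    tags = parse_dmarc_record(record)
    spf_ok = spf[1] == "pass" and is_aligned(header_from, spf[0], tags["aspf"])
    dkim_ok = dkim[1] == "pass" and is_aligned(header_from, dkim[0], tags["adkim"])
    if spf_ok or dkim_ok:  # only one identifier needs to authenticate and align
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))

if __name__ == "__main__":
    relaxed = "v=DMARC1; p=quarantine; rua=mailto:report@example.com"
    strict = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:report@example.com"
    # SPF passed for a bounce subdomain; DKIM failed (e.g. broken by a forwarder).
    message = ("example.com", ("bounce.example.com", "pass"), ("example.com", "fail"))
    print(dmarc_result(relaxed, *message))  # ('pass', 'none')
    print(dmarc_result(strict, *message))   # ('fail', 'reject')
```

The same message passes under the relaxed record and fails under the strict one, which is exactly the trade-off the next page describes for senders who use third parties for bounce handling.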
Who Uses Relaxed or Strict Alignment
Relaxed alignment can be useful for senders who contract the handling of certain mail streams
(such as bounce processing) to third parties. These senders can both use third parties and deploy
DMARC without any negative impact.
Generally, financial institutions or other high-profile organizations may be most interested in strict
alignment.
Reporting
With DMARC, senders can receive reports that include data about authentication issues they are
having with their email streams. This reporting feedback loop makes the email ecosystem a safer
place by allowing senders and receivers to communicate automatically about potential abuse.
Senders can choose to receive two types of reporting: aggregate and/or message-level (forensic).
The reports include information to give senders insight into their authentication results so they can
take action on any needed corrections, and calibrate an appropriate DMARC policy.
Receivers will send aggregate reports for all emails. Receivers who support forensic reporting will
send forensic reports only if either SPF or DKIM does not pass.
These reports can be difficult to understand, so either an in-house solution to parse the data must
be built, or a third-party solution like Return Path can be used to display the DMARC reporting data
in an easy-to-use portal, so that efforts can be focused on policy enforcement and correcting
authentication issues.
Part 4: Getting Started with DMARC
Congratulations, you are about to join the elite group of top senders that have already published a DMARC policy. Follow the steps below to get started!

1. Identify and Authenticate
Before you start blocking suspected fraudulent messages, you need to gain visibility into all of your company’s outbound mail streams. Conduct an audit to ensure that all IPs, domains, and sending environments are accounted for and are properly being authenticated.

2. Verify Alignment
Open the email headers from the emails you send. Identify the following:
• Return Path/MFrom/Envelope From domain
• Friendly From domain
• DKIM-Signature (look for the “d=” tag)
Make sure the domains are aligned.

3. Learn the DMARC Tags
There are numerous DMARC tags available, but you don’t have to use them all. Focus on the v, p, rua, and ruf tags.

4. Create an Entry
Create an entry in DNS for the zone:
“v=DMARC1; p=none; rua=mailto:report@example.com”

Aggregate and Forensic Reports
Mailbox providers send both types of reports to the addresses you specify (in the rua=mailto: or ruf=mailto: tags). Aggregate reports have 3 sections:
• Information about the mailbox provider that sent the report
• A description of your DMARC record
• A summary of authentication results. Look for the areas that show neutral, none, or failed results.
Forensic reports are sent in AFRF or IODEF format, as specified in the “rf” tag. By default, it’s AFRF. You’ll get per-message reports on individual messages that fail SPF and/or DKIM. Make sure you don’t click on any links. Use the email headers to help your investigation.
5. Set Policy to p=“none”
Though you can specify three types of policy: reject, quarantine, or none, set the policy to “none” first. This tells mailbox providers not to take action if the DMARC check fails -- allowing you to work out any kinks with your records.

6. Monitor
Start collecting reports to see if anyone is
to receive the daily aggregate reports using the rua tag from the mailbox providers by specifying your email address. Request aggregate reports in the beginning, as forensic reports (ruf) can be challenging to fully understand due to the magnitude of data that is included. Senders can quickly get inundated with the DMARC reports. Return Path’s email brand protection solutions can help with both issues through data collection and reporting that can help you make sense of it. Go here for more information.

7. Quarantine
Once you have confirmed that all of your outbound mail streams are authenticating properly, take the next step and set the DMARC DNS record ‘p=’ tag to “quarantine.”
An example record is: “v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]”
During this time, diligently check your reports within the Domain Secure solution user interface.

8. Block
Once you have resolved any errors, set the DMARC DNS record ‘p=’ tag to “reject.”
An example DMARC record is: “v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]”
Place your domains on Return Path’s Registry. This instructs the mailbox providers to block suspected fraudulent messages.
Part 5: What Next?
Use Return Path to Analyze DMARC
Though DMARC is a public standard, Return Path’s email brand protection solutions show the results of DMARC reporting in a format that is easy to read and understand so that you can focus on making important policy decisions on a domain by domain basis. The solution also analyzes and extracts data to identify trends, phishing outbreaks, authentication failures, and authentication failure resolutions.

Enhance DMARC Data with Private Data
Return Path receives more email data from major ISPs than anyone else in the world. Return Path email brand protection customers get access to this data, which provides the greatest visibility and insight available into email brand abuse.

Use the Return Path Registry
DMARC is not the only mechanism through which policy can be asserted. With either the Domain Protect or Domain Secure solution, clients can also choose to place their domains on Return Path’s Registry.
Path publishes to mailbox providers in our private channel. The Registry allows Return Path clients to specify what they would like mailbox providers to do with their unauthenticated mail.
Protect Your Brand and Your Customers from Email Brand Abuse
Do your part in the war against phishing and brand abuse by educating yourself on the full spectrum of threats, the capabilities and limitations of DMARC, authenticating your outbound mail using SPF and DKIM, and working collaboratively with your marketing and security teams to implement DMARC as
customers.
About Return Path
Return Path is the worldwide leader in email intelligence. We analyze more data about email than anyone else in the world and use that data to power products that ensure that only emails people want and expect reach the inbox. Our industry-leading email intelligence solutions utilize the world’s most comprehensive set of data to maximize the performance and accountability of email, build trust across the entire email ecosystem and protect users from spam and other abuse. We help businesses build better relationships with their customers and improve their email ROI; and we help ISPs and other mailbox providers enhance network performance and drive customer retention. Information about Return Path can be found at: returnpath.com