DMARC can stop spoofed spam and phishing from reaching you and your customers, protecting your information security and your brand. However, complexity and misconceptions deter many organizations from ever deploying it. Part mythbusting session, part implementation guide, this talk explains the shortcomings of SPF and DKIM, what DMARC is, how to deploy DMARC properly, and how to respond to DMARC reports – all without the need for an additional vendor, thanks to open source software!
DMARC ensures that the SPF and DKIM authentication mechanisms actually authenticate the same domain that the end user sees in the From header. On their own, SPF checks the SMTP envelope sender and DKIM checks whichever domain signed the message; neither has to match the visible From address, which is why a message can pass both and still be a spoof of your brand.
A message passes a DMARC check if it passes DKIM or SPF and the identifier that passed (the DKIM signing domain or the envelope sender domain) is aligned with the domain in the From header. One aligned pass is enough; a message that fails both mechanisms, or whose passing identifier is not aligned, fails DMARC.
| | DKIM | SPF |
|---|---|---|
| Passing | The signature in the DKIM-Signature header validates against the public key published in DNS at the selector and signing domain named in the signature (the s= and d= tags, i.e. selector._domainkey.domain) | The connecting mail server's IP address is authorized by the SPF record of the domain in the SMTP envelope MAIL FROM (the return path); no header inside the message is consulted |
| Alignment | The DKIM signing domain (d=) aligns with the domain in the message's From header | The envelope MAIL FROM domain aligns with the domain in the message's From header |

Alignment is relaxed by default: the organizational domains must match, so bounce.example.com aligns with example.com. The adkim and aspf tags in the DMARC record can set it to strict, which requires an exact match.
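To make the two rows of the table concrete, here is an added example (not code from the talk) that evaluates a message's DMARC verdict from SPF and DKIM results a receiving MTA has already computed, including the relaxed and strict alignment modes selected by the aspf and adkim tags. The organizational_domain helper is a deliberate simplification and is labelled as such in the code: real implementations consult the Public Suffix List. The domains in the demo cases are made up.

```python
"""Evaluate DMARC identifier alignment for one message.

Added example, not code from the talk: applies the pass + alignment rules
from the table above to SPF and DKIM verdicts a receiving MTA has already
computed. organizational_domain() is a deliberate simplification (see its
docstring); everything else follows RFC 7489 section 3.1.
"""
from dataclasses import dataclass
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Return the organizational domain used for relaxed alignment.

    ASSUMPTION: real implementations consult the Public Suffix List to find
    the registrable domain. Keeping the last two labels is right for
    example.com-style names and wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed
    (same organizational domain). Relaxed is the DMARC default."""
    f = header_from.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    header_from: str       # domain of the From header the user sees
    spf_result: str        # pass, fail, softfail, neutral, none, ...
    mail_from: str         # domain of the SMTP envelope MAIL FROM (return path)
    dkim_result: str       # pass, fail, none, ...
    dkim_d: Optional[str]  # d= tag of the verified DKIM-Signature, if any


def dmarc_check(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """Return which mechanisms passed *and* aligned, and the DMARC verdict.

    adkim/aspf are the alignment modes from the sender's DMARC record.
    """
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.mail_from, aspf)
    dkim_ok = (
        r.dkim_result == "pass"
        and r.dkim_d is not None
        and aligned(r.header_from, r.dkim_d, adkim)
    )
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    # Constructed cases. A vendor that authenticates only its own domain
    # passes SPF and DKIM yet fails DMARC for example.com: the point of DMARC.
    vendor = AuthResults("example.com", "pass", "bounce.vendor.example", "pass", "vendor.example")
    print("vendor on own domain:", dmarc_check(vendor))
    # A bounce subdomain aligns under relaxed mode but not under aspf=s.
    own = AuthResults("example.com", "pass", "bounce.example.com", "none", None)
    print("relaxed:", dmarc_check(own)["dmarc"], "strict:", dmarc_check(own, aspf="s")["dmarc"])
```

The first case is the one the table is about: both raw mechanisms pass, but for the vendor's domain, so the DMARC verdict for example.com is a fail. The second shows why most deployments leave aspf at its relaxed default until every bounce subdomain has been inventoried.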
- Configure email gateways to honor DMARC records and send aggregate DMARC reports
- Inventory domains
- Deploy SPF
- Deploy DKIM
- Set up mailbox for receiving DMARC reports
- Deploy DMARC DNS records
- Monitor incoming DMARC reports
- Adjust SPF, DKIM signing, and DMARC policies as needed
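The monitoring and adjustment steps above are driven by the aggregate (rua) XML reports that receivers send. The following added example (not the talk's code, and not parsedmarc) parses a constructed report in the RFC 7489 Appendix C format and separates traffic that passed DMARC, traffic that authenticated but under the wrong domain (typically a legitimate third party that needs an SPF include or DKIM signing for your domain), and traffic that did not authenticate at all. The report contents, domains and IP addresses are made up for the example.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example; not code from the talk and not parsedmarc. The report below is
a constructed sample in the RFC 7489 Appendix C format, embedded so the script
runs offline. Real reports arrive as .xml, .zip or .gz attachments on the rua
mailbox, one per reporting receiver per day.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>2024-01-01.example.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.attacker.example</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Return the published policy and one dict per <record>."""
    # Reports are XML from third parties: in production, use defusedxml's
    # drop-in ElementTree instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # aligned results and disposition as the receiver applied them
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
            # raw results: which domains actually signed / were SPF-checked
            "raw": [(a.tag, a.findtext("domain"), a.findtext("result"))
                    for a in auth if a.tag in ("dkim", "spf")],
        })
    return {"domain": policy["domain"], "policy": policy, "rows": rows}


def triage(report: dict) -> dict:
    """Bucket message volume into pass / misaligned / fail.

    'misaligned' rows authenticated under a domain other than the From domain:
    usually a legitimate third party that needs an SPF include or DKIM signing
    for your domain, and the thing to fix before tightening p. 'fail' rows did
    not authenticate at all.
    """
    out = {"pass": 0, "misaligned": 0, "fail": 0, "misaligned_sources": {}}
    for r in report["rows"]:
        if "pass" in (r["dkim"], r["spf"]):
            out["pass"] += r["count"]
            continue
        raw_pass = sorted({dom for _, dom, res in r["raw"] if res == "pass"})
        if raw_pass:
            out["misaligned"] += r["count"]
            out["misaligned_sources"][r["source_ip"]] = raw_pass
        else:
            out["fail"] += r["count"]
    return out


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{rep['domain']} published p={rep['policy']['p']}")
    for key, value in triage(rep).items():
        print(f"{key}: {value}")
```

Read the misaligned bucket first: in the sample, 198.51.100.7 authenticated cleanly as vendor.example while sending From example.com, which is the vendor onboarding problem discussed in the next section, not an attack. The 900 unauthenticated messages from 203.0.113.99 are what moving to p=quarantine or p=reject would stop.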
What if a third-party sender can't support DMARC?
- Some vendors don't know about DMARC yet; ask about SPF and DKIM, or "email authentication", instead. A vendor that can publish its sending hosts for your SPF record and sign with a DKIM selector under your domain is DMARC compliant whether or not they use the word.
- Check if they can send through your email relays instead of theirs.
- Do they really need to send as your domain? Often your brand can appear in the display name while the From address stays on the vendor's own domain, which keeps your DMARC policy out of the picture.
- Worst case, have that vendor send from a dedicated subdomain of your domain (e.g. news.example.com), create separate SPF and DMARC records for news.example.com, and set p=none in that subdomain's DMARC record. DMARC policy discovery looks for a record at the exact From domain before falling back to the organizational domain, so that record governs news.example.com only.
Do not weaken the p or sp values of the DMARC record on your organizational domain (example.com itself); that would leave the organizational domain and/or every subdomain without its own record open to spoofing.
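Putting the subdomain approach into record form, the following added example (not from the talk) parses DMARC TXT records and flags the weaknesses discussed above: a missing rua, p=none or a weakened sp on the organizational domain, and a reduced pct. It covers the deploy, monitor and adjust steps of the deployment list as well as the vendor subdomain case. The three records are constructed samples, with the _dmarc.weak.example record included as the mistake to avoid; the owner names and mailbox addresses are assumptions.

```python
"""Parse and lint DMARC TXT records.

Added example, not from the talk: parses the tag=value syntax of RFC 7489
section 6.3 and flags the policy weaknesses discussed above. The owner names,
record values and mailbox addresses are constructed samples.
"""
import re

# Constructed sample zone data: {TXT owner name: TXT value}
SAMPLE_RECORDS = {
    # organizational domain: enforcing for itself and every subdomain
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com"
    ),
    # dedicated vendor subdomain: its own record overrides sp for this name only
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    # the mistake to avoid: weakened organizational-domain record
    "_dmarc.weak.example": "v=DMARC1; p=none; sp=none; pct=10",
}

TAG_RE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$")
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into a tag dict, enforcing the must-have tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        tags[m.group(1).lower()] = m.group(2).strip()
    # v=DMARC1 must be the first tag, and p is required
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_RANK:
        raise ValueError("p tag missing or invalid")
    return tags


def is_valid_dmarc(txt: str) -> bool:
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def lint_dmarc(tags: dict, is_org_domain: bool) -> list:
    """Return human-readable findings; an empty list means no concerns."""
    findings = []
    p = tags["p"]
    sp = tags.get("sp", p)  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))
    if sp not in POLICY_RANK:
        findings.append(f"sp={sp} is not a valid policy")
        sp = p
    if "rua" not in tags:
        findings.append("no rua tag: you will never receive aggregate reports")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().startswith("mailto:"):
                findings.append(f"rua URI {uri.strip()!r} is not a mailto: URI")
    if is_org_domain:
        if p == "none":
            findings.append("p=none on the organizational domain: spoofing is reported but not blocked")
        if POLICY_RANK[sp] < POLICY_RANK[p]:
            findings.append(f"sp={sp} is weaker than p={p}: subdomains without their own record can be spoofed")
    if p != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}={tags[tag]} is invalid (use r or s)")
    return findings


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        tags = parse_dmarc(txt)
        # assumption for the demo: the vendor subdomain is the only non-org name
        org = name != "_dmarc.news.example.com"
        print(name, tags)
        for finding in lint_dmarc(tags, is_org_domain=org) or ["OK"]:
            print("  -", finding)
```

The subdomain record passes the lint with p=none because monitoring mode is exactly what was intended for the vendor carve-out; the same p=none on an organizational domain is flagged, as is any sp weaker than p.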
Further reading on this problem
DMARC deployment guides
- DMARC Overview
- DMARC video how to for Proofpoint
- DMARC guide for G Suite
- DMARC guide for Office 365
- DMARC guide for Cisco gateways
- Generic DMARC Deployment guide – Dmarcian
- List of DMARC Support Status of SaaS Services – Dmarcian
- DMARC Guide for 3rd Party Senders – Dmarcian
- Solutions to common problems – Dmarcian
- Reference library by OnDMARC
- SPF Deployment Guide – MSDN
- RFC 7489
SPF and DMARC record validators
- trustymail – By DHS; checks for compliance with BOD 18-01, including SPF, DMARC, and STARTTLS
- checkdmarc – A Python module and CLI tool I wrote to validate and parse SPF and DMARC records
DMARC report processing services
- Agari – Most popular provider to federal agencies, partners with NH-ISAC and others – “Contact us” pricing
- Dmarcian – Public, straightforward pricing, free public reference guides
- OnDMARC – Low cost services, extensive free public reference guides
- Proofpoint Email Fraud Defense – “Contact us” pricing; most useful for current Proofpoint customers
- Valimail – Offers “automated enforcement”; specifics unclear
- parsedmarc – Open source self-hosted DMARC report processing and analytics
Industry reports and directives
- Email Authentication Policy and Deployment Strategy for Financial Services Firms (BITS/The Financial Services Roundtable – Feb. 2013)
- DHS Binding Operational Directive (BOD) 18-01 (Oct. 2017)
- Fifty-Seven Percent of Email “From” Healthcare Industry is Fraudulent (NH-ISAC – Nov. 2017)
DMARC compliant email relay services
Reasonably priced, fully DMARC compliant marketing and transactional email.
Good option if a full CRM is needed.
Extremely cheap bulk marketing email; extremely expensive transactional email.
A MailChimp add-on service for transactional email
- Set the SMTP envelope sender (return path) for SPF alignment in the Mandrill dashboard under Settings -> Domains -> Tracking and Return Path Domain; otherwise SPF passes for Mandrill's bounce domain but is not aligned with yours, leaving DKIM as the only route to a DMARC pass
Email and SMS marketing.
Salesforce Marketing Cloud
Not as cheap as Elastic Email, but cheaper than SendGrid and Mandrill, with options for SMS.