Demystifying DMARC: A guide to preventing email spoofing

DMARC can stop spoofed spam and phishing from reaching you and your customers, protecting your information security and your brand. However, complexity and misconceptions deter many organizations from ever deploying it. Part mythbusting session, part implementation guide, this talk explains the shortcomings of SPF and DKIM, what DMARC is, how to deploy DMARC properly, and how to respond to DMARC reports – all without the need for an additional vendor, thanks to open source software!

Direct link to presentation

DMARC alignment

DMARC ensures that the SPF and DKIM authentication mechanisms actually authenticate the same domain that the end user sees in the message's from header.

A message passes a DMARC check by passing DKIM or SPF, as long as the related indicators are also in alignment.

DKIM
  Passing: The signature in the DKIM header is validated using a public key that is published as a DNS record of the domain name specified in the signature.
  Alignment: The signing domain aligns with the domain in the message's from header.

SPF
  Passing: The mail server's IP address is listed in the SPF record of the domain in the SMTP envelope's mail from header.
  Alignment: The domain in the SMTP envelope's mail from header aligns with the domain in the message's from header.

Deployment steps

  1. Configure email gateways to honor DMARC records and send aggregate DMARC reports
  2. Inventory domains
  3. Deploy SPF
  4. Deploy DKIM
  5. Set up mailbox for receiving DMARC reports
  6. Deploy DMARC DNS records
  7. Monitor incoming DMARC reports
  8. Adjust SPF, DKIM signing, and DMARC policies as needed

What if a third party sender can’t support DMARC?

  1. Some vendors don’t know about DMARC yet; ask about SPF and DKIM/email authentication.
    Check if they can send through your email relays instead of theirs.
  2. Do they really need to spoof your domain? Why not use the display name instead?
  3. Worst case, have that vendor send email as a specific subdomain of your domain (e.g. noreply@news.example.com), and then create separate SPF and DMARC records on news.example.com, and set p=none in that DMARC record.

Do not alter the p or sp values of the DMARC record on the Top-Level Domain (TLD) – that would leave you vulnerable to spoofing of your TLD and/or any subdomain.
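The following is an added example, not code from the talk or from checkdmarc, that ties together the alignment rules in the table above and the subdomain advice just given. It replaces DNS lookups with a constructed dictionary of TXT records and the Public Suffix List with a tiny stand-in set (both assumptions for the example); the domains example.com, news.example.com, vendor.net and attacker.net are constructed. It evaluates which DMARC policy applies to a message's from domain (the domain's own record, otherwise the organizational domain's sp= or p=), checks relaxed and strict alignment of the SPF and DKIM results, and reports the resulting verdict and disposition.

```python
"""Minimal DMARC evaluator: policy discovery plus SPF/DKIM alignment (added example)."""
from dataclasses import dataclass

# Stand-in for the Public Suffix List. Assumption for the example; real code
# must consult the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed DNS zone: the organizational domain enforces p=reject (and sp=reject
# for subdomains without their own record), while the vendor-only subdomain
# publishes its own record with p=none, as recommended above.
TXT_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. news.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def discover_policy(from_domain: str, txt=TXT_RECORDS) -> tuple:
    """The from domain's own record wins; otherwise the organizational domain's
    record applies, using sp= (if present) for subdomains. Returns (policy, tags)."""
    record = txt.get(f"_dmarc.{from_domain}")
    if record:
        tags = parse_dmarc(record)
        return tags["p"], tags
    record = txt.get(f"_dmarc.{organizational_domain(from_domain)}")
    if not record:
        return None, {}  # no DMARC record published: no policy applies
    tags = parse_dmarc(record)
    return tags.get("sp", tags["p"]), tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs only the
    same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResult:
    method: str  # "spf" or "dkim"
    result: str  # "pass", "fail", "none", ...
    domain: str  # SPF: domain of the SMTP MAIL FROM; DKIM: the d= tag of the signature


def evaluate(from_domain: str, results: list, txt=TXT_RECORDS) -> dict:
    """Combine policy discovery and alignment into a DMARC verdict and disposition."""
    policy, tags = discover_policy(from_domain, txt)
    spf_ok = any(r.method == "spf" and r.result == "pass"
                 and aligned(r.domain, from_domain, tags.get("aspf", "r")) for r in results)
    dkim_ok = any(r.method == "dkim" and r.result == "pass"
                  and aligned(r.domain, from_domain, tags.get("adkim", "r")) for r in results)
    verdict = "pass" if spf_ok or dkim_ok else "fail"
    # A passing message, or one with no record to enforce, is delivered normally;
    # otherwise the discovered policy (none/quarantine/reject) is the disposition.
    disposition = "none" if verdict == "pass" or policy is None else policy
    return {"dmarc": verdict, "policy": policy, "disposition": disposition,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Constructed messages.
    # 1. Mail sent through a vendor relay: SPF passes only for the vendor's bounce
    #    domain (not aligned), but the DKIM signature is ours, so DMARC passes.
    print(evaluate("example.com", [AuthResult("spf", "pass", "bounce.vendor.net"),
                                   AuthResult("dkim", "pass", "example.com")]))
    # 2. Spoofed from header: SPF and DKIM pass, but only for an unrelated domain,
    #    so neither aligns and p=reject applies.
    print(evaluate("example.com", [AuthResult("spf", "pass", "attacker.net"),
                                   AuthResult("dkim", "pass", "attacker.net")]))
    # 3. Vendor mail as the subdomain with failing SPF: its own p=none record means
    #    the message is still delivered while example.com stays at reject.
    print(evaluate("news.example.com", [AuthResult("spf", "fail", "vendor.net")]))
```

Note the fourth case worth checking: a subdomain with no record of its own (say mail.example.com) inherits sp=reject from example.com, which is exactly why the subdomain used by a non-compliant vendor needs its own record rather than a weakened policy at the organizational domain.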

Further reading on this problem

DMARC deployment guides

SPF and DMARC record validators

  • trustymail – By DHS; checks for compliance with BOD 18-01, including SPF, DMARC, and STARTTLS
  • checkdmarc – A Python module and CLI tool I wrote to validate and parse SPF and DMARC records

DMARC report processing services

DMARC adoption

DMARC compliant email relay services

Constant Contact

Elastic Email

Reasonably priced, fully DMARC compliant marketing and transactional email.

HubSpot

Good option if a full CRM is needed.

MailChimp

Extremely cheap bulk marketing email; extremely expensive transactional email.

Mandrill

A MailChimp add-on service for transactional email.

Mailgun

Mailjet

Email and SMS marketing.

Salesforce Marketing Cloud

SendGrid

Sendinblue

Not as cheap as Elastic Email, but cheaper than SendGrid and Mandrill, with options for SMS.

Services that must use your SMTP relays to be fully DMARC compliant
