DMARC is an email authentication framework that builds upon SPF and DKIM. It enables email recipients to validate the authenticity of emails and determine what to do with emails that do not conform to the domain owner's SPF and DKIM policies. DMARC implementation should occur in four stages: 1) gain visibility of all email sending scenarios and IPs, 2) configure SPF and enable DKIM, 3) implement a quarantine policy, and 4) implement a reject policy and enable forensic reports. Each stage helps validate that legitimate emails are not impacted before moving to more restrictive policies.
Introduction to DMARC:
DMARC, Domain-based Message Authentication, Reporting and Conformance, is an email security framework introduced in 2014. It is a reporting mechanism built on two existing public DNS records, SPF and DKIM. It enables recipients to send back aggregate reports every 24 hours and a forensic report on each spoof attempt. In addition, the sender can define, within the DNS record, the policy they want recipients to apply to emails that do not conform to SPF and DKIM.
Brief SPF and DKIM description
SPF, Sender Policy Framework, is a mechanism which allows the recipient of your emails to verify that your email was sent out by your authorized IPs. This information is published as part of your public DNS, stating which IP addresses your emails are allowed to be sent from.
DKIM, DomainKeys Identified Mail, is a framework which allows your emails to be digitally signed before being sent out, adding a layer of integrity and authenticity.
Stages to DMARC implementation:
DMARC should be implemented in four stages.
The first stage is to gain visibility of all scenarios and relevant IPs that are being used to send out your emails. This stage may last from one to four weeks or even more, depending on your email volume and the number of outgoing email scenarios in which other parties may be involved.
The second stage is to configure or enhance SPF and enable DKIM based on the information gathered in stage one. This stage may take a day to a week, depending on who manages your DNS records and what change management policy you have in place.
Once SPF and DKIM are configured correctly, stage three is about moving the DMARC policy to quarantine. Here you want the recipient to still accept your emails that do not conform to SPF and DKIM, but to treat them with caution. The purpose is to further ensure that no scenario of your genuine emails has been missed. This stage may last from 2 to 8 weeks depending on the volume of your outgoing emails.
Stage three having confirmed that the DMARC policy has no impact on your legitimate emails, stage four implements the reject policy, with caution, over a period of one to four weeks. This takes you to 100% DMARC compliance.
https://www.dmarc360.com/
Importance of DMARC despite having SPF and DKIM implemented:
DMARC has two major purposes:
• It gives you visibility of your outgoing emails by telling the recipient where to send back aggregate or forensic reports of what happened when they received your email. The information in the reports includes where your email came from (IP), whether it was authorized by your SPF, and whether it carried your digital signature (DKIM). From this information you can further understand your genuine outgoing email environment and accordingly enhance your overall outgoing email setup of SPF and DKIM.
• It enables you to define the policy for the action you want the recipient to take on emails that do not pass SPF and DKIM checks.
Stage one - Enabling Aggregate Reports:
Understanding DMARC aggregate report:
As part of the DMARC framework, recipients of your emails (other parties) that have enabled the DMARC check will send back to you (the sender) one email (report) every 24 hours with the total number of emails the other party received claiming to be from you. This report also includes information:
• About the IP from which these mails were sent out (originated).
• Whether that IP is part of your authorized IPs as stated in your public DNS SPF record.
• Whether the mail carried your digital signature as stated in your public DNS record.
FAQs
Is there any confidential data in the DMARC aggregate report?
No, it does not contain any confidential data such as the header, subject, body or any attachment of that email.
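As an added example (not code from this page or from dmarc360), the following Python script reads an aggregate report in the XML format defined by RFC 7489 and summarizes it per sending IP, which is exactly the stage-one work of finding every delivery point. The report embedded in it is a constructed sample; the domains and IPs are documentation placeholders, and the sample also makes the point above visible: the record carries source IP, message count and SPF/DKIM results, but no subject, body or attachment.

```python
"""Summarize a DMARC aggregate (RUA) report, one row per sending IP.

Added example; the XML below is a constructed sample in the RFC 7489
Appendix C report format, not a report received by anyone."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one authenticated source, one unlisted sender with
# real volume (likely a forgotten vendor), and one low-volume spoof attempt.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return {source_ip: {"count": n, "spf": set, "dkim": set, "disposition": set}}.

    Counts are merged when the same IP appears in several <record> elements."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "spf": set(), "dkim": set(),
                                   "disposition": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        entry = summary[row.findtext("source_ip")]
        entry["count"] += int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        entry["spf"].add(evaluated.findtext("spf"))
        entry["dkim"].add(evaluated.findtext("dkim"))
        entry["disposition"].add(evaluated.findtext("disposition"))
    return dict(summary)


def unauthenticated_sources(summary):
    """IPs whose mail never passed SPF or DKIM: each one is either a sending
    point still missing from SPF/DKIM or a spoofing source, and must be
    classified before the policy moves beyond p=none."""
    return sorted(ip for ip, entry in summary.items()
                  if "pass" not in entry["spf"] and "pass" not in entry["dkim"])


def report_domain_and_policy(xml_text):
    """Domain the report is about and the policy the receiver saw published."""
    published = ET.fromstring(xml_text).find("policy_published")
    return published.findtext("domain"), published.findtext("p")


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print("report for", report_domain_and_policy(SAMPLE_REPORT))
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} count={e['count']:4} spf={sorted(e['spf'])} "
              f"dkim={sorted(e['dkim'])}")
    print("investigate:", unauthenticated_sources(summary))
```

Running it over a day's worth of real reports and sorting by count is the usual way to surface a vendor that was never added to SPF: it shows up as an unauthenticated IP with steady volume, while spoofing shows up as scattered low-count sources.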
Why do I need this first stage of implementation?
The purpose of this first stage is to ensure that there is no impact on your email delivery, along with getting visibility and understanding of your outgoing email delivery points.
What if the receiver is not checking the DMARC record?
The mail will be treated in the normal manner without any DMARC validation.
At this stage, will any of my emails get blocked by the receiver?
No, there is no impact on or blockage of any of your emails.
Understanding DMARC policy
This policy is published as part of your public DNS record. Its objective is to inform the receiver what to do with an email that claims to be from you but does not carry your digital signature.
One example scenario we may identify is that your organization uses third parties, such as marketing vendors, who send out emails on your behalf.
This first stage enables us to move on to stage 2 by accurately identifying all email delivery points, so that digital signatures can be enabled on all of them. Once we have identified those points, we will also publish them (their IPs) in your public DNS SPF record, so the receiver can verify the legitimacy of your emails.
During the first stage of DMARC implementation your emails do not yet carry digital signatures, so the policy of 'none' tells the receiver to accept the mail in the normal manner. Hence there is no impact (blocking) on your emails by any receiver that has enabled the DMARC check.
Have any email service providers enabled DMARC check on incoming emails?
Most of the common email service providers used by a large number of organizations have enabled the DMARC check by default.
List of Email Service Providers with default DMARC check:
• Google
• Yahoo
• Messagelabs
• Microsoft Outlook
• Zoho Mail
• AOL Mail
Once you initiate stage 1, you will know this fact from the daily number of reports that you receive.
Stage Two - Enhancing SPF & Configuring DKIM:
What does enhancing SPF record mean from an IP perspective?
After stage 1 we will have more clarity as to which of your email providers' IPs are being used to send out your emails. The first step in this stage is to review your current process for outgoing emails and identify any recommended changes. This is reflected by adding or removing IPs that may or may not be involved as your outgoing email IPs. With that information, we can configure those IPs in the DNS record as your authorized IPs for sending out your emails.
If I have SPF, why do I need DKIM?
There are two major reasons why you need a digital signature (DKIM) even though you have published your authorized IPs (SPF) and the receiver can tell whether the email came from those IPs.
1: An attacker can send out a forged email pretending to be from your IP address (known as IP spoofing).
2: When an organization has a third party, e.g. a marketing company, sending emails on its behalf, those emails will be perceived as fraudulent because they are not authorized in the SPF record. You may get around this by including the third party's sending IPs in your authorized IP list, but when they change their IPs for their own reasons it can be challenging to keep their IP list current in your SPF configuration.
What does enhancing SPF record mean from a syntax perspective?
An SPF record has an additional parameter on top of your authorized IPs. This parameter is the message to the recipient of your emails telling them what to do if they receive an email that did not come from one of your authorized IPs. Normally, at this stage the confidence that all your authorized IPs have been identified is low, so your message to recipients is that they should accept the email anyway but treat it with caution.
Following are the three options that you may provide in the SPF record to the recipient of your emails:
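As an added example that is not part of the original page, the Python below shows both sides of the two SPF questions above: how a stage-two record lists authorized IPs, and how the trailing "all" qualifier carries the "accept anyway but with caution" message (softfail) versus a hard fail. The records and IPs are constructed; only ip4/ip6/all terms are evaluated locally, while include/a/mx terms are counted against the RFC 7208 limit of 10 DNS lookups but not resolved, because that would need live DNS. The qualifier table is the full RFC 7208 set, which goes slightly beyond the three options the text refers to.

```python
"""Evaluate the locally decidable part of an SPF record and run a few
pre-publication checks. Added example; records and IPs are constructed.
ip4/ip6/all are evaluated here; include/a/mx/ptr/exists/redirect need DNS,
so they are only counted against the RFC 7208 limit of 10 lookups."""
import ipaddress

# Result each qualifier maps to (RFC 7208 section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stage-two record: own mail servers, one vendor, and a soft
# "all" because confidence in the IP inventory is still low at this stage.
STAGE2_RECORD = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
                 "include:_spf.marketing-vendor.example ~all")
# Same record with a hard fail, for when the inventory is trusted.
STRICT_RECORD = STAGE2_RECORD.replace("~all", "-all")


def parse_spf(record):
    """Split a TXT record into (qualifier, name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                 # modifier such as redirect= or exp=
            name, value = term.split("=", 1)
        elif ":" in term:               # mechanism with an argument
            name, value = term.split(":", 1)
        else:                           # bare mechanism such as mx, a/24, all
            name, value = term, None
        parsed.append((qualifier, name.split("/")[0].lower(), value))
    return parsed


def dns_lookup_count(record):
    """Terms that cost a DNS query; more than 10 makes receivers return permerror."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def evaluate_ip(record, sender_ip):
    """SPF result for sender_ip from the ip4/ip6/all terms, in record order."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            # A mismatched address family never matches; the 'in' test handles it.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # include/a/mx/...: skipped here because resolving them needs DNS
    return "neutral"  # no "all" term: RFC 7208 default result


def lint_spf(record):
    """Checks a practitioner runs before publishing an enhanced record."""
    issues = []
    terms = parse_spf(record)
    if not any(name == "all" for _, name, _ in terms):
        issues.append("no 'all' term: unlisted senders get neutral")
    if any(name == "all" and q == "+" for q, name, _ in terms):
        issues.append("'+all' authorizes every IP on the internet")
    if dns_lookup_count(record) > 10:
        issues.append("more than 10 DNS-lookup terms: receivers return permerror")
    return issues


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(ip, evaluate_ip(STAGE2_RECORD, ip), evaluate_ip(STRICT_RECORD, ip))
    print("lookups:", dns_lookup_count(STAGE2_RECORD),
          "issues:", lint_spf(STAGE2_RECORD))
```

The lint step matters at the point in the text where vendor IPs are being added: every include: the vendor asks for costs a DNS lookup, and a record that grows past ten of them fails for every receiver at once, which is worse than the softfail it was meant to tighten.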
Stage Three - The Quarantine Policy:
What is the quarantine policy?
DMARC quarantine policy tells the recipient of your emails that if both SPF and DKIM checks fail, accept the email but mark it as spam.
Will this policy impact all my emails?
No, it will not.
We only move to stage 3 once we have high confidence that we have identified all the outgoing email points (IPs) and have accordingly configured the authorized IPs and digital signatures for all those points.
In this stage we incrementally increase the percentage of emails that will be affected by this policy if they fail BOTH the SPF and the DKIM check. There is a low probability of any legitimate emails being affected by this policy.
This means we first apply the policy to only 10% of your outgoing emails that fail both the SPF and DKIM checks, so the other 90% of emails that fail both checks are still accepted by the recipient as genuine. This gives us an overview of which emails are being affected by the policy and allows us to verify that no legitimate emails are being quarantined. If any legitimate emails are affected by this policy, this needs to be addressed by fixing or enhancing the SPF and DKIM records.
What will qualify me for applying this policy on all my emails?
As mentioned, we incrementally increase the percentage of emails affected by this policy. If at a low percentage level NO legitimate emails get quarantined, we move on to a higher percentage until we reach 100%. At each percentage level the impact on emails is analyzed to verify that legitimate emails are NOT being quarantined, eventually leading to the quarantine policy on 100% of the emails. This enables us to move on to stage 4 of DMARC.
Stage Four - Reject Policy & Forensic Reports:
What is the Reject policy of DMARC?
DMARC reject policy tells the recipient of your emails that if both SPF and DKIM checks fail, reject the email.
Will this policy impact all my emails?
Yes, it will impact all your emails.
The quarantine policy percentage levels help verify that no legitimate email is affected by the DMARC policy, in other words that your SPF and DKIM records are properly configured with all your email sending points authorized. This enables the reject policy to be applied to 100% of your emails, which makes you DMARC compliant.
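As an added example (not the page's or dmarc360's code), the Python below parses a DMARC TXT record and computes, following RFC 7489, the disposition a receiver applies to a single message. One block covers the three policy passages of this guide: the 'none' policy of stage one, the quarantine policy with its 10% rollout in stage three, and the reject policy of this stage. The records, domain and report addresses are constructed placeholders; the ruf= and fo=1 tags in the stage-four record are the RFC 7489 tags that request forensic (failure) reports.

```python
"""Parse a DMARC TXT record and work out the disposition a receiving server
applies to one message, including the pct sampling used in a staged rollout.

Added example; the records below are constructed and the mailto addresses
are placeholders. Rules follow RFC 7489: a message passes DMARC if aligned
SPF or aligned DKIM passes; on failure, p= applies to pct% of failing
messages and the next less severe policy (reject->quarantine,
quarantine->none) applies to the rest."""

POLICIES = ("none", "quarantine", "reject")

# Constructed records for the four stages described in the text.
STAGE1_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com"
STAGE3_10PCT_RECORD = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-agg@example.com"
STAGE3_FULL_RECORD = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-agg@example.com"
# ruf= and fo=1 ask receivers for a forensic (failure) report on every failure.
STAGE4_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
                 "ruf=mailto:dmarc-forensic@example.com; fo=1")


def parse_dmarc(record):
    """Return the record's tags as a dict; pct defaults to 100 per the RFC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=")
    tags["pct"] = int(tags.get("pct", "100"))
    if tags["p"] not in POLICIES or not 0 <= tags["pct"] <= 100:
        raise ValueError("unsupported policy or pct value")
    return tags


def dmarc_passes(spf_aligned_pass, dkim_aligned_pass):
    """DMARC needs only one aligned mechanism to pass."""
    return spf_aligned_pass or dkim_aligned_pass


def disposition(record, spf_aligned_pass, dkim_aligned_pass, sample):
    """Disposition for one message: 'none', 'quarantine' or 'reject'.

    sample is the value in [0, 100) the receiver draws for this message;
    the published policy applies when it falls below pct."""
    tags = parse_dmarc(record)
    if dmarc_passes(spf_aligned_pass, dkim_aligned_pass):
        return "none"
    policy = tags["p"]
    if sample < tags["pct"]:
        return policy
    # Outside the sampled share the RFC steps the policy down one level.
    return POLICIES[max(POLICIES.index(policy) - 1, 0)]


def simulate(record, n_failing=100):
    """Dispositions for n_failing messages that fail both checks, with sample
    values spread evenly so the pct share comes out exact."""
    counts = {p: 0 for p in POLICIES}
    for i in range(n_failing):
        counts[disposition(record, False, False, i * 100 / n_failing)] += 1
    return counts


if __name__ == "__main__":
    for name, rec in (("stage 1", STAGE1_RECORD), ("stage 3 @10%", STAGE3_10PCT_RECORD),
                      ("stage 3 @100%", STAGE3_FULL_RECORD), ("stage 4", STAGE4_RECORD)):
        print(f"{name:14} {simulate(rec)}")
```

The simulation makes the 10%/90% split of the quarantine passage concrete, and it also shows the step-down rule that matters when reject is rolled out gradually: a p=reject record with pct=50 does not deliver the unsampled half normally, it quarantines it.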