Have you heard about DMARC?
Last week, a group of some of the largest email service providers (Gmail, Yahoo, AOL), together with organizations like Facebook and Paypal, jointly announced the release of a new method of email authentication. The new standard, called DMARC, is a way for email senders and receivers to better work together to increase email security by protecting email recipients from malicious phishing attacks and domain spoofing.
How does it work?
Essentially, email senders can now publish a DMARC record that indicates
1. which authentication tests they have in place (i.e. DKIM, SPF) and
2. what action the email service provider should undertake when an incoming email fails these tests (i.e. spam folder or outright rejection).
This provides the mailbox provider with greater certainty about the origin and identity of messages, thus taking the guesswork out of filtering incoming email. The mailbox provider sends a report back to the email sender containing information about all incoming emails claiming to be from that sender, and whether or not they were actually delivered to recipients.
What are the implications for Kenscio clients?
There are no immediate consequences for clients who do not yet have a DMARC record in place. However, given the size and importance of the players involved in the development of this standard (Gmail! Facebook!), its consequences on the email industry are likely to be of growing importance.
The new standard provides many clear benefits, especially for Kenscio clients where data security is a high priority, such as banks. However, in effect any company can benefit from publishing a DMARC record, if for no other reason than to receive the DMARC reports, which provide visibility and information about a domain’s email and any potential authentication issues.
We are currently beta-testing this with selected client systems, to get a better understanding of the impact this has. Also note that there are some circumstances in which it will not be possible to support DMARC (multi-domain systems and, in some cases, personalized from-addresses).
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC is a new technical specification that was created in order to help reduce email abuse, especially phishing attacks. DMARC standardizes how email receivers perform email authentication using the existing SPF and DKIM mechanisms.
When a sender publishes a DMARC policy, the sender clearly indicates to the mailbox provider whether the sender’s emails are protected by SPF and/or DKIM. The sender also specifically tells the mailbox provider what to do if an incoming email fails the SPF and DKIM authentication tests – i.e. block the message or divert it to the spam folder. The mailbox provider no longer has to guess how to respond to incoming mail that fails authentication tests, because DMARC clearly tells the mailbox provider how to handle such messages. Furthermore, the mailbox provider can report back to the email sender about whether incoming emails pass or fail the evaluation process.
As a result of DMARC, email senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC.
How does it work?
A DMARC policy for a particular sender is published in the DNS as text (TXT) resource records (RR).
When the mailbox provider receives an incoming mail, it checks the results of the SPF and DKIM tests. It also accesses the DMARC policy for that sender. This policy defines what an email receiver should do with incoming mail when that mail does not pass the SPF and DKIM tests.
If the mailbox provider determines that the results of the SPF and DKIM authentication tests do not meet the requirements of the published DMARC policy, it either rejects the incoming message or categorizes it as spam, depending on the instructions of the sender as defined in the DMARC record. In DMARC terms, such a message is referred to as a “non-aligned” email.
The mailbox provider reports back to the email sender about all non-aligned incoming emails.
DMARC focuses its analysis on the domain in the “from address”. This identifier is used in conjunction with the results of the underlying authentication technologies (at the moment SPF and DKIM).
The most critical factor is that the domain used for DKIM and SPF must have the same “organisation domain” as the domain in the “from address”.
With DMARC, there is essentially no difference between an email signed with the wrong DKIM and an email with no DKIM signature! (For more information on DKIM, please see DKIM signature).
Using DMARC: Set-up steps
If you are interested in creating and publishing a DMARC policy for your Kenscio eC-m system, please contact your Kenscio representative. The DMARC policy for your system will be created together with our team of dedicated, in-house deliverability experts.
The basic steps for setting up a DMARC process for your system are:
1. It is first necessary to have DKIM and/or SPF policies in place!
2. Publish a DMARC record indicating which policies you use and requesting reports from mailbox providers.
3. Analyze the data and modify your mail streams as appropriate.
4. Gradually modify your DMARC policy flags from “monitor” to “quarantine” to “reject” to improve control.
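The following is an added worked example (not Kenscio's code, nor code from any mailbox provider) that ties together two parts of this page: the alignment check described under “How does it work?” (the organisation domain of the From address compared against the domains that passed SPF and DKIM), and the staged policy rollout from step 4 above. The three DMARC TXT records, the domain names and the report address are constructed placeholders; the tiny public-suffix table is an assumption standing in for the full Public Suffix List that real receivers consult, and the `pct` tag is parsed but not sampled. The evaluation also makes the point from the “How does it work?” section concrete: a DKIM signature from the wrong domain yields exactly the same DMARC outcome as no signature at all.

```python
"""Minimal DMARC policy parser and alignment evaluator (added illustration)."""
from typing import Optional

# Constructed records, one per rollout stage. In DNS they would live at the
# TXT record of _dmarc.<sender-domain>; the report mailbox is a placeholder.
STAGED_RECORDS = {
    "monitor":    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "reject":     "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com",
}

# Assumption: a tiny stand-in for the Public Suffix List used to find the
# "organisation domain". Real receivers load the complete, current list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_dmarc(txt: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict with defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A usable record must start with v=DMARC1 and carry a policy (p=).
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=none|quarantine|reject)")
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed (default), s = strict
    tags.setdefault("aspf", "r")   # SPF alignment:  r = relaxed (default), s = strict
    tags.setdefault("pct", "100")  # share of failing mail the policy applies to (not sampled here)
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable ('organisation') domain: one label above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the longest suffix to the shortest so the longest public suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Is the authenticated domain aligned with the From domain under strict/relaxed mode?"""
    if auth_domain is None:          # no passing SPF/DKIM identifier at all
        return False
    if mode == "s":                  # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> dict:
    """Apply a DMARC record to one message.

    spf_pass_domain:  the domain whose SPF check passed (None if SPF failed/absent)
    dkim_pass_domain: the d= domain of a DKIM signature that verified (None if none did)
    DMARC passes if at least one of the two is aligned; otherwise the p= policy applies.
    """
    policy = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, policy["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


if __name__ == "__main__":
    # Same message (From example.com, SPF passed for mail.example.com, no DKIM)
    # evaluated against each rollout stage.
    for stage, record in STAGED_RECORDS.items():
        print(stage, evaluate(record, "example.com", "mail.example.com", None))
    # A verified DKIM signature from an unrelated domain counts the same as no signature.
    print("wrong d=", evaluate(STAGED_RECORDS["quarantine"], "example.com", None, "other-esp.net"))
    print("unsigned", evaluate(STAGED_RECORDS["quarantine"], "example.com", None, None))
```

Running the block shows why step 4 is gradual: the same mail that passes under the relaxed monitor and quarantine records fails under the strict `adkim=s; aspf=s` reject record, because `mail.example.com` is no longer an exact match for the From domain `example.com`. The aggregate reports requested via `rua=` are what reveal such gaps before the policy is tightened.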