Fighting Email Fraud with DMARC: How it Works and Why You Need It

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a technical standard for preventing email spoofing. It is intended to provide email domain owners with the option to safeguard their domain against unauthorized usage, sometimes known as "spoofing."

DMARC is built upon two existing techniques, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and provides a method for receiving mail servers to verify the legitimacy of incoming mail from a domain.

It also allows the domain owner to receive reports regarding communications that pass or fail DMARC review. DMARC enables the domain owner to publish a policy in their DNS records that specifies whether technique (SPF, DKIM, or both) should be used to assess messages and what should be done with messages that do not pass evaluation (e.g. mark them as failed or reject them).

How does DMARC work?

DMARC enables the domain owner to publish a policy in their DNS records that specifies which technique (SPF, DKIM, or both) should be used to assess messages and what should be done with messages that fail evaluation. The receiving mail server checks the message's headers for the presence of a DMARC record in the domain's DNS when a message is sent to a recipient. If a DMARC record is discovered, the server will analyze the message based on the policy provided in the record.

The examination of DMARC entails the following steps:

1. The receiving mail server examines the "From" header information to ascertain the domain from which the message claims to originate.
2. The server then looks up the domain's DMARC record in the DNS.
3. If both SPF and DKIM evaluations are successful, the message is regarded to have passed DMARC review.
4. If either SPF or DKIM evaluation fails, the server will examine the DMARC policy to determine how to handle the message. Depending on the policy, the message will either be marked as failed or refused.
5. Messages that pass or fail DMARC review can be reported to the domain owner.

DMARC has several advantages and disadvantages. Some of the PROS of DMARC include:

• DMARC aids in the prevention of email spoofing by enabling domain owners to safeguard their domain from unauthorized use.
• DMARC provides a means for receiving mail servers to verify the legitimacy of incoming mail, thereby reducing spam and phishing emails.
• DMARC allows domain owners to obtain reports about messages that pass or fail DMARC review, which can help them to discover and address any issues with their email infrastructure.
• DMARC is based on two widely accepted email server technologies, SPF and DKIM.

However, DMARC has certain disadvantages: Some of the CONS include:

• DMARC requires domain owners to make technical and time-consuming modifications to their DNS entries.
• If the DMARC policy is set to strict, legitimate messages sent through third-party mailing systems, such as mailing lists or email marketing platforms, may encounter problems.
• Not all email servers may completely support DMARC, and certain older email clients may not be able to conduct DMARC evaluation.
• DMARC can be ineffective if the attacker uses the domain name substantially similar to the true domain name, commonly known as homograph attacks.

Homograph Attacks

A homograph attack is a sort of phishing attempt that uses characters from different scripts that appear similar to the domain name's characters. These characters may originate from several languages, scripts, or keyboard layouts.

An attacker may, for instance, establish a domain name with the Cyrillic letter a instead of the Latin letter a. Although the two letters are visually quite similar, the domain name is not identical to the legitimate domain name. The attacker might then utilize this domain to send phishing emails that appear to originate from the authentic domain.

The following is an example of an attack in which the attacker uses a domain name that resembles "paypal.com" but is not identical to "paypal.com."

When a victim receives an email from the attacker's domain, they may not recognize the difference between the two letters and thus click on a link or enter their personal information, believing they are communicating with a real site.

To prevent this type of attack, domain owners can employ techniques such as IDN homograph attack prevention, which involves filtering out or converting easily confused characters, or using visual cues such as displaying the domain name in punycode, so that it is not displayed in a format that is easily confused.

It is also crucial for consumers to be aware of this form of assault and to exercise caution when interacting with unfamiliar emails, websites, or links.

Early History and Formation

DMARC was developed by a coalition of email service providers and domain owners in an effort to combat the problem of email spoofing. In 2012, a group known as the DMARC Working Group was established.

The DMARC Working Group included of representatives from AOL, Google, Yahoo, and other companies. They created the DMARC standard so that domain owners could safeguard their domains from illicit use, and so that receiving mail servers could verify that incoming mail was valid.

The DMARC Working Group released the initial version of the DMARC definition in 2011, and it has subsequently undergone many updates and revisions. The most current version of the specification, DMARC 1.1, was released in 2020.

Initially directed by industry giants such as AOL and Yahoo, the DMARC Working Group was later taken over by the Authentication and Authorization for Email (AuthIndicators) Working Group, which created DMARC and other email authentication standards.

Email service providers and domain owners have broadly accepted the DMARC standard, and it is now regarded as a crucial tool for combatting email spoofing and phishing.

The Roadmap for DMARC

There is no publicly defined roadmap for DMARC (Domain-based Message Authentication, Reporting, and Conformance), however the DMARC Working Group is continually refining and updating the standard to handle emerging threats and enhance its capabilities. The most current version of the specification, DMARC 1.1, was released in 2020.

Among the additional features added to DMARC are the following:

• The "DMARC Aggregate XML Reports" is a means for receivers to give domain owners with feedback regarding messages that passed or failed DMARC evaluation.
• The "DMARC Forensic Reports," which provide domain owners with additional information about communications that failed DMARC review, such as the message's headers and the results of SPF and DKIM evaluation.
• The "DMARC Failure Reports" provides domain owners with additional information about communications that failed DMARC examination, such as the message's headers and the results of SPF and DKIM evaluation.
• "DMARC Alignment", which allows domain owners to declare that specific parts of the message, such as the "From" header field, must be aligned with the domain name in the DMARC record in order for the message to pass DMARC review.

In addition, the DMARC working group is investigating methods to enhance the standard by adding new tags to the DMARC record and allowing domain owners greater freedom in how they utilize DMARC to secure their domain. In addition, enhancing DMARC's scalability and efficiency, and making it more compatible with other email-related standards, such as email encryption.

It is crucial to highlight that the DMARC working group is always researching and developing new ways to enhance the standard, although it is impossible to predict DMARC's future.

How to Implement - the Code

Implementing DMARC requires several steps, including the creation of a DMARC record, the publication of the record in the DNS, and the configuration of your email server to check for the DMARC record. Example of creating and publishing a DMARC record for the domain "example.com"

1. Create a DMARC record:
   v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensic.dept@example.com
   • The "v" tag specifies the version of DMARC being used (in this case, DMARC1).
   • The "p" tag specifies the policy for the domain (in this case, "none" means that messages that fail DMARC evaluation will be accepted, but marked as failed).
   • The "sp" tag specifies the policy for subdomains of the domain (in this case, "quarantine" means that messages that fail DMARC evaluation will be moved to the recipient's spam folder).
   • The "rua" tag specifies the email address where aggregate DMARC reports should be sent.
   • The "ruf" tag specifies the email address where forensic DMARC reports should be sent.
2. Publish the record in the DNS:
   example.com. IN TXT "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensic.dept@example.com"

   This will add a TXT record to the example.com domain's DNS with the DMARC record.

3. Configure your email server to check for the DMARC record:

   This step is dependent on the email server software you're employing. To check for the DMARC record, you would need to install and configure the opendmarc library if you are using Postfix.

Setting up opendmarc on Postfix

Installing the opendmarc library, configuring Postfix to utilize opendmarc, and configuring opendmarc to check for DMARC data are required to configure opendmarc with Postfix. The following is an example of how to configure opendmarc with Postfix on a Linux-based system:

1. Install the opendmarc library:
   sudo apt-get update sudo apt-get install opendmarc

   This will install the opendmarc library on your system.

2. Configure Postfix to use opendmarc:

   Add the following line to the Postfix main.cf configuration file:

   milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8893 non_smtpd_milters = inet:localhost:8893

   This instructs Postfix to use the opendmarc library for incoming mail and to listen for connections from opendmarc on port 8893.

3. Configure opendmarc to check for DMARC records:

   Edit the opendmarc.conf configuration file, and make sure that the following line is included:

   AuthservID example.com

   This tells opendmarc to use the domain "example.com" in the DMARC record.

4. Restart the Postfix and opendmarc services:
   sudo service postfix restart sudo service opendmarc restart

This is a simplified example; when setting up opendmarc with Postfix in a production context, many additional factors must be considered. It is also crucial to remember that the location and names of configuration files and commands may vary based on your system and settings. Depending on the email server software and environment, extra steps may be required to configure DMARC validation.

Validate your DMARC

Unless the DMARC record is genuine and well-formed, it may not be handled properly.

Using online tools such as https://dmarcian.com/dmarc-inspector/ or https://tools.ietf.org/html/rfc7489#appendix-C, you can validate your DMARC record to ensure that it is well-formed and to identify any potential errors.

DMARC - Get Started!

Implementing DMARC is essential for preventing unauthorized usage of your domain and preserving the integrity of your email communications. With DMARC, you may provide receiving mail servers with a mechanism to verify the legitimacy of incoming mail, and you can receive information about messages that pass or fail DMARC review, which can help you detect and resolve any issues with your email infrastructure.

Setting up DMARC may seem like a difficult undertaking, but it can be accomplished fast and easily with the correct tools and resources. There are numerous guides and videos available that will bring you through the procedure step by step.

Once you've implemented DMARC, you can rest easy knowing that your domain is protected and that you're actively combating email spoofing and phishing. Fear of the unknown should not prevent you from taking this crucial step. The benefits of DMARC considerably outweigh the time and effort required to implement it.