Getting startedwithdmarc5
- 1. Getting Started With DMARC page 1 | Share this: Getting Started With DMARC
- 2. Table Of Contents Part 1: Getting to Know DMARC Page 3 Part 2: History of DMARC Page 6 Part 3: How DMARC Works Page 8 Part 4: Getting Started with DMARC Page 10 Part 5: What Next? Page 12 Contact Page 13
- 3. What is DMARC? DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It lets email senders apply a policy to their sending domains that instructs mailbox providers on what to do if their email authentication (SPF and DKIM) fails — such as quarantine the message to the junk folder or reject the email outright from being delivered to the inbox holder, which is joint customer of both the sender and mailbox provider). It also provides senders with information about their sending infrastructure to help improve overall email governance and adherence to best practices. Getting Started With DMARC page 3 | Share this: domain threats, those attacks that are leveraging a domain you own and control, like phishing, loss to both consumers and brands but also indirect costs associated with the loss of consumer trust and erosion of brand equity and reputation. Mailbox providers including Gmail, Yahoo!, AOL Brands need to arm themselves with information and tools to protect their valuable customers information to protect brands and consumers from direct-domain threats. DMARC Helps Senders and Mailbox Providers By using DMARC, senders: 1. Protect themselves and their customers from direct-domain threats. 2. Get valuable feedback about emails that don’t pass authentication. 3. Can instruct mailbox providers on how they should handle messages that fail authentication. By using DMARC, mailbox providers: 1. Can better identify legitimate mailers from spammers. 2. bad emails instead of good ones. 3. Help protect their mailbox holders. Part 1: Getting to Know DMARC
- 4. DMARC Matters for Your Email Program Email is a powerful channel for generating revenue and building strong relationships with customers. Any company that relies on email to make money needs to ensure their program and customers are protected. This means taking proactive steps to block fraudulent and mailicious messages from reaching customers. Getting Started With DMARC page 4 | Share this: It is not a matter of if, but when cybercriminals will spoof your brand. DMARC provides a mechanism to help block phishing attacks on your valuable customers, which improves their overall experience with your brand. I’m a Marketer… Shouldn’t the Security Team Worry About DMARC? Phishing is a companywide responsibility. Both marketing and security teams need to care about DMARC as both teams have a vested interest. Marketers spend a lot of time and effort and resources in promoting brand awareness and email engagement. A phishing attack could destroy that in a matter of minutes. Security teams focus on protecting company assets. And the brands’ customer base is likely the largest asset the company has. Security teams need to partner with Marketing colleagues to protect valuable customers and the revenue generated through the email channel. Email brand protection is a joint imperative and both Marketing and Security teams have a shared interest in protecting the brand and customers from malicious email traffic.
- 5. 80 thousand 60% Getting Started With DMARC page 5 | Share this: DMARC Stats 100 million + Mailbox providers rejected hundreds of millions of messages each year because they failed the DMARC authentication check Over 80,000 domains have deployed domain-wide policies via the DMARC standard 60% of the top sending domains publishing policy come from companies DMARC.org DMARC protects almost two-thirds of the world’s consumer mailboxes and 80% of typical US customers– assuming both the sender and mailbox provider are implementing DMARC
- 6. How DMARC Got Started Problems with SPF and DKIM Since 2004, industry and Internet standards groups, senders, mailbox providers, and vendors (such as Return Path) have been working on establishing email authentication standards to prevent email fraud. Getting Started With DMARC page 6 | Share this: Adoption of these authentication standards, including SPF and DKIM, became widespread across the industry, dramatically reducing spammers’ ability to impersonate domains consumers trust. Even so, this industry consortium noticed a problem with the authentication process: the problem of what to do with unauthenticated mail. Private Communications Before DMARC was established, senders and receivers privately communicated what to do when authentication failed. In 2007, PayPal worked privately with Yahoo and Gmail -- telling them what to do with PayPal’s unauthenticated email. The results of this partnership were great: PayPal experienced a significant decrease in suspected fraudulent email. Though these private efforts were successful, they required a lot of manual coordination. The group streamlined the process and created a public standard to let everyone give directives to mailbox providers about what to do with unauthenticated mail. This standard became DMARC. Where DMARC Is Today Today, many of these same parties form an unincorporated working group at DMARC.org. The group is dedicated to developing Internet standards to reduce the threat of email phishing and improve coordination between mailbox providers and email senders. Part 2: History of DMARC
- 7. Getting Started With DMARC page 7 | Share this: How DMARC Solved Problems for SPF and DKIM Though SPF and DKIM helped reduce fraud, they did not turn out to be the silver bullet for phishing. Lack of standard use and enforcement by ISPs and the high risk of blocking legitimate email stalled progress. Problems with SPF and DKIM SPF works by publishing a record authorizing the IP addresses allowed to send on behalf of a domain. SPF does not survive email forwarding, so it can be easily broken. DKIM attempted to resolve this problem by cryptographically signing an email. Though DKIM survives forwarding and is difficult to forge, it is expensive and difficult to adopt due to the computational overhead, complexity, configuration errors, and more. DMARC to the Rescue DMARC resolves most of these issues by not only using both SPF and DKIM, but by providing reports on authentication failures and giving policy control to the sender on how to handle failures by doing nothing, quarantining the failure, or blocking it. As a result, SPF, DKIM and DMARC greatly reduce the false positive issue.
- 8. Getting Started With DMARC page 8 | Share this: DMARC lets senders indicate within their DNS record that their email is protected by SPF and/or DKIM -- and tells mailbox providers what to do if that authentication fails. DMARC doesn’t directly address whether or not an email is fraudulent. Instead, messages are considered aligned if the RFC 5322 DMARC record conforms to the domain In SPF’s case, the MFROM domain has to exactly match the organizational domain of the RFC5322 From domain. In DKIM’s case, the organizational domain of the d= value in the DKIM signature has to match the RFC5322 From domain. Only one the email to be considered in alignment. Relaxed vs. Strict Alignment Senders can specify a strict or relaxed alignment; relaxed alignment is the default. Relaxed alignment allows for partial matches between SPF and/or DKIM record(s) and the RFC 5322. For instance, subdomains of a given domain can be considered aligned. An example of relaxed alignment is: facebook.com and groups.facebook.com. Strict alignment requires exact matches. An example of strict alignment is: facebook.com and facebook.com. Part 3: How DMARC Works Why Does DMARC check the RFC5322 From Domain? The RFC5322 From domain (1) is highly visible (2) is the domain email users come into contact with most easily, (3) is one of the most-forged parts of the email body, (4) is the only one that is guaranteed to be present, and (5) is displayed by MUAs in a way that strongly suggests it is the true originator of the message. NOTE: An organizational domain is the brand or registered domain. For example, facebook.com is an organizational domain while groups.facebook.com is a sub-domain.
- 9. Who Uses Relaxed or Strict Alignment Relaxed alignment can be useful for senders who contract the handling of certain mail streams (such as bounce processing) to third-parties. These senders can both use third-parties and deploy DMARC without having any negative impact. Generally, financial institutions or other high-profile organizations may be most interested in strict alignment. Getting Started With DMARC page 9 | Share this: Reporting With DMARC, senders can receive reports that include data about authentication issues they are having with their email streams. This reporting feedback loop makes the email ecosystem a safer place by allowing senders and receivers to communicate automatically about potential abuse. Senders can choose to receive two types of reporting: aggregate and/or message-level (forensic). The reports include information to give senders insight into their authentication results so they can take action on any needed corrections, and calibrate an appropriate DMARC policy. Receivers will send aggregate reports for all emails. Receivers who support forensic reporting will send forensic reports only if either SPF or DKIM do not pass. These reports can be difficult to understand and an in-house solution to parse the data must be built or there are third-party solutions like Return Path that display the DMARC reporting data in an easy-to-use portal so that efforts can be focused on policy enforcement and correcting authentication issues.
- 10. Getting Started With DMARC page 10 | Share this: Before you start blocking suspected fraudulent messages, you need to gain visibility in to all of your company’s outbound mail streams. Conduct an audit to ensure that all IPs, domains, and sending environments are accounted for and are properly being authenticated. Aggregate and Forensic Reports Mailbox providers send both types of ruf:mailto= or rua:mailto= tags). 3 sections: Information about the mailbox provider that sent the report A description of your DMARC Record A summary of authentication results. Look for the areas that show neutral, none, or failed results. Forensic report are sent in AFRF or IODEF in the “rf” tag. By default, it’s AFRF. You’ll get per-message reports on individual messages that fail SPF and/or DKIM. Make sure you don’t click on any links. Use the email headers to help your investigation. Congratulations, you are about to join the elite group of top senders that have already published a DMARC policy. Follow the steps below to get started! 2 Open the email headers from the emails you send. Identify the following: • Return Path/MFrom/Envelope From domain • Friendly From domain • DKIM-Signature (look for the “d=” tag) Make sure the domains are aligned Part 4: Getting Started with DMARC 1 Identify and Authenticate Verify Alignment 3 Learn the DMARC tags There are numerous DMARC tags available, but you don’t have to use them all. Focus on the v, p, rua, and ruf tags. 4 Create an Entry Create an entry in DNS for the zone “v=DMARC1; p=none; rua=mailto:report@ example.com”
- 11. Getting Started With DMARC page 11 | Share this: 5 Set Policy to p=”none” Quarantine Though you can specify three types of policy: reject, quarantine, or none, set the mailbox providers not to take action if the DMARC check fails -- allowing you to work out any kinks with your records. Start collecting reports to see if anyone is to receive the daily aggregate reports using the rua tag from the mailbox providers by specifying your email address. Request aggregate reports in the beginning, (ruf ) challenging to fully understand due to the magnitude of data that is included. Senders can quickly get inundated with the DMARC reports. Return Path’s email brand protection solutions can help with both issues though data collection and reporting that can help you make sense of it. Go here for more information. that all of your outbound mail streams are authenticating properly, take the next step and set the DMARC DNS record ‘p=’ tag to “quarantine.” An example record is: “v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@auth.returnpath.net; ruf=mailto:dmarc_afrf@auth.returnpath.net” During this time, diligently check your reports within the Domain Secure solution user interface. errors, set the DMARC DNS record ‘p=’ tag to “reject.” An example DMARC record is: “v=DMARC1; p=reject; rua=mailto:dmarc_agg@auth.returnpath.net; ruf=mailto:dmarc_afrf@auth.returnpath.net” Place your domains on Return Path’s Registry. This instructs the mailbox providers to block suspected fraudulent messages. 6 Monitor 7 8 Block
- 12. Getting Started With DMARC page 12 | Share this: Part 5: What Next? Use Return Path to Analyze DMARC Though DMARC is a public standard, Return Path’s email brand protection solutions show the results of DMARC reporting in a format that is easy to read and understand so that you can focus on making important policy decisions on a domain by domain basis. The solution also analyzes and extracts data to identify trends, phishing outbreaks, authentication failures, and authentication failure resolutions. Enhance DMARC Data with Private Data Return Path receives more email data from major ISPs than anyone else in the world. Return Path email brand protection customers get access to this data, which provides the greatest visibility and insight available into email brand abuse. Use the Return Path Registry DMARC is not the only mechanism through which policy can be asserted. With either the Domain Protect or Domain Secure solution, clients can also choose to place their domains on Return Path’s Registry. Path publishes to mailbox providers in our private channel. The Registry allows Return Path clients to specify what they would like mailbox providers to do with their unauthenticated mail. Protect your brand and your customers from email brand abuse Do your part in the war against phishing and brand abuse by educating yourself on the full-spectrum of threats, the capabilities and limitations of DMARC, authenticating your outbound mail using SPF and DKIM, and working collaboratively with your marketing and security teams to implement DMARC as customers. Sources: http://googleonlinesecurity.blogspot.com/2013/12/internet-wide-efforts- to-fight-email.html http://www.returnpath.com/solution-content/dmarc-support/ http://www.techsneeze.com/how-parse-dmarc-reports https://github.com/linkedin/dmarc-msys/ https://github.com/thinkingserious/sendgrid-python-dmarc-parser http://www.trusteddomain.org/opendmarc/ http://landing.returnpath.com/dmarc
- 13. About Return Path Return Path is the worldwide leader in email intelligence. We analyze more data about email than anyone else in the world and use that data to power products that ensure that only emails people want and expect reach the inbox. Our industry-leading email intelligence solutions utilize the world’s most comprehensive set of data to maximize the performance and accountability of email, build trust across the entire email ecosystem and protect users from spam and other abuse. We help businesses build better relationships with their customers and improve their email ROI; and we help ISPs and other mailbox providers enhance network performance and drive customer retention. Information about Return Path can be found at: returnpath.com USA (Corporate Headquarters) rpinfo@returnpath.com Australia rpinfo-australia@returnpath.com United Kingdom rpinfo-uk@returnpath.com Brazil rpinfo-brazil@returnpath.com Canada rpinfo-canada@returnpath.com Germany rpinfo-germany@returnpath.com France rpinfo-france@returnpath.com