Getting Started With DMARC

Posted: 15-Jul-2015
Getting Started With DMARC page 3

Part 1: Getting to Know DMARC

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It lets email senders apply a policy to their sending domains that instructs mailbox providers on what to do if their email authentication (SPF and DKIM) fails — such as quarantine the message to the junk folder or reject the email outright from being delivered to the inbox holder (who is a joint customer of both the sender and the mailbox provider). It also provides senders with information about their sending infrastructure to help improve overall email governance and adherence to best practices.

domain threats, those attacks that are leveraging a domain you own and control, like phishing,

loss to both consumers and brands but also indirect costs associated with the loss of consumer trust and erosion of brand equity and reputation. Mailbox providers including Gmail, Yahoo!, AOL

Brands need to arm themselves with information and tools to protect their valuable customers

information to protect brands and consumers from direct-domain threats.

DMARC Helps Senders and Mailbox Providers

By using DMARC, senders:

1. Protect themselves and their customers from direct-domain threats.
2. Get valuable feedback about emails that don’t pass authentication.
3. Can instruct mailbox providers on how they should handle messages that fail authentication.

By using DMARC, mailbox providers:

1. Can better identify legitimate mailers from spammers.
2. bad emails instead of good ones.
3. Help protect their mailbox holders.

DMARC Matters for Your Email Program

Email is a powerful channel for generating revenue and building strong relationships with customers. Any company that relies on email to make money needs to ensure their program and customers are protected. This means taking proactive steps to block fraudulent and malicious messages from reaching customers.

It is not a matter of if, but when cybercriminals will spoof your brand. DMARC provides a mechanism to help block phishing attacks on your valuable customers, which improves their overall experience with your brand.

I’m a Marketer… Shouldn’t the Security Team Worry About DMARC?

Phishing is a companywide responsibility. Both marketing and security teams need to care about DMARC as both teams have a vested interest.

Marketers spend a lot of time, effort and resources in promoting brand awareness and email engagement. A phishing attack could destroy that in a matter of minutes.

Security teams focus on protecting company assets, and the brand’s customer base is likely the largest asset the company has. Security teams need to partner with Marketing colleagues to protect valuable customers and the revenue generated through the email channel.

Email brand protection is a joint imperative, and both Marketing and Security teams have a shared interest in protecting the brand and customers from malicious email traffic.

DMARC Stats

100 million+: Mailbox providers rejected hundreds of millions of messages each year because they failed the DMARC authentication check.

80 thousand: Over 80,000 domains have deployed domain-wide policies via the DMARC standard.

60%: 60% of the top sending domains publishing policy come from companies

DMARC.org

DMARC protects almost two-thirds of the world’s consumer mailboxes and 80% of typical US customers, assuming both the sender and mailbox provider are implementing DMARC.

Part 2: History of DMARC

How DMARC Got Started

Problems with SPF and DKIM

Since 2004, industry and Internet standards groups, senders, mailbox providers, and vendors (such as Return Path) have been working on establishing email authentication standards to prevent email fraud.

Adoption of these authentication standards, including SPF and DKIM, became widespread across the industry, dramatically reducing spammers’ ability to impersonate domains consumers trust.

Even so, this industry consortium noticed a problem with the authentication process: the problem of what to do with unauthenticated mail.

Private Communications

Before DMARC was established, senders and receivers privately communicated what to do when authentication failed.

In 2007, PayPal worked privately with Yahoo and Gmail, telling them what to do with PayPal’s unauthenticated email. The results of this partnership were great: PayPal experienced a significant decrease in suspected fraudulent email.

Though these private efforts were successful, they required a lot of manual coordination. The group streamlined the process and created a public standard to let everyone give directives to mailbox providers about what to do with unauthenticated mail. This standard became DMARC.

Where DMARC Is Today

Today, many of these same parties form an unincorporated working group at DMARC.org. The group is dedicated to developing Internet standards to reduce the threat of email phishing and improve coordination between mailbox providers and email senders.

How DMARC Solved Problems for SPF and DKIM

Though SPF and DKIM helped reduce fraud, they did not turn out to be the silver bullet for phishing. Lack of standard use and enforcement by ISPs and the high risk of blocking legitimate email stalled progress.

Problems with SPF and DKIM

SPF works by publishing a record authorizing the IP addresses allowed to send on behalf of a domain. SPF does not survive email forwarding, so it can be easily broken. DKIM attempted to resolve this problem by cryptographically signing an email. Though DKIM survives forwarding and is difficult to forge, it is expensive and difficult to adopt due to the computational overhead, complexity, configuration errors, and more.

DMARC to the Rescue

DMARC resolves most of these issues by not only using both SPF and DKIM, but by providing reports on authentication failures and giving policy control to the sender on how to handle failures by doing nothing, quarantining the failure, or blocking it. As a result, SPF, DKIM and DMARC greatly reduce the false positive issue.

Part 3: How DMARC Works

DMARC lets senders indicate within their DNS record that their email is protected by SPF and/or DKIM, and tells mailbox providers what to do if that authentication fails.

DMARC doesn’t directly address whether or not an email is fraudulent. Instead, messages are considered aligned if the RFC 5322

DMARC record conforms to the domain

In SPF’s case, the MFROM domain has to exactly match the organizational domain of the RFC5322 From domain. In DKIM’s case, the organizational domain of the d= value in the DKIM signature has to match the RFC5322 From domain. Only one

the email to be considered in alignment.

Relaxed vs. Strict Alignment

Senders can specify a strict or relaxed alignment; relaxed alignment is the default.

Relaxed alignment allows for partial matches between SPF and/or DKIM record(s) and the RFC 5322 From domain. For instance, subdomains of a given domain can be considered aligned. An example of relaxed alignment is: facebook.com and groups.facebook.com.

Strict alignment requires exact matches. An example of strict alignment is: facebook.com and facebook.com.

Why Does DMARC Check the RFC5322 From Domain?

The RFC5322 From domain (1) is highly visible, (2) is the domain email users come into contact with most easily, (3) is one of the most-forged parts of the email body, (4) is the only one that is guaranteed to be present, and (5) is displayed by MUAs in a way that strongly suggests it is the true originator of the message.

NOTE: An organizational domain is the brand or registered domain. For example, facebook.com is an organizational domain while groups.facebook.com is a sub-domain.
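The alignment rules above, worked through as an added example (this is not code from the guide or from Return Path): it derives the organizational domain, compares identifiers in relaxed or strict mode, and reads the mode from the aspf/adkim tags of a DMARC record. The public-suffix table is a tiny constructed stand-in for the real Public Suffix List.

```python
"""DMARC identifier alignment, as an added example (not code from the guide).

Assumption: organizational domains come from the tiny constructed public-suffix
table below, not the full Public Suffix List a production checker would use."""

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registered domain = public suffix plus one label, e.g. groups.facebook.com -> facebook.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Candidates are tried longest first, so "co.uk" is matched before "uk" could be.
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    return domain.lower()


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Does an authenticated identifier (SPF MAIL FROM or DKIM d=) align with the
    RFC5322.From domain?  "r" (relaxed, the default) compares organizational
    domains; "s" (strict) demands an exact match."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def parse_dmarc_record(record: str) -> dict:
    """Split a TXT record such as 'v=DMARC1; p=none; rua=mailto:r@example.com' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, record):
    """Per RFC 7489, DMARC passes when at least one of SPF or DKIM both passes and
    aligns; the record's aspf/adkim tags select relaxed (default) or strict mode."""
    tags = parse_dmarc_record(record)
    spf_ok = bool(spf_pass and is_aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok, "policy": tags.get("p", "none")}
```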

Who Uses Relaxed or Strict Alignment

Relaxed alignment can be useful for senders who contract the handling of certain mail streams (such as bounce processing) to third parties. These senders can both use third parties and deploy DMARC without having any negative impact.

Generally, financial institutions or other high-profile organizations may be most interested in strict alignment.

Reporting

With DMARC, senders can receive reports that include data about authentication issues they are having with their email streams. This reporting feedback loop makes the email ecosystem a safer place by allowing senders and receivers to communicate automatically about potential abuse.

Senders can choose to receive two types of reporting: aggregate and/or message-level (forensic). The reports include information to give senders insight into their authentication results so they can take action on any needed corrections, and calibrate an appropriate DMARC policy.

Receivers will send aggregate reports for all emails. Receivers who support forensic reporting will send forensic reports only if either SPF or DKIM do not pass.

These reports can be difficult to understand: an in-house solution to parse the data must be built, or there are third-party solutions like Return Path that display the DMARC reporting data in an easy-to-use portal so that efforts can be focused on policy enforcement and correcting authentication issues.

Part 4: Getting Started with DMARC

Congratulations, you are about to join the elite group of top senders that have already published a DMARC policy. Follow the steps below to get started!

1. Identify and Authenticate

Before you start blocking suspected fraudulent messages, you need to gain visibility into all of your company’s outbound mail streams. Conduct an audit to ensure that all IPs, domains, and sending environments are accounted for and are properly being authenticated.

2. Verify Alignment

Open the email headers from the emails you send. Identify the following:

• Return Path/MFrom/Envelope From domain
• Friendly From domain
• DKIM-Signature (look for the “d=” tag)

Make sure the domains are aligned.

3. Learn the DMARC Tags

There are numerous DMARC tags available, but you don’t have to use them all. Focus on the v, p, rua, and ruf tags.

4. Create an Entry

Create an entry in DNS for the zone

“v=DMARC1; p=none; rua=mailto:report@example.com”

Aggregate and Forensic Reports

Mailbox providers send both types of

ruf=mailto: or rua=mailto: tags).

3 sections:

• Information about the mailbox provider that sent the report
• A description of your DMARC record
• A summary of authentication results. Look for the areas that show neutral, none, or failed results.

Forensic reports are sent in AFRF or IODEF in the “rf” tag. By default, it’s AFRF.

You’ll get per-message reports on individual messages that fail SPF and/or DKIM. Make sure you don’t click on any links. Use the email headers to help your investigation.
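The three report sections described above (reporter, published record, authentication results), read out of an aggregate report as an added example that is not code from the guide or from Return Path. The XML is a constructed sample in the RFC 7489 aggregate-report schema; the reporter name, source IPs (documentation ranges) and counts are made up.

```python
"""Parse a DMARC aggregate (rua) report, as an added example (not code from the guide).

The XML is a constructed sample following the RFC 7489 aggregate-report
schema; the reporter name, IPs (documentation ranges) and counts are made up."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mbp.example</org_name><report_id>1001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Pull the three sections the guide describes: reporter, published policy, results.
    Rows whose aligned dkim and spf results both fail are collected for review."""
    root = ET.fromstring(xml_text)
    meta, policy = root.find("report_metadata"), root.find("policy_published")
    summary = {"reporter": meta.findtext("org_name"), "domain": policy.findtext("domain"),
               "policy": policy.findtext("p"), "total": 0, "aligned": 0, "failing": []}
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        dkim, spf = evaluated.findtext("dkim"), evaluated.findtext("spf")
        summary["total"] += count
        if dkim == "pass" or spf == "pass":  # DMARC passes if either identifier aligns
            summary["aligned"] += count
        else:
            summary["failing"].append({"source_ip": row.findtext("source_ip"), "count": count,
                                       "dkim": dkim, "spf": spf,
                                       "disposition": evaluated.findtext("disposition")})
    return summary
```

With p=none the failing row is only reported, not quarantined or rejected; it is exactly the kind of row to investigate before moving the policy forward.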

5. Set Policy to p=“none”

Though you can specify three types of policy: reject, quarantine, or none, set the

mailbox providers not to take action if the DMARC check fails, allowing you to work out any kinks with your records.

6. Monitor

Start collecting reports to see if anyone is

to receive the daily aggregate reports using the rua tag from the mailbox providers by specifying your email address.

Request aggregate reports in the beginning,

(ruf) challenging to fully understand due to the magnitude of data that is included.

Senders can quickly get inundated with the DMARC reports. Return Path’s email brand protection solutions can help with both issues through data collection and reporting that can help you make sense of it. Go here for more information.

7. Quarantine

that all of your outbound mail streams are authenticating properly, take the next step and set the DMARC DNS record ‘p=’ tag to “quarantine.”

An example record is: “v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]”

During this time, diligently check your reports within the Domain Secure solution user interface.

8. Block

errors, set the DMARC DNS record ‘p=’ tag to “reject.”

An example DMARC record is: “v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]”

Place your domains on Return Path’s Registry. This instructs the mailbox providers to block suspected fraudulent messages.

Part 5: What Next?

Use Return Path to Analyze DMARC

Though DMARC is a public standard, Return Path’s email brand protection solutions show the results of DMARC reporting in a format that is easy to read and understand so that you can focus on making important policy decisions on a domain by domain basis.

The solution also analyzes and extracts data to identify trends, phishing outbreaks, authentication failures, and authentication failure resolutions.

Enhance DMARC Data with Private Data

Return Path receives more email data from major ISPs than anyone else in the world. Return Path email brand protection customers get access to this data, which provides the greatest visibility and insight available into email brand abuse.

Use the Return Path Registry

DMARC is not the only mechanism through which policy can be asserted. With either the Domain Protect or Domain Secure solution, clients can also choose to place their domains on Return Path’s Registry.

Path publishes to mailbox providers in our private channel. The Registry allows Return Path clients to specify what they would like mailbox providers to do with their unauthenticated mail.

Protect your brand and your customers from email brand abuse

Do your part in the war against phishing and brand abuse by educating yourself on the full spectrum of threats, the capabilities and limitations of DMARC, authenticating your outbound mail using SPF and DKIM, and working collaboratively with your marketing and security teams to implement DMARC as

customers.


About Return Path

Return Path is the worldwide leader in email intelligence. We analyze more data about email than anyone else in the world and use that data to power products that ensure that only emails people want and expect reach the inbox. Our industry-leading email intelligence solutions utilize the world’s most comprehensive set of data to maximize the performance and accountability of email, build trust across the entire email ecosystem and protect users from spam and other abuse. We help businesses build better relationships with their customers and improve their email ROI; and we help ISPs and other mailbox providers enhance network performance and drive customer retention. Information about Return Path can be found at: returnpath.com
