What is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

I have tested eight Polish government domains to identify the potential lack of DMARC implementation.

  • National Public Prosecutor’s Office
  • Polish Post Office
  • Polish Police
  • Polish President
  • Polish Cyber Military
  • Anti Corruption Unit
  • Ministry of National Defence
  • Polish Intelligence Agency

The results:

As the results show, mail from all but one of these domains can easily be spoofed because the DMARC policy is set to p=none, so an attacker can send phishing emails that look legitimate to the targets.

Only the Polish Intelligence Agency domain had its DMARC policy set to p=quarantine, so my spoofed email landed in the spam folder.

DNS record

v=DMARC1; p=quarantine; rua=mailto:soc@aw.gov.pl; ruf=mailto:soc@aw.gov.pl; aspf=s; adkim=s;

However, for the best protection against spoofing the DMARC policy should be set to p=reject.

Some of the tested domains also lack SPF/DKIM.

DMARC policies

Policy — The policy you select in your DMARC record tells the participating recipient email server what to do with mail that doesn’t pass SPF and DKIM but claims to be from your domain. In most of the tested domains above, the policy is set to “none.” There are 3 types of policies you can set:

  1. p=none — Tell the receiver to perform no actions against unqualified mail, but still send email reports to the mailto: in the DMARC record for any infractions.
  2. p=quarantine — Tell the receiver to quarantine unqualified mail, which generally means “send this directly to the spam folder.”
  3. p=reject — Tell the receiver to completely deny any unqualified mail for the domain. With this enabled, only mail that is verified as 100% being signed by your domain will even have a chance at the inbox. Any mail that does not pass is blackholed — not bounced — so there’s no way to catch false positives.
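As an added example (not code from the post), the following Python checker parses a DMARC TXT record such as the aw.gov.pl record quoted above and reports how far it is from the p=reject setting the post recommends. The "weak" and "hardened" records, the example.com addresses and the verdict labels are constructed here; the tag defaults follow RFC 7489.

```python
"""Parse a DMARC TXT record and rate how much protection it gives against direct domain spoofing."""

from typing import Dict, List

# Sample records. "observed" is the aw.gov.pl record quoted in the post; "weak" and
# "hardened" are constructed here (example.com addresses) to show the ends of the scale.
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "observed": "v=DMARC1; p=quarantine; rua=mailto:soc@aw.gov.pl; ruf=mailto:soc@aw.gov.pl; aspf=s; adkim=s;",
    "hardened": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s",
}

# Defaults a receiver applies to absent tags (RFC 7489 section 6.3)
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and fill in RFC defaults.

    Raises ValueError for a record a receiver would ignore outright:
    v=DMARC1 not the first tag, or p= missing or invalid.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in the observed record
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if not tags and (name != "v" or value.upper() != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[name] = value
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError("p= missing or invalid; receivers treat the record as absent")
    for tag, default in DEFAULTS.items():
        tags.setdefault(tag, default)
    tags["p"] = policy
    tags["sp"] = tags.get("sp", policy).lower()  # subdomain policy inherits p= when absent
    return tags


def assess(record: str) -> Dict[str, object]:
    """Return a verdict plus the gaps a domain owner would want to close."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags["pct"])  # a non-numeric pct raises; treat that as a broken record
    findings: List[str] = []

    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail reaches the spam folder; p=reject is the stronger setting")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if POLICIES.index(tags["sp"]) < POLICIES.index(policy):
        findings.append(f"sp={tags['sp']}: subdomains get a weaker policy than the domain itself")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing and misconfiguration go unseen")
    for tag in ("aspf", "adkim"):
        if tags[tag].lower() != "s":
            findings.append(f"{tag}=r: relaxed alignment also accepts authentication by sibling and subdomains")

    if policy == "none" or pct == 0:
        verdict = "spoofable"
    elif policy == "quarantine":
        verdict = "quarantined"
    elif pct < 100:
        verdict = "partial"
    else:
        verdict = "enforced"
    return {"policy": policy, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess(rec)
        print(f"{name:9} -> {result['verdict']}")
        for finding in result["findings"]:
            print("    -", finding)
```

Running it rates the "weak" record as spoofable, the observed aw.gov.pl record as quarantined with one remaining gap (p=quarantine rather than p=reject), and the constructed "hardened" record as enforced with nothing left to fix.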

So why is DMARC important?

With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more.

Email is easy to spoof, and criminals have found spoofing to be a proven way to exploit user trust in well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.

Users can’t tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.

DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.

What is DMARC, and how does it combat phishing?

DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spam and phishing messages and keep them out of people’s inboxes.

DMARC is a proposed standard that allows email senders and receivers to cooperate in sharing information about the email they send to each other. This information helps senders improve the mail authentication infrastructure so that all their mail can be authenticated. It also gives the legitimate owner of an Internet domain a way to request that illegitimate messages — spoofed spam, phishing — be put directly in the spam folder or rejected outright.

Does DMARC block all types of phishing attacks?

No. DMARC is only designed to protect against direct domain spoofing. If the owners/operators of example.com use DMARC to protect that domain, it would have no effect on otherdomain.com or example.net (notice the “.net” vs. “.com”).

While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address cousin domain attacks (i.e. sending from a domain that looks like the target being abused — e.g. exampl3.com vs. example.com), or display name abuse (i.e. modifying the “From” field to look as if it comes from the target being abused).

What type of illegitimate email does DMARC address?

DMARC is designed to protect against direct domain spoofing. When an email is sent by an unauthorized sender (whether it is sent by a malicious actor, or even an unauthorized or non-participating department of the company that owns/operates the domain), DMARC can be used to detect the unauthorized activity and (if so configured) request that those messages be blocked or discarded when they are received.

How does DMARC work, briefly, and in non-technical terms?

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes — such as junk or reject the message. DMARC removes the guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
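As an added example (not code from the post), here is the receiver side of the process just described, in Python: given the SPF and DKIM results it already holds, a receiver checks whether either one is aligned with the From: domain under the record's aspf/adkim mode and then applies the p= policy. The AuthResults structure, the example.com scenarios and the two-label organizational-domain shortcut are assumptions made here.

```python
"""Apply a parsed DMARC policy to the SPF and DKIM results a receiver already holds."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AuthResults:
    """What the receiver knows about one message before DMARC runs (constructed for the example)."""
    from_domain: str                 # domain in the visible From: header (RFC5322.From)
    spf_result: str                  # "pass", "fail" or "none"
    spf_domain: str                  # domain SPF was evaluated against (RFC5321.MailFrom)
    dkim_domains: List[str] = field(default_factory=list)  # d= of every signature that verified


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. Real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(results: AuthResults, policy: Dict[str, str]) -> Dict[str, object]:
    """DMARC passes if at least one of SPF or DKIM passed AND is aligned with From:."""
    spf_aligned = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(aligned(d, results.from_domain, policy.get("adkim", "r"))
                       for d in results.dkim_domains)
    passed = spf_aligned or dkim_aligned
    if passed:
        disposition = "deliver"
    elif policy["p"] in ("quarantine", "reject"):
        disposition = policy["p"]
    else:
        disposition = "deliver"  # p=none: monitoring only, the failure is reported but mail is delivered
    return {"dmarc": "pass" if passed else "fail", "disposition": disposition,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


# Constructed scenarios, all claiming From: example.com
SCENARIOS = {
    # the domain's own mail server: SPF and DKIM both pass for the exact domain
    "legitimate": AuthResults("example.com", "pass", "example.com", ["example.com"]),
    # a spoofer: SPF passes, but only for a domain the spoofer controls; no DKIM for example.com
    "spoofed": AuthResults("example.com", "pass", "mailer.example.net", []),
    # a newsletter subdomain signing with its own key: aligned only under relaxed adkim
    "subdomain-signed": AuthResults("example.com", "fail", "bulk.example.net", ["news.example.com"]),
}


def run_scenarios(policy: Dict[str, str]) -> Dict[str, str]:
    """Disposition per scenario under one policy, e.g. the p=none most tested domains used."""
    return {name: dmarc_disposition(r, policy)["disposition"] for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        print(f"p={p}: {run_scenarios({'p': p, 'aspf': 's', 'adkim': 's'})}")
```

Under p=none the spoofed scenario is still delivered, which is the position most of the tested domains were in; the same message is quarantined or rejected once p= is raised, while the legitimate message is delivered under every policy. The subdomain-signed case shows why aspf=s/adkim=s in the aw.gov.pl record matters: it passes under the relaxed default but fails under strict alignment.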
