
A CISO’s guide to DMARC

Posted : 11 June 2024

Posted In : Blogs

Written by:

Andrew Dansie, Security Solutions Architect

The UK Government's Cyber Security Breaches Survey found that around 40% of UK businesses had identified a cyber-attack in the previous 12 months, and that the vast majority of those attacks arrived by email, with 87% of affected businesses experiencing a phishing attack and 27% an impersonation attack. Weak email authentication, domain spoofing, phishing and social engineering, and a lack of employee awareness all make email-borne threats harder to guard against. DMARC addresses one specific part of that problem: it lets receiving mail servers quarantine or reject messages that claim to come from your exact domain but were not sent by you or by a sender you have authorised. It does not help against lookalike domains or display-name spoofing, so it complements user awareness and filtering rather than replacing them. Getting DMARC right also reduces false positives, because properly authenticated mail from your domain is less likely to be marked as spam.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance (RFC 7489). It is a policy that a domain owner publishes as a DNS TXT record at _dmarc.<yourdomain>. The record tells receiving mail servers how to treat a message whose visible From: address uses your domain when that message fails authentication, and where to send reports about the mail they see claiming to be from you. A message passes DMARC only when SPF or DKIM passes and the domain that passed aligns with the From: domain. That alignment check is what lets DMARC signal to recipients that mail from your domain is genuinely yours.

Proving your email's legitimacy matters more than you might think, because your sending reputation follows your domain. When you send emails, you want them to be received and trusted by the recipients. DMARC helps receivers confirm that your messages are legitimate and increases the likelihood that they reach inboxes rather than spam folders. An increasing number of mailbox providers now require a DMARC record, particularly from bulk senders: in 2024 Google and Yahoo began requiring senders of roughly 5,000 or more messages a day to publish at least a p=none DMARC policy and to have SPF or DKIM aligned with the From: domain.

So, if you want to ensure mail delivery, you need to ensure that DMARC is correctly set up for your domain.

DMARC, SPF and DKIM

DMARC builds on two older DNS-published mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Each of them authenticates something other than the address the user actually sees, and DMARC closes that gap by tying their results to the From: header and adding a policy and reporting on top. SPF has been in use for nearly 20 years and is documented in RFC 7208, but it has well-known limitations. The two biggest are forwarding and the cap on DNS lookups when resolving a record.

SPF checks the IP address of the connecting server against the record published for the envelope sender (MAIL FROM, or Return-Path) domain. A forwarder relays the message from its own IP address, which is not in your record, so SPF fails and the forwarded message may be rejected downstream. Note also that SPF never looks at the visible From: header, which is why DMARC's alignment requirement matters.

RFC 7208 limits SPF evaluation to 10 terms that require DNS lookups (include, a, mx, ptr, exists and the redirect modifier). A record that exceeds the limit produces a permanent error, which DMARC counts as an SPF failure. When mail came from an on-premises server or a single small ISP this was rarely a concern, but with several cloud services each contributing an include: the limit is easily reached, especially because the lookups inside nested includes count too. Best practice is to validate your SPF record whenever you add a sender. SendMarc has a useful service that we use called SPF Lookup Tool.
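To make the lookup limit concrete, here is an added example that walks an SPF record and its nested includes, charging one lookup per qualifying term exactly as RFC 7208 section 4.6.4 does. It is not code from the original post and is not SendMarc's tool. DNS is replaced by FAKE_DNS, a constructed table of made-up domains and records, so it runs offline; point count_lookups() at a real TXT resolver to use it on a live domain.

```python
"""Count the DNS lookups an SPF record needs; RFC 7208 section 4.6.4 allows at most 10.

Added example, not from the original post and not SendMarc's tool. DNS is replaced
by FAKE_DNS, a constructed table of made-up domains and records, so it runs offline.
"""
import re

# Each of these terms costs one lookup toward the limit; ip4, ip6 and all are free.
# (The A lookups done for hosts returned by mx have their own separate cap.)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for DNS TXT answers (domain -> SPF record).
FAKE_DNS = {
    "example.com": "v=spf1 mx include:_spf.saas-a.example include:_spf.saas-b.example a:web.example.com -all",
    "_spf.saas-a.example": "v=spf1 include:pool1.saas-a.example include:pool2.saas-a.example ~all",
    "pool1.saas-a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "pool2.saas-a.example": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "_spf.saas-b.example": "v=spf1 include:relay.saas-b.example exists:%{i}._spf.saas-b.example -all",
    "relay.saas-b.example": "v=spf1 ip6:2001:db8::/32 mx -all",
}


def fake_resolver(domain):
    """Stand-in for a TXT lookup: returns the SPF record or None."""
    return FAKE_DNS.get(domain)


def spf_terms(record):
    """Split a record into its terms after checking the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]


def count_lookups(domain, resolve=fake_resolver, _path=()):
    """Return (total, trail): lookups charged for domain and everything it pulls in.

    trail lists each charged term with the record it came from, which is what you
    need when deciding which include: to flatten or drop.
    """
    if domain in _path:
        # A real evaluator returns permerror on include loops; stop counting here.
        return 0, [f"{domain}: include loop"]
    record = resolve(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record"]
    total, trail = 0, []
    for term in spf_terms(record):
        body = term.lstrip("+-~?")                     # drop the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        trail.append(f"{domain}: {term}")
        if name in ("include", "redirect"):           # these pull in another record
            target = re.split(r"[:=]", body, maxsplit=1)[1]
            sub_total, sub_trail = count_lookups(target, resolve, _path + (domain,))
            total += sub_total
            trail.extend(sub_trail)
    return total, trail


def over_limit(domain, resolve=fake_resolver, limit=10):
    """True when the record tree needs more lookups than RFC 7208 permits."""
    return count_lookups(domain, resolve)[0] > limit


if __name__ == "__main__":
    total, trail = count_lookups("example.com")
    print(f"example.com needs {total} DNS lookups (limit 10)")
    for line in trail:
        print("  " + line)
```

In the constructed data, example.com itself only has four lookup terms, but the two SaaS includes bring in seven more, for 11 in total. The trail shows where each lookup is charged, which is the information you need to decide whether to flatten an include into ip4/ip6 ranges or drop a sender that no longer mails for you.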

DKIM can be similarly ‘broken’ when a forwarding service or mailing list modifies the message, for example by adding a footer or a subject tag, because the signature no longer matches the content. DNS failures when fetching the public key and a range of other problems can also cause DKIM to fail, although in practice you are more likely to see SPF failures than DKIM failures. DMARC helps overcome these shortcomings when properly configured: a message is treated as authenticated if either SPF or DKIM passes and the passing domain aligns with the From: domain, so a forwarded message whose DKIM signature survives intact still passes DMARC even though SPF has failed.

DMARC Configuration and Reports

So what does DMARC do? The p= tag in the DMARC record tells the receiving mail server how you would like messages that fail DMARC to be treated: take no action based on DMARC (p=none), deliver to spam or quarantine (p=quarantine), or refuse delivery (p=reject).

Another option is to ask receivers to send you reports by email. There are two kinds:

  • Aggregate reports (rua= tag): a summary of the mail a receiver saw claiming to be from your domain, broken down by sending IP address with SPF, DKIM and alignment results and the disposition applied. These are typically sent every 24 hours; the ri= tag can request another interval, although receivers are not obliged to honour it.
  • Forensic or failure reports (ruf= tag): a per-message report for each failure, which is very useful when first setting up DMARC. Be aware that many large mailbox providers do not send them at all, and those that do may include message headers or content, so the mailbox that receives them needs appropriate access controls.

Reporting is one of the most useful features of DMARC, both while you are first configuring it and for ongoing review of who is sending on your behalf. On the downside, aggregate reports arrive as compressed XML attachments, which are not particularly user friendly to read by hand.
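Reading the XML yourself is the quickest way to understand what a DMARC portal is summarising for you. The following added example, which is not from the original post or from SendMarc, parses the aggregate report format defined in RFC 7489 Appendix C and totals passes and failures by source. SAMPLE_REPORT is a constructed report with made-up reporter, IP addresses and counts; a real report arrives gzipped or zipped and must be decompressed first.

```python
"""Parse a DMARC aggregate report (RFC 7489 Appendix C XML) and summarise it.

Added example, not from the original post. SAMPLE_REPORT is constructed: the
reporter, IP addresses, counts and domains are made up for illustration.
"""
import xml.etree.ElementTree as ET

# Reports come from third parties. For untrusted XML in production, use
# defusedxml.ElementTree, which provides the same fromstring() call.

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>1718064000.1</report_id>
    <date_range><begin>1717977600</begin><end>1718064000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- your own mail server: SPF and DKIM pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- third-party bulk sender: its own SPF passes but is not aligned, and it signs nothing for you -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- forwarder: SPF breaks on the new IP, DKIM survives, DMARC passes -->
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return the reporter, the policy the receiver saw, and one dict per <record>.

    policy_evaluated/dkim and /spf are the *aligned* results: 'pass' only when the
    mechanism passed for a domain aligned with header_from. auth_results holds the
    raw results, so an SPF pass for someone else's domain shows as raw pass, aligned fail.
    """
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned,
            "raw_spf_domain": rec.findtext("auth_results/spf/domain"),
            "raw_spf_result": rec.findtext("auth_results/spf/result"),
            "raw_dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "p": root.findtext("policy_published/p"),
        "records": records,
    }


def summarise(report):
    """Message totals plus the sources worth a closer look.

    failing_sources: DMARC failed outright.
    unaligned_spf_sources: SPF passed, but for a domain other than yours, the
    typical signature of a forwarder or of a third-party sender not yet set up
    with DKIM and an aligned return-path.
    """
    recs = report["records"]
    return {
        "passed": sum(r["count"] for r in recs if r["dmarc_pass"]),
        "failed": sum(r["count"] for r in recs if not r["dmarc_pass"]),
        "failing_sources": sorted(r["source_ip"] for r in recs if not r["dmarc_pass"]),
        "unaligned_spf_sources": sorted(
            r["source_ip"] for r in recs if r["raw_spf_result"] == "pass" and not r["spf_aligned"]
        ),
    }
```

In the constructed report the 35 failing messages come from bulk-sender.example, whose own SPF passes but does not align with example.com and which does not DKIM-sign for the domain; under p=none they were still delivered. The forwarder at 203.0.113.5 shows the point made above about DKIM surviving where SPF does not. Under p=quarantine or p=reject, the bulk sender's mail would start being held or refused, which is exactly what you want to discover from the reports before moving the policy.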

Please also note that the receiving server is not obliged to comply with your DMARC request. It can still deliver a message when you have asked for reject, and it can ignore the request for reports; a DMARC policy is a request to the receiver, not a guarantee.

So what else is available in the DMARC record? RFC 7489 defines 11 tags: v (version, always DMARC1 and always first), p (policy), sp (policy for subdomains, defaulting to p), pct (percentage of failing mail the policy is applied to), adkim and aspf (strict or relaxed alignment for DKIM and SPF), rua and ruf (where to send aggregate and failure reports), fo (failure reporting options), rf (report format) and ri (requested aggregate report interval).
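The alignment requirement described in the SPF and DKIM section and the tags listed above come together in the receiver's decision. The following added example, not code from the original post or from SendMarc, parses a DMARC record into its tags with the RFC 7489 defaults filled in and then evaluates DMARC for a few messages: a direct send, a forwarded message, a mailing-list copy, a spoof from a subdomain, and a strict-alignment case. The org_domain() helper is a deliberate simplification that keeps the last two labels; real implementations consult the Public Suffix List.

```python
"""DMARC record parsing and identifier alignment (RFC 7489 sections 3.1, 6.3 and 6.6).

Added example, not from the original post. It shows why "SPF or DKIM passes" is only
half the DMARC test: the passing identifier must also align with the From: domain.
org_domain() is a stated simplification; production code uses the Public Suffix List.
"""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into tags, validate the essentials, fill in defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag and a valid p= tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    for name, value in DEFAULTS.items():
        tags.setdefault(name, value)
    tags.setdefault("sp", tags["p"])        # subdomain policy inherits p when absent
    tags["pct"] = int(tags["pct"])
    tags["ri"] = int(tags["ri"])
    return tags


def org_domain(domain):
    """Organisational domain used by relaxed alignment.

    ASSUMPTION: keeps the last two labels. Correct for example.com-style names,
    wrong for example.co.uk, which the Public Suffix List handles properly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organisational domain."""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return header_from == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_result(policy, policy_domain, header_from, spf, dkim):
    """Evaluate DMARC for one message and return (result, requested_disposition).

    spf  = (result, mail_from_domain) as produced by the receiver's SPF check
    dkim = (result, d=domain) for the signature the receiver verified, or None if unsigned
    pct= sampling is not modelled: every failing message is treated as selected.
    """
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(header_from, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failing mail from the policy domain itself gets p=; mail from a subdomain gets sp=.
    disposition = policy["p"] if header_from.lower() == policy_domain.lower() else policy["sp"]
    return "fail", disposition


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.com; fo=1")
    cases = {
        "direct send":    ("example.com",    ("pass", "bounces.example.com"), ("pass", "example.com")),
        "forwarded":      ("example.com",    ("fail", "example.com"),         ("pass", "example.com")),
        "mailing list":   ("example.com",    ("pass", "list.example"),        ("fail", "example.com")),
        "spoofed subdom": ("hr.example.com", ("pass", "attacker.example"),    None),
    }
    for label, (frm, spf, dkim) in cases.items():
        print(f"{label:15} -> {dmarc_result(policy, 'example.com', frm, spf, dkim)}")
```

The mailing-list case is the one that surprises people: SPF genuinely passes, but for the list's own domain, so it contributes nothing, and the modified body has broken the DKIM signature, so the message fails DMARC and is rejected. The spoof from hr.example.com fails for the same reason and picks up the sp=quarantine policy rather than p=reject, which is why a subdomain policy weaker than the main one deserves a second look.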

DMARC-as-a-Service

DMARC can be a little complicated to implement and this complexity, I believe, has contributed to its historically slow adoption. As a result, there’s been a rise in companies specialising in DMARC, offering setup assistance and user-friendly portal services. There are many companies to choose from. At Softwerx, we’ve partnered with SendMarc.

SendMarc simplifies and accelerates the DMARC setup process. After setting up your domain(s) the ‘Smart Import’ function will import your current DNS DMARC and SPF settings. DKIM keys can also be imported with some limitations that may need manual interaction. The settings will be checked and suggestions made on how to improve them.

You can also delegate the DNS records for DMARC, SPF and DKIM to SendMarc so that updates to the records can be applied automatically. You don't need to do this if you prefer to keep control at your DNS provider, and it is worth remembering that delegation hands a third party control over the records that authenticate your mail, so it is a trust decision as much as a convenience; that said, it is a good option for many organisations.

The end goal for DMARC is the ‘reject’ policy, but don't be too hasty. Start at p=none and use the reports to find every legitimate source, then move to p=quarantine and finally to p=reject over a number of weeks so that the transition is smooth. The pct= tag lets you apply the stricter policy to a sample of failing mail first (pct=25, for example) and ramp up as the reports stay clean.

Each of these settings still generates reports, so you can validate and adjust your records as you go, with prompts to nudge you in the right direction.

The SendMarc Dashboard provides an overview for a selectable time frame, and from there you can dig deeper into the reports. DKIM and SPF passes and failures are logged per sending source, which helps you identify sources that should be authorised as well as those that should be blocked but are not yet. This is especially useful during the initial setup, before moving to the ‘reject’ stage.

Each source can be explored further, and drilling down into an individual IP address gives more detail. Finally, if you turn on forensic reporting, a lot more detail is available per message.

Other services to complement DMARC

Beyond SPF, DKIM and DMARC there are other protocols that you should investigate.

ARC, the Authenticated Received Chain (RFC 8617), complements DMARC by addressing the intermediary problem: a forwarding service or mailing list breaks SPF by changing the source IP address and often breaks DKIM by modifying the message, so the final receiver sees a DMARC failure. With ARC, each intermediary signs and records the authentication results it observed when the message reached it. The final receiver can then see that the message passed DMARC before the intermediary touched it and may choose to trust that chain rather than reject the mail.

Then there is BIMI, Brand Indicators for Message Identification. BIMI lets participating mailbox providers display your logo alongside your messages, giving recipients a visual indicator that the mail was authenticated and strengthening brand recognition. It works together with DMARC, DKIM and SPF; in fact BIMI requires your domain to be at DMARC enforcement (p=quarantine or p=reject, with pct=100), and some providers, Gmail among them, additionally require a certificate for the logo (a Verified Mark Certificate). The protection against spoofing therefore comes mostly from the DMARC enforcement that BIMI insists on; BIMI itself is primarily a brand-visibility tool. And, yes, SendMarc can host the records for you.

MTA-STS, SMTP MTA Strict Transport Security (RFC 8461), addresses transport rather than authentication. SMTP has supported TLS via STARTTLS for many years, but it is opportunistic: a sending server falls back to plaintext if TLS is not offered, and an attacker on the path can strip the STARTTLS offer. With MTA-STS, the receiving domain publishes a policy (a DNS TXT record at _mta-sts.<domain> plus a policy file served over HTTPS) announcing that its mail servers support TLS and, in enforce mode, instructing senders to refuse delivery to hosts that do not offer TLS with a trusted certificate. The companion TLS-RPT standard (RFC 8460) lets you receive reports when senders fail to connect securely. This is worth doing if you have concerns about the confidentiality or integrity of your mail in transit.

A quick recap

Overall, DMARC is a helpful protocol because it enhances email security, protects brand reputation, and ensures that recipients can trust the authenticity of your emails.

DMARC allows domain owners to protect their domains from unauthorised use such as spoofing, phishing and email compromise. As a result, enforcing DMARC discourages bad actors from using your domain.

With Yahoo and Gmail now requiring DMARC from bulk senders and other email providers preparing to follow suit, it makes sense to take steps now to make sure your domains are compliant.

DMARC is the email authentication standard that all organisations should embrace and using a service such as SendMarc will help provide pain-free initial onboarding and ongoing reporting and management.

References

Architecture and configuration – NCSC.GOV.UK

Cyber Security Breaches Survey 2022 – GOV.UK (www.gov.uk)
