DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Thursday, 01 March 2018 15:07

Using DMARC Effectively

Implementing DMARC is one thing. Making the commitment to implement DMARC in its most aggressive configuration is another.

Conceptually, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is simple. DMARC provides a mechanism for email receivers to validate the source and integrity of inbound email. DMARC also specifies what receivers should do with messages that are not valid based on criteria pre-configured by senders. DMARC is designed to protect against direct domain spoofing, so it isn’t a complete solution to phishing. That said, DMARC has the potential, when deployed in an aggressive configuration, to take a page out of a hacker’s or spammer’s playbook.

DMARC is the result of a collaborative effort between leading organizations who originally came together in 2011 to provide senders and receivers with a tool to fight against fraudulent email activity. The remainder of this post provides an overview the mechanisms that enable DMARC, explores DMARC’s deployable configurations, and provides an overview of obstacles preventing wider adoption and/or more effective use of DMARC.

DMARC is built upon two existing standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF enables an email sender to specify the servers from which email will come and provides instructions for how an email receiver should handle a message that does not originate from a specified server. DKIM, on the other hand, enables senders to include a digital signature on their messages, enabling receivers to verify that the message has not be altered in transit by a third-party.

DMARC brings these two mechanisms together in a powerful manner by allowing senders to specify a policy that tells receivers what to do with email messages that fail to pass SPF and/or DKIM validation. DMARC also enables senders to receive data back from receivers, providing insight into fraudulent email patterns. Before DMARC, there was not an effective feedback channel for failed email, so senders were largely in the dark on email once messages left their servers. There are only three DMARC policies that a sender can specify, and thus, three deployable configurations for DMARC: