Simplifying DMARC deployment and reporting

Print Friendly, PDF & Email

CNET recently reported that the US Department of Homeland Security (DHS) has given federal agencies 90 days to implement HTTPS and DMARC within their organizations.  The deployment of these technologies should provide additional protection for the employees and the public. 

The HTTPS protocol is familiar to most Internet users, especially toward the ‘Cyber Monday' shopping season when online security and safe shopping become frequent topics.  DMARC is still one of the lesser known and/or used technologies, as you can see in this DMARC Adoption by Sector data from the OTA 2017 Honor Roll (pdf):

This DHS announcement is a great opportunity for us to talk about DMARC and why it's so important to our online safety.

What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, and is designed to prevent domain spoofing with additional verification techniques.  With properly configured DMARC in place, an attempt to impersonate an email from www.paypal.com with something like www.payypal.com would be rejected before reaching the recipient.  In the simplest terms, DMARC makes sure that the domain in the “Mail From:” field of an email is the domain that sent the email.

DMARC does this by working with the older Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) technologies.  SPF and DKIM are also email authentication mechanisms, but they operate independently and cannot communicate the results of an authentication test to parties of an email transaction.  DMARC allows SPF and DKIM to act as intended and then reports the results of those verification checks to other parties in the email message.  DMARC also allows senders and receivers to communicate on how to handle authentication failures and provides aggregate and forensic reporting on email activity. 

In the simplest terms, DMARC makes it easier to determine whether a message is legitimate, and it informs the recipient what to do if the message is a fake.  It also informs the sender if someone is spoofing the sender's domain.

Deploying DMARC

At this point, you may be wondering how to add DMARC to your security, which is what DHS just ordered the federal agencies to do.  DMARC is a freely available specification and deployment can be as simple as publishing a DMARC record.   With DMARC in place across government agencies, the public should see a decline in spear phishing attempts that impersonate the federal government, because these attempts will be rejected by DMARC compliant email systems.  This is why Oregon Senator Ron Wyden wrote to the DHS and specifically requested that DMARC be implemented across all agencies (pdf).

The problem with deploying DMARC is that it's technically difficult to get everything configured correctly.  There are several common issues with deployment:

  • Using values that are not DMARC records:  SPF records like “v=spf1 ip4:200.6.YY.ZZZ +a +mx + ?all” and DKIM records, “v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC…” are often mistaken for DMARC records
  • Not understanding or following the instructions for DMARC records:  For example, inserting the DNS record and the phrase “descriptive text” in this string —  “_dmarc.clementine.XXXXXXXX.fr descriptive text v=DMARC1; p=reject;…”
  • Incorrect formatting or constructs, as seen in the following strings:
    • p=none; v=DMARC1; rua=mailto:mail@XXXXXXXX.com
    • v=DMARC1; fo=1; p=none; rua=mailto:agg@XXXXXXXX.com
    • v=dmarc1; P=Reject; rua=mailto:dmarc_agg_rep@XXXXXXXX.it
    • “v=DMARC1;” “p=quarantine;” “pct=25;” “rua=mailto:postmaster@XXXXXXXX.com”
    • v=DMARC1; p=blocked; rua=mailto:dmarc_agg@auth.returnpath.net; …

Understanding DMARC Results

When deployed correctly, DMARC provides two types of reports.  The Aggregate Report provides information on the Source IP and authentication results of email that was sent using the domain being monitored.  The Forensic Report is generated in real time and includes information on emails that failed SPF and/or DKIM checks.  Some of the details and frequencies of these reports can be configured in the DMARC record. 

Aggregate Reports are sent in XML format and are often difficult to read without additional software.  Here's an example of an Aggregate Report from Google:


<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>http://support.google.com/a/bin/answer.py?answer=2466580</extra_contact_info>
    <report_id>7241837801886321635</report_id>
    <date_range>
      <begin>1431388800</begin>
      <end>1431475199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>rigweb.ru</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>144.76.154.188</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>site.ru</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>rigweb.ru</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>site.ru</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Some organizations generate millions of these labor-intensive reports.  Without a good human-friendly solution, the email administrator often gets “data fatigue.”  The report just becomes irrelevant, because it's so difficult and tedious to evaluate. 

Barracuda, DMARC, and spear phishing

Because domain spoofing is a common tactic in a spear phishing attack, many people think that DMARC is a complete spear phishing defense.  Unfortunately, DMARC is not designed to stop spear phishing.  DMARC is only designed to protect against domain spoofing.  So although DMARC could reject an impersonation message like this ‘secure bank message' attack, it would provide no protection from this Office 365 Account Compromise attack.  The difference is that the Office 365 attacks are sent from the victim's own domain, and there is no domain spoofing involved. 

Earlier this year Barracuda launched Barracuda Sentinel, which is a comprehensive artificial intelligence solution that makes extensive use of the DMARC specification.  Because DMARC relies on proper configuration and enforcement, Barracuda Sentinel provides a wizard-based configuration process to deploy DMARC on your domain. 

Using the reporting capabilities of DMARC, Barracuda Sentinel can provide visibility and analysis of your messaging.  This helps administrator ensure the deliverability for legitimate email traffic.  Sentinel also provides reporting that is easy to read and understand, and is accessible through the Barracuda Sentinel web interface:

 

Because DMARC alone cannot fully protect you from spear phishing, Barracuda Sentinel also employs artificial intelligence to identify anomalies, and fraud simulation training to help your users protect themselves. 

Getting started with Barracuda Sentinel

Barracuda Sentinel is a cloud service that requires no hardware or software to install and maintain.  In most cases, it takes only a few minutes to configure and deploy.  If you'd like to give it a shot, visit our Barracuda Sentinel corporate site here

Scroll to top
Tweet
Share
Share