Hey are you there looking for some information on DMARC? OK –
You are at the right place. As I was also looking for some easy information on
DMARC that my mind can engross. So, I thought of sharing this piece of information
with you all.
First let’s know the full form.
DMARC
stands for Domain-based Message Authentication, Reporting and Conformance.
Now let’s try to know why do we even have DMARC and for
What?
Before getting into that we should know two more things which
are the main principles / elements of DMARC i.e., SPF and DKIM. Yes – you heard
it right. We need to know these two terminologies as that is the bread and
butter of DMARC.
SPF stands
for Sender Policy Framework. Now what’s that, let’s figure out?
SPF is a simple DNS TXT record that specifies which IP
addresses (servers) are allowed to send email from a domain. SPF record is required
for a top-level domain (i.e., any domain @example.com) as top-level domain also
automatically authenticates sub-domains under them (e.g., subdomain.domain.com).
There is a limitation for SPF i.e., 255 characters. SPF is one of the oldest email
authentication standards. Nowadays in a world of cloud computing there are a
numerous number of limitations.
So, to conclude SPF checks “From” field address authenticity
in an email. It will look up the IP address entry against the DNS TXT SPF record
of that domain.
There is an online that we can use to see SPF record for any
domains (i.e., https://Kitterman.com/spf/validate.html)
DKIM
stands for DomainKeys identified mail.
DKIM is also a TXT record. DKIM is in place to prove that content
inside an email has not been tampered and header information of that email not changed
(i.e., FROM address) and sender indeed owns the domain or at least authorized
by the owner of domain. Now you might ask how DKIM do all of these checks?
DKIM uses the concept of cryptography (encryption algorithm)
as we see commonly in digital signatures. This creates a pair of public and
private key. Private key always remains on the mail server itself and public
key is in DNS TXT record (any email service domain that you are using).
OK Great! Now we know those two key terms. We are good to
know what’s a DMARC record.
DMARC is a technical standard for email authentication that
helps all email senders and recipients from SPAM / SPOOFING / and PHISHING.
Please note DMARC itself is not an email authentication protocol as it builds
on key authentication standards i.e., SPF and DKIM.
So, to pass a DMARC check both SPF and DKIM has to pass or
at least any of them must be aligned. For SPF alignment emails “FROM” address
and return-path address must match and for DKIM alignment message’s “FROM”
address and DKIM domain must match.
Emails which are not in alignment to
SPF and DKIM will be rejected or quarantined. However, companies still wish to receive
those suspicious emails in their email security solutions like MS ATP for
further analysis. They will not be going to users mailbox.
I hope this small writeup was able to set a picture of DMARC
working mechanism in your mind or at least how do we use DMARC for email
security. How do I know all of this – I had worked in a phishing program and
have seen how we make these things work to run a phishing campaign successfully
and also read some good articles on SPF, DKIM and DMARC which are there on some
of the DMARC monitoring and Enforcement vendor solutions websites.
Mentioning
websites below that I took in reference:
https://www.valimail.com/email-security-best-practices/
(For reading more on topics)
https://www.youtube.com/watch?v=c9fLp5uIxp8
(For seeing diagrams and working explanation)
No comments:
Post a Comment