Let's know DMARC - Information Security


Monday, November 07, 2022

Let's know DMARC


Hey, are you looking for some information on DMARC? OK, you are at the right place. I was also looking for some easy-to-digest information on DMARC, so I thought of sharing this piece of information with you all.

First, let's learn the full form.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance.




Now let's try to understand why we even have DMARC, and what it is for.

Before getting into that, we should know two more things, which are the main building blocks of DMARC: SPF and DKIM. Yes, you heard it right. We need to know these two terms, as they are the bread and butter of DMARC.

SPF stands for Sender Policy Framework. Now what is that? Let's figure it out.

SPF is a simple DNS TXT record that specifies which IP addresses (servers) are allowed to send email for a domain. An SPF record is required for a top-level domain (i.e., any domain such as @example.com), as the top-level domain also automatically authenticates the sub-domains under it (e.g., subdomain.domain.com). SPF has a size limitation of 255 characters. SPF is one of the oldest email authentication standards, and nowadays, in a world of cloud computing, it has numerous limitations.

So, to conclude: SPF checks the authenticity of the “From” address in an email. The receiving server looks up the sending IP address against the DNS TXT SPF record of that domain.

There is an online tool that we can use to see the SPF record for any domain (i.e., https://Kitterman.com/spf/validate.html).
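To make the SPF lookup concrete, here is an added example (my own code, not from the post or from any tool mentioned above) of what a receiving server does: it fetches the domain's v=spf1 TXT record and walks its mechanisms until one matches the connecting IP. The DNS data is a constructed in-memory table, so the script runs offline; the domain names and addresses in it are made up. Only the ip4, ip6, include and all mechanisms are modelled, and the 10-lookup limit from the SPF specification is enforced on include:.

```python
import ipaddress

# Constructed DNS zone data for the example (not real records): name -> list of TXT strings.
DNS_TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    ],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.example": ["some unrelated TXT record"],
}

# An SPF qualifier decides the result returned when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # SPF limit on lookup-causing terms such as include:


def lookup_spf(domain):
    """Return the domain's single v=spf1 TXT record, None if absent, 'permerror' if several."""
    records = [r for r in DNS_TXT.get(domain.lower(), [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return None
    if len(records) > 1:
        return "permerror"
    return records[0]


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for the connecting IP against `domain` (the envelope-sender domain).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms a, mx, exists and ptr need further DNS queries and are not
    modelled here; they are reported as permerror.
    """
    lookups = _lookups if _lookups is not None else [0]   # shared across includes
    addr = ipaddress.ip_address(str(ip))
    record = lookup_spf(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr in network        # False when the address family differs
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(addr, arg, lookups)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"           # a broken include breaks the whole record
            # fail / softfail / neutral inside an include is simply "no match"
        else:
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]

    return "neutral"   # nothing matched and the record has no explicit "all"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "203.0.113.7"):
        print(ip, check_host(ip, "example.com"))
```

A mail server that passes the final -all only after every listed network and every include has been checked is exactly why a missing or wrong include (a cloud mailer the company forgot to list) shows up as "fail" in DMARC reports.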

DKIM stands for DomainKeys Identified Mail.

DKIM is also a TXT record. DKIM is in place to prove that the content inside an email has not been tampered with, that the header information of that email (i.e., the FROM address) has not been changed, and that the sender indeed owns the domain or at least is authorized by the owner of the domain. Now you might ask how DKIM does all of these checks.

DKIM uses public-key cryptography, as we commonly see in digital signatures. This creates a pair of public and private keys. The private key always remains on the mail server itself, and the public key is published in a DNS TXT record (for whichever email service domain you are using).
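The "content has not been tampered with" part of DKIM rests on a hash of the message body that the signer stores in the bh= tag of the DKIM-Signature header. The added example below (my own code, not from the post) implements that step of a verifier: it canonicalizes the body the way DKIM's "simple" mode does, recomputes the hash, and compares it with bh=. The message body, domain and selector are constructed; the b= tag is a placeholder, because checking the actual signature over the headers needs the public key from the selector's _domainkey TXT record and an RSA library, which this example does not include.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization: CRLF line endings, trailing empty
    lines removed, body ends with exactly one CRLF (an empty body becomes CRLF)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n"


def body_hash(body):
    """The value a signer puts in the bh= tag: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature value ('tag=value; tag=value') into a dict,
    removing the folding whitespace that is allowed inside values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_header(domain, selector, body):
    """Signer side (constructed): every tag except b=, which would carry the RSA
    signature over the canonicalized headers. The signature is not computed here."""
    return (
        "v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s;\r\n"
        "\th=from:to:subject:date; bh=%s;\r\n"
        "\tb=SIGNATURE-PLACEHOLDER" % (domain, selector, body_hash(body))
    )


def check_body_hash(dkim_signature, body):
    """Verifier side, first step: does the received body still hash to bh=?
    Returns 'pass', 'fail' or 'unsupported'. A full verifier would then fetch
    <s>._domainkey.<d> from DNS and check b= over the signed headers."""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return "unsupported"
    canon = tags.get("c", "simple/simple")          # default is simple/simple
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple":
        return "unsupported"                        # relaxed mode not modelled here
    if "bh" not in tags or "d" not in tags or "s" not in tags:
        return "fail"
    return "pass" if tags["bh"] == body_hash(body) else "fail"


# Constructed sample message (example only).
ORIGINAL_BODY = "Hello,\r\n\r\nPlease find the invoice attached.\r\n\r\nRegards\r\n\r\n"
TAMPERED_BODY = ORIGINAL_BODY.replace("invoice", "refund form")
SIGNATURE = build_signature_header("example.com", "sel2022", ORIGINAL_BODY)

if __name__ == "__main__":
    print(check_body_hash(SIGNATURE, ORIGINAL_BODY))   # pass
    print(check_body_hash(SIGNATURE, TAMPERED_BODY))   # fail
```

Because the canonicalization drops trailing blank lines, a relay that appends an empty line does not break the hash, while any change to the visible text does.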


OK, great! Now that we know those two key terms, we are ready to learn what a DMARC record is.

DMARC is a technical standard for email authentication that helps protect all email senders and recipients from SPAM, SPOOFING and PHISHING. Please note that DMARC itself is not an email authentication protocol, as it builds on the key authentication standards SPF and DKIM.

So, to pass a DMARC check, both SPF and DKIM have to pass, or at least one of them must pass and be aligned. For SPF alignment, the email's “FROM” address domain and the return-path address domain must match, and for DKIM alignment, the message's “FROM” address domain and the DKIM domain must match.

Emails that are not aligned with SPF and DKIM will be rejected or quarantined. However, companies still often wish to receive those suspicious emails in their email security solutions, like MS ATP, for further analysis; they will not go to users' mailboxes.
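The two paragraphs above describe the whole DMARC decision: take the SPF and DKIM results, check whether the domain each one authenticated matches the domain in the visible From: header, and if neither is aligned apply the policy the From: domain published. The added example below (my own code, not from the post) implements that decision. It goes a little beyond the text: besides the exact-match ("strict") alignment described above, it also handles the "relaxed" mode that real DMARC records select with the adkim= and aspf= tags, where a sub-domain such as bounce.example.com is accepted as aligned with example.com. The DMARC records are a constructed table standing in for the _dmarc.<domain> TXT lookup, and the organizational-domain helper is a simplification (last two labels) of what a real implementation does with the Public Suffix List.

```python
# Constructed DMARC records for the example (not real DNS data); a real
# receiver fetches the TXT record at _dmarc.<From-domain>.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplification for the example: the last two labels. Real implementations
    use the Public Suffix List so that names like example.co.uk are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """'s' (strict): exact match. 'r' (relaxed): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF and DKIM outcomes with the From: domain's DMARC policy.

    from_domain : domain of the From: header (what the user sees)
    spf_domain  : domain SPF was evaluated for (the Return-Path / envelope sender)
    dkim_domain : d= tag of a DKIM signature that verified ('' if none did)
    Returns (dmarc_result, disposition); disposition is deliver, quarantine or reject.
    """
    record = DMARC_TXT.get("_dmarc." + from_domain.lower())
    if record is None:
        return ("none", "deliver")           # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "deliver")

    spf_aligned = (spf_result == "pass"
                   and is_aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass"
                    and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")           # one aligned pass is enough

    policy = tags.get("p", "none")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", disposition.get(policy, "deliver"))


if __name__ == "__main__":
    # SPF passed for the bounce sub-domain; aspf=r lets it align with example.com.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "none", ""))
    # Third-party mailer: SPF passes only for its own domain and the DKIM d= is a
    # sub-domain, which adkim=s does not accept, so the quarantine policy applies.
    print(evaluate_dmarc("example.com", "pass", "mailer.example", "pass", "news.example.com"))
```

The "quarantine" disposition is the one the last paragraph talks about: the receiving side keeps the message for analysis in its email security solution instead of delivering it to the user.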


I hope this small write-up was able to paint a picture of DMARC's working mechanism in your mind, or at least of how we use DMARC for email security. How do I know all of this? I have worked in a phishing program and have seen how we make these things work to run a phishing campaign successfully, and I have also read some good articles on SPF, DKIM and DMARC that are on the websites of some DMARC monitoring and enforcement vendor solutions.


Websites that I took as reference:

https://www.valimail.com/email-security-best-practices/ (for reading more on the topics)

https://www.youtube.com/watch?v=c9fLp5uIxp8 (for diagrams and a working explanation)
