DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.
Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.
DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From:
field presented to end users; how the receiver should deal with failures – and provides a reporting mechanism for actions performed under those policies.
DMARC is defined in the Internet Engineering Task Force's published document RFC 7489,[1] dated March 2015, as "Informational".[2]
Overview
editA DMARC policy allows a sender's domain to indicate that their email messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it. The policy can also specify how an email receiver can report back to the sender's domain about messages that pass and/or fail.[3]
These policies are published in the public Domain Name System (DNS) as text TXT records.
DMARC does not directly address whether or not an email is spam or otherwise fraudulent. Instead, DMARC can require that a message not only pass DKIM or SPF validation, but that it also pass § Alignment. Under DMARC a message can fail even if it passes SPF or DKIM but fails alignment.[4]
Setting up DMARC may improve the deliverability of messages from legitimate senders.[5]
Alignment
editDMARC operates by checking that the domain in the message's From:
field (also called "RFC5322.From"[2]) is "aligned" with other authenticated domain names. If either SPF (specified using the aspf
field) or DKIM (specified using the adkim
) alignment checks pass, then the DMARC alignment test passes.
Alignment may be specified as strict or relaxed. For strict alignment, the domain names must be identical. For relaxed alignment, the top-level "Organizational Domain" must match. The Organizational Domain used to be found by checking a list of public DNS suffixes. The upcoming spec instead specifies a Tree Walk through the parent domains. So, for example, "a.b.c.d.example.com.au" and "example.com.au" have the same Organizational Domain, because _dmarc.example.com.au is the only defined DMARC record among all the subdomains involved, including _dmarc.au. As this allows domain owners to define domain roles, it is deemed to be more accurate than the Public Suffix List.[6]
Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities that are authorized to make changes to a given DNS domain.
SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM
command. (The email address in MAIL FROM is also called the bounce address, envelope-from or RFC5321.MailFrom.) In addition to requiring that the SPF check passes, DMARC checks that RFC5321.MailFrom aligns with 5322.From.[2]
DKIM allows parts of an email message to be cryptographically signed, and the signature must cover the From field. Within the DKIM-Signature mail header, the d=
(domain) and s=
(selector) tags specify where in DNS to retrieve the public key for the signature. A valid signature proves that the signer is a domain owner, and that the From field hasn't been modified since the signature was applied. There may be several DKIM signatures on an email message; DMARC requires one valid signature where the domain in the d=
tag aligns with the sender's domain stated in the From:
header field.
DNS record
editDMARC records are published in DNS with a subdomain label _dmarc
, for example _dmarc.example.com
. Compare this to SPF at example.com
, and DKIM at selector._domainkey.example.com
.
The content of the TXT resource record consists of name=value
tags, separated by semicolons, similar to SPF and DKIM.
The available tags are:[7]
- adkim, DKIM alignment mode (default
r
for relaxed, alternativelys
for strict) - aspf, SPF alignment mode (default
r
for relaxed, alternativelys
for strict) - fo, failure reporting options (default
0
, alternatively1
,d
, ors
) - p, policy (see below),
- pct, percent of "bad" email on which to apply the policy (default
100
) - rf, format for message-specific failure reports
- ri, requested interval between aggregate reports
- rua, URI to send aggregate reports to
- ruf, URI to send failure/forensic reports to
- sp, subdomain policy (default same as
p
), - v, version,
For example:
"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com;"
In this example, the entity controlling the example.com DNS domain intends to monitor SPF and/or DKIM failure rates and doesn't expect email to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record; receivers must check it out before falling back to the organizational domain record.
Step by step adoption
editThe protocol provides for various ratchets, or transitional states, to allow mail admins to gradually transition from not implementing DMARC at all the way through to an unyielding setup.[8][9][10] The concept of stepwise adoption assumes that the goal of DMARC is the strongest setting, which is not the case for all domains. Regardless of intent, these mechanisms allow for greater flexibility.
Policy
editFirst and foremost, there are three policies:
- none is the entry level policy. No special treatment is required by receivers, but enables a domain to receive feedback reports.
- quarantine asks receivers to treat messages that fail DMARC check with suspicion. Different receivers have different means to implement that, for example flag messages or deliver them in the spam folder.
- reject asks receivers to outright reject messages that fail DMARC check.
The policy published can be mitigated by applying it to only a percentage of the messages that fail DMARC check. Receivers are asked to select the given percentage of messages by a simple Bernoulli sampling algorithm. The rest of the messages should undergo the lower policy; that is, none if p=quarantine
, quarantine if p=reject
. If not specified, pct defaults to 100% of messages. The case p=quarantine; pct=0;
is being used to force mailing list managers to rewrite the From: field, as some don't do so when p=none
.[11]
Finally, the subdomain policy, sp=
and the newly added no-domain policy, np=
[12] allow tweaking the policy for specific subdomains.
Reports
editDMARC is capable of producing two separate types of reports. Aggregate reports are sent to the address specified following the rua
. Forensic reports are emailed to the address following the ruf
tag. These mail addresses must be specified in URI mailto format (e.g. mailto:worker@example.net ). Multiple reporting addresses are valid and must each be in full URI format, separated by a comma.[13]
Target email addresses can belong to external domains. In that case, the target domain has to set up a DMARC record to say it agrees to receive them, otherwise it would be possible to exploit reporting for spam amplification. For example, say receiver.example
receives a mail message From: someone@sender.example
and wishes to report it. If it finds ruf=mailto:some-id@thirdparty.example
, it looks for a confirming DNS record in the namespace administered by the target, like this:
sender.example._report._dmarc.thirdparty.example IN TXT "v=DMARC1;"
Aggregate reports
editAggregate Reports are sent as XML files, typically once per day. The subject mentions the "Report Domain", which indicates the DNS domain name about which the report was generated, and the "Submitter", which is the entity issuing the report. The payload is in an attachment with a long filename consisting of bang-separated elements such as the report-issuing receiver, the begin and end epochs of the reported period as Unix-style time stamps, an optional unique identifier and an extension which depends on the possible compression (used to be .zip
).[14]
For example:
example.com!example.org!1475712000!1475798400.xml.gz
.
The XML content consists of a header, containing the policy on which the report is based and report metadata, followed by a number of records. Records can be put in a database as a relation and viewed in a tabular form. The XML schema is defined in Appendix C of specifications[15] and a raw record is exemplified in dmarc.org.[16] Here we stick with a relational example, which better conveys the nature of the data. DMARC records can also be directly transformed in HTML by applying an XSL stylesheet.
Source IP | Count | Disposition | SPF | DKIM | Header from | SPF domain (result) | DKIM domain (result) | |
---|---|---|---|---|---|---|---|---|
192.0.2.1 | 12 | none | ✓ Pass | ✓ Pass | example.org | example.org (✓ Pass) | example.org (✓ Pass) | |
192.0.2.1 | 1 | none | ✓ Pass | ✗ Fail | example.org | example.org (✓ Pass) | example.org (✗ Fail) | |
192.0.2.28 | 42 | none | ✗ Fail | ✓ Pass | example.org | example.org (✗ Fail) | example.org (✓ Pass) | forwarder.example (✓ Pass) |
192.0.2.82 | 21 | none | ✗ Fail | ✗ Fail | example.org | discusslist.example (✓ Pass) | example.org (✗ Fail) | discusslist.example (✓ Pass) |
... |
Rows are grouped by source IP and authentication results, passing just the count of each group. The leftmost result columns, labelled SPF and DKIM show DMARC-wise results, either pass or fail, taking alignment into account. The rightmost ones, with similar labels, show the name of the domain which claims to participate in the sending of the message and (in parentheses) the authentication status of that claim according to the original protocol, SPF or DKIM, regardless of Identifier Alignment. On the right side, SPF can appear at most twice, once for the Return-Path:
test and once for the HELO
test; DKIM can appear once for each signature present in the message. In the example, the first row represents the main mail flow from example.org, and the second row is a DKIM glitch, such as signature breakage due to a minor alteration in transit. The third and fourth rows show typical failures modes of a forwarder and a mailing list, respectively. DMARC authentication failed for the last row only; it could have affected the message disposition if example.org had specified a strict policy.
The disposition reflects the policy published actually applied to the messages, none, quarantine, or reject. Along with it, not shown in the table, DMARC provides for a policy override. Some reasons why a receiver can apply a policy different from the one requested are already provided for by the specification:
- forwarded
- while keeping the same bounce address, usually doesn't break DKIM,
- sampled out
- because a sender can choose to only apply the policy to a percentage of messages only,
- trusted forwarder
- the message arrived from a locally known source
- mailing list
- the receiver heuristically determined that the message arrived from a mailing list,
- local policy
- receivers are obviously free to apply the policy they like, it is just cool to let senders know,
- other
- if none of the above applies, a comment field allows to say more.
Forensic reports
editForensic Reports, also known as Failure Reports, are generated in real time and consist of redacted copies of individual messages that failed SPF, DKIM or both based upon what value is specified in the fo
tag. Their format, an extension of Abuse Reporting Format, resembles that of regular bounces in that they contain either a "message/rfc822" or a "text/rfc822-headers".
Forensic Reports also contain the following:
- Source of Sending IP Address
- From email address
- Recipient email address
- Email subject line
- SPF and DKIM authentication results
- Received time
- Email message headers which include the sending host, email message ID, DKIM signature, and any other custom header information.[17]
Compatibility
editForwarders
editThere are several different types of email forwarding, some of which may break SPF.[18] This is one of the reasons why email forwarding can affect DMARC authentication results. [19]
Mailing lists
editMailing lists are a frequent cause of legitimate breakage of the original author's domain DKIM signature, for example by adding a prefix to the subject header. A number of workarounds are possible,[20][21] and mailing list software packages are working on solutions.[22]
Turn off all message modifications
editThis workaround keeps the standard mailing list workflow, and is adopted by several large mailing list operators, but precludes the list adding footers and subject prefixes.[23] This requires careful configuration of mailing software to make sure signed headers are not reordered or modified. A misconfigured email server may put List-id in its DKIM of messages sent to a mailing list, and then the list operator is forced to reject it or do From: rewriting.
From:
rewriting
edit
One of the most popular and least intrusive workarounds consists of rewriting the From:
header field. The original author's address can then be added to the Reply-To:
field.[24] Rewriting can range from just appending .INVALID
[note 1] to the domain name, to allocating a temporary user ID where a modified version of the user's address is used, or an opaque ID is used, which keeps the user's "real" email address private from the list. In addition, the display name can be changed so as to show both the author and the list (or list operator).[25] Those examples would result, respectively, in one of the following:
From: John Doe <user@example.com.INVALID>
From: John Doe <user@example.com.dmarc.fail>
From: John Doe <243576@mailinglist.example.org>
From: John Doe via MailingList <list@mailinglist.example.org>
Reply-To: John Doe <user@example.com>
The last line, Reply-To:
, has to be designed in order to accommodate reply-to-author functionality, in which case reply-to-list functionality is covered by the preceding change in the From:
header field. That way, the original meaning of those fields is reversed.
Altering the author is not fair in general, and can break the expected relationship between meaning and appearance of that datum. It also breaks automated use of it. There are communities which use mailing lists to coordinate their work, and deploy tools which use the From:
field to attribute authorship to attachments.[26]
Other workarounds
editWrapping the message works nicely, for those who use an email client which understands wrapped messages. Not doing any change is perhaps the most obvious solution, except that they seem to be legally required in some countries, and that routinely losing SPF authentication may render overall authentication more fragile.[27]
Sender field
editMaking changes to the From:
header field to pass DKIM alignment may bring the message out of compliance with RFC 5322 section 3.6.2: "The 'From:' field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message." Mailbox refers to the author's email address. The Sender:
header is available to indicate that an email was sent on behalf of another party, but DMARC only checks policy for the From domain and ignores the Sender domain.[note 2]
Both ADSP and DMARC[4] reject using the Sender field on the non-technical basis that many user agents do not display this to the recipient.
History
editA draft DMARC specification has been maintained since 30 January 2012.[28]
In October 2013, GNU Mailman 2.1.16 was released with options to handle posters from a domain with the DMARC policy of p=reject
.[22] The change tried to anticipate the interoperability issues expected in case restrictive policies were applied to domains with human users (as opposed to purely transactional mail domains).
In April 2014, Yahoo changed its DMARC policy to p=reject
, thereby causing misbehavior in several mailing lists.[29][30] A few days later, AOL also changed its DMARC policy to p=reject
.[31] Those moves resulted in a significant amount of disruption, and those mailbox providers have been accused of forcing the costs of their own security failures onto third parties.[32] As of 2020, the FAQ in the official DMARC wiki contains several suggestions for mailing lists to handle messages from a domain with a strict DMARC policy,[33] of which the most widely implemented is the mailing list changing the “From” header to an address in its own domain.
An IETF working group was formed in August 2014 in order to address DMARC issues, starting from interoperability concerns and possibly continuing with a revised standard specification and documentation.[34] Meanwhile, the existing DMARC specification had reached an editorial state agreed upon and implemented by many. It was published in March 2015 on the Independent Submission stream in the "Informational" (non-standard) category as RFC 7489.[35]
In March 2017, the Federal Trade Commission published a study on DMARC usage by businesses.[36] Out of 569 businesses, the study found about a third implemented any DMARC configuration, fewer than 10% used DMARC to instruct servers to reject unauthenticated messages, and a majority had implemented SPF.
Contributors
editThe contributors of the DMARC specification include:[37][38]
- Receivers: AOL, Comcast, Google (Gmail), Mail.Ru, Microsoft (Outlook.com, Hotmail),[39] Netease (163.com, 126.com, 188.com, yeah.net), XS4ALL, Yahoo, Yandex
- Senders: American Greetings, Bank of America, Facebook, Fidelity Investments, JPMorganChase, LinkedIn,[40] PayPal, Twitter[41]
- Intermediaries & Vendors:[42] Agari (Founder/CEO Patrick R. Peterson),[42] Cloudmark,[42] DMARC Advisor,[42] Red Sift,[42] ReturnPath,[42] Trusted Domain Project,[42] ProDMARC, [42]
Commercial services
editPopular services that perform DMARC analysis and/or record validation include Valimail, Dmarcian and EasyDmarc.[43]
See also
editNotes
editReferences
edit- ^ RFC 7489
- ^ a b c Murray Kucherawy; Elizabeth Zwicky (18 March 2015). Domain-based Message Authentication, Reporting, and Conformance (DMARC). IETF. doi:10.17487/RFC7489. RFC 7489.
- ^ Terry Zink (27 September 2016). "How we moved microsoft.com to a p=quarantine DMARC record". MSDN blog.
If that sounds like a lot of work, that's because it was
- ^ a b Kucherawy, M.; Zwicky, E. (15 July 2013). "Domain-based Message Authentication, Reporting and Conformance (DMARC) [draft 01]". IETF. Appendix A.3, Sender Header Field. Retrieved 24 May 2016.
- ^ "Bulk Senders Guidelines – Gmail Help". support.google.com. Retrieved 24 April 2015.
- ^ Dave Crocker (24 November 2020). "Doing a tree walk rather than PSL lookup". dmarc-ietf (Mailing list).
- ^ RFC 7489. sec. 6.3. doi:10.17487/RFC7489.
- ^ "Tutorial: Recommended DMARC rollout". google.com.
- ^ "Implementation Guidance: Email Domain Protection". cyber.gc.ca. 12 August 2021.
- ^ "User Guide for Cisco Domain Protection" (PDF). cisco.com. 25 May 2021.
- ^ Jonathan Kamens (9 October 2018). ""p=none" vs. "p=quarantine; pct=0"" (Mailing list).
- ^ Scott Kitterman (26 July 2021). Tim Wicinski (ed.). Experimental Domain-Based Message Authentication, Reporting, and Conformance (DMARC) Extension for Public Suffix Domains. IETF. doi:10.17487/RFC9091. RFC 9091.
- ^ "RUA vs RUF - Different DMARC Report Types Explained". Progist.net. 14 December 2023. Retrieved 14 December 2023.
- ^ "What is the rationale for choosing ZIP for the aggregate reports?". DMARC.org. 2012. Retrieved 3 April 2019.
Once GZIP is registered as a MIME application type with IANA, the DMARC group will consider it as inclusion in the draft
- ^ Murray S. Kucherawy; Elizabeth Zwicky, eds. (March 2015). "DMARC XML Schema". Domain-based Message Authentication, Reporting, and Conformance (DMARC). IETF. sec. C. doi:10.17487/RFC7489. RFC 7489. Retrieved 3 March 2019.
- ^ "I need to implement aggregate reports, what do they look like?". DMARC.org. Retrieved 26 May 2016.
- ^ "The Ultimate Guide to DMARC Reporting in 2022". 23 August 2019.
- ^ Franck Martin; Eliot Lear; Tim Draegen; Elizabeth Zwicky; Kurt Andersen, eds. (September 2016). "Alias". Interoperability Issues between Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Indirect Email Flows. IETF. sec. 3.2.1. doi:10.17487/RFC7960. RFC 7960. Retrieved 14 March 2017.
- ^ "How does email forwarding affect DMARC authentication results?". progist.net. 6 January 2023.
- ^ Anti-Spam Research Group. "Mitigating DMARC damage to third party mail".
- ^ dmarc.org wiki
- ^ a b Mark Sapiro (16 October 2013). "Mailman and DMARC". list.org. Retrieved 13 August 2015.
- ^ "Upcoming changes for lists.debian.org". lists.debian.org.
- ^ Al Iverson (9 April 2014). "Spam Resource: Run an email discussion list? Here's how to deal with DMARC". spamresource.com. Retrieved 18 April 2014.
- ^ "How Threadable solved the DMARC problem". Threadable Blog. Retrieved 21 May 2016.
- ^ Theodore Ts'o (18 December 2016). "Realistic responses to DMARC". IETF-Discussion (Mailing list). Retrieved 14 March 2017.
The fact that the from field is not rewritten is IMPORTANT because rewriting the from field would break the 'git am' command, since it uses the From: field to fill in the git commit's from field
- ^ John Levine (31 May 2014). "Mitigating DMARC damage to third party mail". wiki. ASRG. Retrieved 1 June 2014.
- ^ "History", dmarc.org
- ^ Lucian Constantin (8 April 2014). "Yahoo email anti-spoofing policy breaks mailing lists". PC World. Retrieved 15 April 2014.
- ^ Laura Atkins (12 April 2014). "Yahoo Statement on DMARC policy". wordtothewise.com.
- ^ Vishwanath Subramanian (22 April 2014). "AOL Mail updates DMARC policy to 'reject'". AOL. Archived from the original on 13 August 2015. Retrieved 13 August 2015.
- ^ John Levine (13 August 2016). "DMARC and ietf.org". IETF (Mailing list). Retrieved 10 October 2016.
- ^ "FAQ in DMARC wiki". Retrieved 15 July 2020.
- ^ "WG Action: Formed Domain-based Message Authentication, Reporting & Conformance (dmarc)". IETF-Announce (Mailing list). 11 August 2014. Retrieved 10 October 2016.
- ^ "DMARC FAQ". dmarc.org.
- ^ "Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication" (PDF). Federal Trade Commission. 3 March 2017.
- ^ Kucherawy, Murray; Zwicky, Elizabeth. "Acknowledgements". Domain-based Message Authentication, Reporting, and Conformance (DMARC). sec. E. I-D draft-kucherawy-dmarc-base-01.
- ^ DMARC Contributors (PDF)
- ^ Vitaldevara, Krish (10 December 2012). "Outlook.com increases security with support for DMARC and EV certificates". Outlook Blog. Microsoft. Retrieved 12 December 2012.
- ^ Martin, Franck (20 September 2012). "DMARC: a new tool to detect genuine emails". LinkedIn Engineering Blog. Linkedin. Retrieved 17 August 2013.
- ^ Josh Aberant (21 February 2013). "Introducing DMARC for Twitter.com emails". twitter.com. Retrieved 10 April 2014.
- ^ a b c d e f g h "History – dmarc.org". dmarc.org. Retrieved 23 September 2020.
- ^ Hureau, Olivier; Bayer, Jan; Duda, Andrzej; Korczyński, Maciej (2024). Richter, Philipp; Bajpai, Vaibhav; Carisimo, Esteban (eds.). "Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC". Passive and Active Measurement. Cham: Springer Nature Switzerland: 232–261. doi:10.1007/978-3-031-56249-5_10. ISBN 978-3-031-56249-5.
External links
edit- Official website
- The Anti Spam Research Group wiki: Mitigating DMARC damage to third party mail