What is DMARC?

    For our Tuesday tech tip, we’re continuing in the email security series and we’re going to talk about DMARC. DMARC is a component of email security. What is DMARC and why should you care? I’m going to warn you that this is going to be probably one of the longest and more technical videos that I make.  There’s going to be some textbook stuff along with a few acronyms that I’m going to explain. DMARC is very technical, but if you’ll hang in there with me, I think you’re going to learn a lot about how email works and how to secure your email for your organization. So stay with me to the end.

    Let’s talk a little bit about how DMARC works. Well, first, it’s a technical specification that describes how email senders can make their email easy to identify using existing free and open technologies. DMARC compliant email is very easy to process, and email receivers have embraced this. DMARC is a common way to figure out the basic identity of an email. It builds upon two existing technologies that have been out there for a long time that can associate a piece of email with a domain. SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) work in different but complementary ways to create a link between the piece of email and the domain.

    This is very important that these three components are in place. DMARC, SPF, and DKIM, by themselves, SPF and DKIM can associate a piece of email with the domain. In the language of SPF and DKIM generate authenticated identifiers. What does this mean? Well, ultimately, DMARC attempts to tie the results of SPF and DKIM. Don’t worry, guys, you’re going to see some subsequent videos, and I’m going to talk about Sender Policy Framework and the DKIM authentication piece, so that you can see how those two pieces are working. Basically what I’m saying here is that DMARC is looking at the results of those two, tying them together. So we get a much more deliverable email and also an email that is much harder to spoof.

    So let’s jump back in here. SPF and DKIM generate authenticated Identifiers. DMARC attempts to tie the results of SPF and DKIM the authenticated Identifiers to the actual content of the mail. Specifically to the domain found in the header of the email. If you look at email, there’s something that’s called the header and these mail servers are reading it and determining a lot about the email. This is how spam filters work. This is how deliverability happens and everything else. So the domain found in the header of a piece of email in the entity that ties together everything is called DMARC processing.

    Let’s look at the D. The D in DMARC stands for domain-based. And hopefully, you can now see which domain the DMARC is concerned with. Now because anyone could buy a domain and put SPF and DKIM in place, including criminals, the results of processing SPF and DKIM that the authenticated Identifiers have to be related to that actual domain found in that DMARC header. This is referred to as Identifier alignment. Getting Identifiers to align ends up being a part of the work of deploying DMARC. To make it possible for someone that owns an actual email domain to accurately deploy SPF and DKIM.

    DMARC describes how feedback can be sent from the domain owner regarding how their email domain is being used across the entire Internet. This feedback can come in two forms: Reports that provide a comprehensive view of all domain traffic as seen by the organization that generates the report and reports that are redacted copies of individual emails that are not 100% compliant with DMARC.

    These comprehensive reports are delivered in what’s called XML. It’s a data format and it includes such messages as message counts, the IP addresses, and the results of processing SPF and DKIM. Although some humans in most Androids can read XML directly, what we have is a system that specializes in processing these reports, identifying what steps need to be taken so that normal people can get DMARC into place without having to become some type of experts on email. The reports redacted copies of individual emails are not generated by all email receivers that participate in DMARC.

    The reason why an email receiver might not generate this type of report spans three major areas:

Privacy concerns as individual emails can include personal identifiable information.

The reports can potentially be extremely high in volume. There are a lot of emails that are passed in the world every day. Like 28 billion I think emails per day.

The reports are sometimes nice to have because there’s a way to have proven to not be required throughout the whole work of doing that. Basically what I’m trying to say is that you’re able to prove what emails have passed and traverse the servers. So that if you ever had to do some forensic work, you’ve got the logs. 

    Quite a few organizations don’t even want to ask for these types of reports as they want to avoid any sort of potential ill that could come from areas of Privacy.

    These reports can shed light on specific types of abuse that a domain might be encountering. What we’re doing is taking these reports and processing them and reporting on them, so that these entities don’t have to exchange their private information. It can be contained in one portal that is secured so the visibility is provided by the feedback reports. When processed by tools like ours gives the owner the ability to deploy SPF and DKIM with a very high degree of accuracy. Once an email domain owner is confident that they’ve deployed SPF and DKIM across all the email streams, the domain owner then can tell the world to act against the email that is not compliant with DMARC.

    In plain words, what that’s going to do if you have your email set up right, is all the servers are going to be talking with all their headers and all this metadata behind it. Then what we’re going to be doing is looking at all of these logs, and we’re going to be determining what our friends are foes. And if the whole world were to set this type of system up, we would be in such a much better place because a lot of this email spoofing and all these things that we’re dealing with would go away.

    So DMARC is a very important part of this process in securing our emails. Now, I know this was very technical. If you have questions if you want to get into the nuts and bolts of how to set up DMARC. Again, a lot of these tools are free. Setting up DMARC is free. Setting up DKIM is free. Most people don’t know how to do it and then tying it back to DMARC So that it can check those logs and make sure that everybody is legit, is another service that this service is watching over that. It’s alerting, it’s reporting it’s collecting data securely, keeping it away from a personal identifiable information standpoint for all parties involved. Then it can report on who is sending mail on your behalf. It can allow only people that are approved to send emails on your behalf.

    I probably ought to talk about what that means, sending an email on your behalf. I’m going to use an example that’s very easy for me. We use HubSpot as a marketing tool. Well, HubSpot is sending on our behalf. Some people use QuickBooks to send out invoices QuickBooks is sending emails on your behalf on their web version and on and on and on. Constant Contact and all types of software that are sending emails are sent on your behalf.

    What you have to do is determine who can send on your behalf. Then using these tools, you allow those and you can even look at rates and everything. If they got hacked and we’re sending way too many emails or whatever, you can get reporting and know that those things are happening. But bigger than that, what you’re going to be able to do is turn the faucet off on all the people that are trying to send emails on your behalf.

    Ultimately, spoofing and all of the crimes and the troubles that come with it it. As well as the deliverability when your email is set up correctly and all these components are in place, email servers, it’s a lot easier for them. And spam filters are looking at all this data. I kind of spoke about that earlier. When all of that is in alignment, you’re going to have yourself a situation where your emails are going to get into the inboxes, not into the junk folders, and not be blocked by spam filters.

    Alright, this is just part two. I know this was long. If you have questions, let me know. I’m going to go into SPF and DKM a little deeper like this just to have the data out there for the people who want to know. At the end of the day, email is a huge opening in your network because you got all your users at varying levels of cyber security awareness that are clicking on things. You need to get this stuff set up correctly. I’m passionate about it if you need help.