JRB - Fotolia
Many large email providers are adding or expanding on their use of DMARC policy to combat email fraud. How does DMARC protect against email threats, and how strict should an enterprise DMARC policy be?
Even though there have been various methods introduced over the years to try and identify email from spoofed addresses, email fraud still remains a big problem. Spam filters are somewhat effective, but always lag behind the ever-changing tactics of spammers. Furthermore, domain administrators never know how many legitimate messages fail to arrive, or are blocked by these filters. Mechanisms such as Sender Policy Framework (SPF), Sender ID and DomainKeys Identified Mail (DKIM) have also helped to reduce email fraud by providing greater assurance of the message sender's identity, but they work in isolation from each other, which reduces their overall effectiveness. SPF allows system administrators to specify which hosts are allowed to send mail from their domains, allowing receiving systems to check whether a message has been sent from an authorized source or not. DKIM adds a digital signature to an email, which can be validated by the recipient using the sender's public key published in the domain's domain name system (DNS) records. While these technologies make life harder for spammers, domain administrators still have no way of knowing to what extent their domains are being abused by spammers.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol developed by the Trusted Domain Project that builds on the SPF and DKIM protocols, but incorporates a reporting function that allows email and service providers to share information about the validity of emails they send to each other. This includes the ability to tell mailbox providers what to do if a domain's emails aren't protected and verified by SPF and/or DKIM. Actions can vary from moving the message directly into the spam folder or rejecting it outright. Information about messages that pass or fail DMARC evaluation can be fed back into the DMARC register; this provides intelligence to the sender about messages being sent from their domain and can identify email systems being used by spammers. A DMARC policy is published in the DNS and indicates that messages are protected by SPF and/or DKIM, and tells a receiver what to do if either of those authentication methods fail.
DMARC is already used by many organizations and has successfully stopped large-scale campaigns targeting well-known domains. Google and Yahoo have both recently announced that they are extending DMARC protection to cover more of their Internet domains. Enterprises considering deploying DMARC should first use it in monitor mode to collect data from participating receivers to ensure legitimate traffic is correctly passing through DMARC authentication checks. The DMARC policy can then be changed to request how failing messages should be handled. This could mean putting them in a junk folder, adding a tag to the message before delivery or holding them back for more detailed review. Only when no legitimate messages are being incorrectly quarantined should the policy be set to reject all messages that do not fully pass the DMARC checks -- otherwise, some users may be adversely affected.
Google will be moving Gmail to a strict DMARC policy of rejecting all messages that fail the authentication checks, which is a big step not only in the battle against spoofed email, but in how Gmail works. Google will be supporting the Authenticated Received Chain (ARC) protocol to help legitimate mailing list operators and those that send mail from a valid Gmail account, but not through Gmail servers. ARC preserves the initial email authentication results across any subsequent intermediary hops that modify the message and would cause DMARC authentication to fail when the message reaches its final destination.
Everyone suffers from spam -- and its more sinister relative, phishing emails -- and although DMARC isn't a perfect solution to the problem yet, hopefully, if it is adopted globally, email users won't be waking up to an inbox full of spam every day.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Read more on the security benefits of DMARC email authentication
Find out about the security risks of personal email servers
Discover ways to secure enterprise email while abroad
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Michael Cobb
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading