DMARC Email Protection

Fraudsters and scammers often send email by falsifying the sender’s address.  If the sender appears to be trustworthy then the recipient is more likely to read a message and to act on it.  The protocol used to send email (SMTP) includes the name and address of the sender within the header of the message.  These are commonly picked up by the email client programme but the information is in clear text and can easily be forged before any message is sent.  Emails can be sent line by line (including any header details typed in) through Telnet.  More sophisticated tools are available but the security issue is that sender information within an email header does not need to reflect the actual sender.  Recipients’ email clients on the other hand will tend to highlight this unreliable address.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is designed to stop this attack vector.  DMARC is linked to domain name records and ideally needs to run on the sender and recipient servers.  The sender tags the message as being valid and the receiver verifies the message.  If it fails the email will be rejected or sent to SPAM.

DMARC is essentially a wrapper for 2 other email protection protocols, Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).  To get a fully working DMARC system up and running requires setting up SPF and (ideally but not essential) DKIM in that order before starting on DMARC.  These all need access to DNS records to set up.   Proofpoint is one of several on-line tools that will show the current status of DMARC and SPF settings on any domain.

SPF is the simpler protocol and will work to a limited degree without DMARC.  It is used to check that an email comes from the domain that it appears to be from.  The sender’s DNS records will include the name of the domain authorised to send mail.  This will either be the same as the sender’s domain or will specify some authorised 3rd party sender.  Optionally the IP addresses of authorised mail servers can also be added.  This is best practice where an organisation is running its own mail servers ‘in-house’.

DKIM is a public-private key based authentication system. The sender creates a hash of part of the email header or body and encrypts it using their private key.  This is included with the DKIM tagged message.  The recipient unencrypts this encrypted text data with the matching public key (obtained from DNS records).  If the unencrypted hash matches that sent with the message the recipient knows that it has not been altered since the original encryption.

Major web email providers such as Google enforce DMARC.  As DMARC becomes more widespread it is increasingly likely that any email that is not itself DMARC compliant will fail checks and either not be accepted or redirected to SPAM.  This trend makes DMARC roll out an essential step for any organisation.  Not only will spoof emails be minimised; genuine emails will be less likely to be refused by recipients.

More from Security

13/05/2024

eCommerce Shop Scams

Data from Security Research Labs has revealed a China based fake shopping network that they have named ‘BogusBazaar.’  They claim that: ‘As of April …

Read post

08/05/2024

Lockbit Ransomware Takedown

In February 2024 the UK National Crime Agency released details of how the NCA and other international policing agencies had disrupted the actions of …

Read post

23/04/2024

UK Cyber security breaches survey 2024

Lies, damned lies, and statistics (attributed to Disraeli) The UK Cyber Security Breaches Survey 2024 was published on 9th April 2024.  Not surprisingly it …

Read post

25/03/2024

Digital Gift Card Issues

Both Apple and Google offer gift card services for use on their App stores.  Just as it states on the tin the card can …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus

    Categories