Help protect your mail domain with DMARC


2014/12/22

Spam email that purports to be from your domain is not just annoying for the recipient. It can also cause other sites to have less trust in anything sent from your domain. There are several things that you can deploy to help combat this. One is DKIM, which adds a digital signature to outgoing mail. That signature proves that you sent the email. It's simple to set up in Kerio; see the links at the end. The other tool is SPF, where you publish a DNS text record that says which IP addresses are allowed to send mail from your domain. This is again easy to configure.

If everyone implemented these correctly and every receiving server checked against those methods, forged email would become much more difficult. However, not only does everyone NOT use these, but those that do may make errors. For example, you may have set these up, but have remote users sending mail out using their ISP's mail servers. Those won't have a DKIM signature and they won't match your SPF record. If a receiving server checks either or both, what should they do? Should they ignore the discrepancy, treat the email as spam or reject it outright? No matter what they do, you'll never know because you get no notice of such errata.

DMARC

This is where DMARC can help. From your point of view, it is just a DNS text record. Here's mine:

_dmarc  v=DMARC1; p=quarantine; rua=mailto:[email protected];ruf=mailto:[email protected];

By the way, the reports have to go to an address in your domain unless the place you want to send them publishes a special "report" record that says it is ok for you to send them there.

That record tells a server that checks DMARC that I feel anything that doesn't match SPF and DKIM should be quarantined (p=quarantine). I could have said "none" (take no action) or "reject" instead, and I will change it to reject as soon as I am sure I've identified rogue sources. I'll get back to that shortly, but for now notice that there are two "mailto" links in the record. These tell the receiving server where to send reports about mail from my domain that it processes. These reports give me feedback on who is sending email claiming to be from my domain. They help me determine whether I really have control or not.

For example, I use Gmail and have my "From" address set to my domain. That wouldn't match my SPF and DKIM settings. Fortunately, Gmail allows you to fix this easily, but without the reports I wouldn't necessarily know that this mail had been sent.

Not all servers implement DMARC, but many of the big names do: Google, Facebook, Microsoft, Yahoo and many more. Any mail that says it's from aplawrence.com that reaches those servers will be reported back to me in the form of an XML file. Of course the actual content is not included, but if the server supports forensic reporting (not all do), that "ruf" tag tells them where to send that data, which will include some header information:

Received: from vbhbgy (unknown [183.38.241.12])
by ip-10-0-1-60.localdomain (Postfix) with ESMTP id 9804D14DF5D
for ; Sun, 21 Dec 2014 12:47:33 +0900 (KST)
From: "oqnuyrjc" 
Reply-To: [email protected]
To: "hanpingduan" 
Subject: =?GB2312?B?u9i4tDrQu9C7o6E=?=
Date: Sun, 21 Dec 2014 11:48:10 +0800
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=behmuk649_3449_144839002.173092"
X-Priority: 3

The XML files are not difficult to read, but I created a free account at Dmarcian.com to do the analysis for me. I just forward the DMARC reports to an address they provide and can easily see reports like this:

Dmarc reports processed

The "Forwarders" section was Google before I changed Gmail to use my SMTP server.
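If you would rather not hand the XML to a third party, the aggregate reports are easy to summarize yourself. The following is an added example, not code from the original post or from Dmarcian; the XML inside it is a constructed sample laid out like a real aggregate report, with documentation IP addresses standing in for real senders.

```python
# Added example (not the post's own code): summarize a DMARC aggregate (rua)
# report the way a service like Dmarcian does, using only the standard library.
# SAMPLE_REPORT is a constructed sample in the aggregate-report XML layout.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>c-0001</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize(xml_text):
    """Return (policy_domain, rows): rows maps each source IP to its message
    count and the DKIM/SPF/disposition results the receiver applied.
    If an IP appears in several records, the first record's results are kept."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        entry = rows.setdefault(row.findtext("source_ip"), {
            "count": 0, "dkim": ev.findtext("dkim"), "spf": ev.findtext("spf"),
            "disposition": ev.findtext("disposition")})
        entry["count"] += int(row.findtext("count"))
    return domain, rows


def suspect_sources(rows):
    """IPs that failed both DKIM and SPF: a forwarder you have not fixed yet
    (the Gmail case in the post) or someone forging your domain. Noisiest first."""
    bad = [(ip, r["count"]) for ip, r in rows.items()
           if r["dkim"] == "fail" and r["spf"] == "fail"]
    return [ip for ip, _ in sorted(bad, key=lambda t: -t[1])]


if __name__ == "__main__":
    domain, rows = summarize(SAMPLE_REPORT)
    print("Report for", domain)
    for ip, r in rows.items():
        print(f"{ip:16} {r['count']:5d}  dkim={r['dkim']} spf={r['spf']} -> {r['disposition']}")
    print("Suspect sources:", suspect_sources(rows))
```

A source that passes DKIM but fails SPF (the third record) is typically legitimate mail relayed through a forwarder, which is why DMARC only needs one of the two to align.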

Forensic data

Source of spoofed email

I was curious about the Subject of those spoofed emails, so I asked Google Translate:

Spammish subjects, of course

Now that I know that I have identified all legitimate sources of mail, I can change my DMARC record to "reject". According to the DMARC FAQ, "quarantine" means:

Given the real-world, non-technical use of the term, quarantine means "set aside for additional processing". The definition is at the appreciation of the manager of the receiving email infrastructure. It may mean deliver to the "junk folder" but it may also mean hold in a database for further review by dedicated personnel, or simply add a specific tag to the message before delivery.

DMARC does recommend that you first use "none", to give you a chance to see where your problems lie. You can also set an optional percentage of emails to filter when you bump that to "quarantine" or "reject". This lets you implement DMARC gradually.
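Before publishing or changing the record, it is worth checking it the way a receiver will read it. This added example (not code from the original post) parses a record like the one shown earlier into its tags and checks the policy value, the pct= rollout percentage mentioned above, and whether the rua/ruf addresses leave the policy domain, which is the case where the receiving side must publish the "report" authorization record the post refers to. The record strings in it are constructed examples.

```python
# Added example (not the post's own code): parse a DMARC TXT record and flag
# the mistakes that bite in practice. All record strings here are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def report_domains(uri_list):
    """Domains named by a comma-separated rua/ruf list of mailto: URIs.
    A '!size' suffix (e.g. mailto:a@b.example!10m) is stripped."""
    domains = []
    for uri in uri_list.split(","):
        uri = uri.strip()
        if uri.startswith("mailto:") and "@" in uri:
            domains.append(uri.split("@", 1)[1].split("!")[0].lower())
    return domains


def check_dmarc(policy_domain, txt):
    """Return a list of problems; an empty list means the record looks sane."""
    tags = parse_dmarc(txt)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # default is 100 percent of failing mail
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for dom in report_domains(tags.get(tag, "")):
            if dom != policy_domain.lower():
                # External destinations need an authorization record at
                # <policy_domain>._report._dmarc.<dom> (RFC 7489 section 7.1).
                problems.append(f"{tag} sends reports to {dom}: it must publish "
                                f"{policy_domain}._report._dmarc.{dom} TXT "
                                "'v=DMARC1' or receivers will not send them")
    return problems


if __name__ == "__main__":
    print(check_dmarc("example.com", "v=DMARC1; p=quarantine; pct=20; "
                      "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@reports.example"))
```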

Is it worth the effort?

I think so, yes. The reporting is informative and setting this up can help your email not be seen as spam. Longer term, if everyone used this, it might someday be possible to simply ignore mail that doesn't identify its source honestly and completely.

Configuring DNS for DKIM

How do I create an SPF or Caller ID record?



Got something to add? Send me email.

© Anthony Lawrence