Spam email that purports to be from your domain is not just annoying for the recipient. It can also cause other sites to have less trust in anything sent from your domain. There are several things that you can deploy to help combat this. One is DKIM, which adds a digital signature to outgoing mail. That signature proves that you sent the email. It's simple to setup in Kerio; see the links at end. The other tool is SPF, where you publish a DNS text record that says which IP addresses are allowed to send mail from your domain. This is again easy to configure.
If everyone implemented these correctly and every receiving server checked against those methods, forged email would become much more difficult. However, not only does everyone NOT use these, but those that do may make errors. For example, you may have set these up, but have remote users sending mail out using their ISP's mail servers. Those won't have a DKIM signature and they won't match your SPF record. If a receiving server checks either or both, what should they do? Should they ignore the discrepancy, treat the email as spam or reject it outright? No matter what they do, you'll never know because you get no notice of such errata.
This is where DMARC can help. What it is from your point of view is just a DNS text record. Here's mine:
_dmarc v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org;ruf=mailto:email@example.com;
By the way, the reports have to go to an address in your domain unless the place you want to send them publishes a special "report" record that says it is ok for you to send them there.
That record tells a server that checks DMARC that I feel anything that doesn't match SPF and DKIM should be quarantined (p=quarantine). I could have said "ignore" or "reject" instead and I will change it to reject as soon as I am sure I've identified rogue sources. I'll get back to that shortly, but for now notice that there are two "mailto" links in the record. These tell the receiving server where to send reports about mail from my domain that they process. These reports give me feedback on who is sending email saying it is from my domain. They help me determine whether I really have control or not.
For example, I use Gmail and have my "From" address set to my domain. That wouldn't match my SPF and DKIM settings. Fortunately, Gmail allows you to fix this easily, but without the reports I wouldn't necessarily know that this mail had been sent.
Not all servers implement DMARC, but many of the big names do: Google, Facebook, Microsoft, Yahoo and many more. Any mail that says it's from aplawrence.com that reaches those servers will be reported back to me in the form of an XML file. Of course the actual content is not included, but if the server supports forensic reporting (not all do), that "ruf" tag tells them where to send that data, which will include some header information:
Received: from vbhbgy (unknown [184.108.40.206]) by ip-10-0-1-60.localdomain (Postfix) with ESMTP id 9804D14DF5D for ; Sun, 21 Dec 2014 12:47:33 +0900 (KST) From: "oqnuyrjc" Reply-To: firstname.lastname@example.org To: "hanpingduan" Subject: =?GB2312?B?u9i4tDrQu9C7o6E=?= Date: Sun, 21 Dec 2014 11:48:10 +0800 X-Mailer: Microsoft Outlook Express 6.00.2800.1106 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=behmuk649_3449_144839002.173092" X-Priority: 3
The XML files are not difficult to read, but I created a free account at Dmarcian.com to do the analysis for me. I just forward the DMARC reports to an address they provide and can easily see reports like this:
The "Forwarders" section was Google before I changed Gmail to use my SMTP server.
I was curious about the Subject of those spoofed emails, so asked Google Translate:
Now that I know that I have identified all legitmate sources of mail, I can change my DMARC record to "reject". According to the DMARC faq, "quarantine" means:
DMARC does recommend that you first use "none", to give you a chance to see where your problems lie. You can also set an optional percentage of emils to filter when yo bump that to "quarantine" or "reject". This lets you implement DMARC gradually
I think so, yes. The reporting is informative and setting this up can help your email not be seen as spam. Longer term, if everyone used this, it might someday be possible to simply ignore mail that doesn't identify its source honestly and completely.
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2014-12-22 Anthony Lawrence
If we define Futurism as an exploration beyond accepted limits, then the nature of limiting systems becomes the first object of exploration. (Frank Herbert)