- Introduction to DMARC
- DMARC Working Process
- DMARC Record Breakdown
- Aggregate DMARC Report
- Why DMARC is Neccessary
- DMARC Misconfiguration Threat
Introduction to DMARC:
DMARC also known as Domain Message Authentication, Reporting & Conformance is a technical standard that helps protect email senders and receipients from email related spoofing and phishing attacks which are widely usd as a part of social engineering techniques to compromise user’s system. It uses SPF (Sender policy framework) and DKIM (Domain Keys Identified Mail) to validate the authenticity of a mail.
DMARC record policy can be published by an organization to define their mail authenitication practice and provides intructions to receiving mail servers on how to enforce them.
Specifically, DMARC establishes a method for a domain owner to:
- Publish its email authentication practices
- State what actions should be taken on mail that fails authentication checks
- Enable reporting of these actions taken on mail which looks to be from its domain.
DMARC Work Process:
As explained above, DMARC uses SPF and DKIM for email authenitcation. In general terms, the process of DMARC validation works like this:
- A domain administrator publishes DMARC Policy which defines its email authentication procedure and how receiving mail server should handle the mails which violate the policy.
- When a mail server receives an email, it uses DNS to look up the DMARC policy of sender domain contained in the From address. The receiving server then check for
1. Does the message’s DKIM signature valid?
2. Did the message come from IP addresses allowed by the sending domain’s SPF records?
3. Do the headers in the message show proper “domain alignment”?
- Using above information, the receving mail server can apply the DMARC policy of sending mail server to decide whether the mail is legit or not.
- Once done with above step, the receiving mail server will send a report mail to the sending domain owner.
DMARC Record Breakdown:
DMARC record is stored in a domains’s DNS databases i.e, it is possible to view the DMARC record of a domain using DNS query tools like dig, host dnsenum etc., or some online dns lookup sites. We have used dig tool in kali linux to perform a dns lookup of DMARC record for a domain.
As we can see from above screenshot, the DMARC record looks like below
v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];rf=afrf;pct=100
Lets breakdown each section of the DMARC record,
“v=DMARC1” specifies the version of DMARC protocol used.
“p=none” This specifies the DMARC policy of sending domain is set to none.
Apart from this, the policy can have different values like reject and quarantine.
Policy value none tells the receiving server to not take any actions when the mail is not authenticated properly. Also it will force the receiving server to send a mail report to sending domain admin’s mail id which is present in rua=mailto value.
Policy value of reject tells the receiving server to completely deny the mail if its not validated 100% by sending domain.
Policy value of quarantine tells the receiving server to quarantine the mail if not validated ie send the mail to spam folder.
“rua=mailto:[email protected]” This part insists the receiving server to send DMARC aggregate reports to the mentioned mail id of sending domain owner.
“ruf=mailto:[email protected]” This part insists the receiving server to send DMARC forensic reports to the mentioned mail id of sending domain owner.
“rf=afrf” This refers to the reporting format.
“pct=100” Percent – This part tells the receiving server how much of their mail should be subjected to the DMARC policy’s specifications.
Besides the above mentioned configurations in DMARC record, there are other configurations available for DMARC record which can be configured by Domain administrator. They include sp (policy for subdomains), ri (time interval between aggregate reports) and adkim (DKIM alignment).
Aggregate DMARC Reports:
An organization which published DMARC records will receive aggregate reports via mails from various domains as part of mail security. DMARC aggregate reports contain information about the authentication status of messages sent on behalf of a domain. With the reports an organization can see which emails are authenticating against DKIM and SPF and which emails are rejected.
DMARC report mail contains reports in xml format. Below images shows the xml format structure and description.
Initial part of the report contains details like Reporting organization (organization sending reports) name, Reporting Organisation sending email address and additional contact information, data range in bytes and report id.
Next part of the report contains DMARC record information like from domain, dmarc policy status like reject or quarantine and percent of mails subjected to policy.
Last part of the report describes the authentication summary with details like IP address in the mail, Disposition of the message, to show if the policy was applied, DKIM and SPF authentication results.
Why DMARC is Neccessary:
When an organization requires mail services for business or transactional functions then DMARC is absolutely important for them to implement as this would prevent against social engineering attacks like mail spoofing. Below are few key reasons to implement DMARC in your organization,
- Publishing a DMARC record protects your brand by preventing unauthenticated parties from sending mail from your domain. This helps keeping the reputation of organization in high end.
- DMARC record enables security for mails sent and received by organization employees, stake holders etc.,
- configuring DMARC helps receiving mail servers determine how to evaluate messages that claim to be from your domain.
- The aggregate and Forensic reports sent by receiving mail servers will help to identify who sends mail from your domain.
DMARC Misconfiguration Threat:
The major threat to mail services due to lack of DMARC record or misconfiguration of DMARC record will be mail spoofing attack. Email spoofing is part of social engineering technique where an attacker sends a mail to organization’s employees or customers from one of the mail id of the same organization to carry out phising or installing malware in their systems. The mails will be received in user’s inbox due to lack of DMARC record mail authentication.
In below image we have checked the DMARC record of domain vulnweb.com (test domain) in an online tool.
Note: DMARC record can also be tested using dns enumeration tools like dig in linux as shown in above sections.
As we can see from above screenshot, there is not DMARC record configured for this domain which leads to spoofing of legitimate mail id from this domain. We were able to spoof vulnweb.com domain to send mail to some random user and found that the mail is in his inbox.
DMARC records are an important evolution of email authentication. This is just an example of email senders and ISPs working together to protect the email channel. This blog lets the readers to understand the need of DMARC record for their organization as it may lead to serious security threats if not configured properly.