DMARC

From Wikipedia, the free encyclopedia
Jump to: navigation, search
This article is about an email validation system. For the telephony junction point, see demarcation point.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. Specified in RFC 7489, DMARC counters the illegitimate usage of the exact domain name in the From: field of email message headers.[1]

DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email from that domain and how the receiver should deal with failures. Additionally, it provides a reporting mechanism of actions performed under those policies. It thus coordinates the results of DKIM and SPF and specifies under which circumstances the From: header field, which is often visible to end users, should be considered legitimate.

DMARC's validation of the From field has similarities to Author Domain Signing Practices (ADSP, originally called DKIM Sender Signing Practices, DKIM-SSP). The reporting aspect builds on Abuse Reporting Format (ARF).[note 1]

History[edit]

A group of leading organizations came together in the spring of 2011 to collaborate on a method for combating fraudulent email at Internet-scale, based on practical experience with DKIM and SPF. They aimed to enable senders to publish easily discoverable policies on unauthenticated email - and to enable receivers to provide authentication reporting to senders to improve and monitor their authentication infrastructures.[2]

A draft DMARC specification has been maintained since January 30, 2012, and within one year DMARC was estimated to protect 60% of the world's mailboxes.[3]

In October 2013, GNU Mailman 2.1.16 was released with options to handle posters from a domain with the DMARC policy of p=reject.[4] The change tried to anticipate the interoperability issues expected in case restrictive policies were applied to domains with human users (as opposed to purely transactional mail domains).

In April 2014, Yahoo changed its DMARC policy to p=reject, thereby causing misbehavior in several mailing lists.[5] A few days later, AOL also changed its DMARC policy to p=reject.[6] Those moves resulted in a significant amount of disruption, and those mailbox providers have been accused of forcing the costs of their own security failures on third parties.[7]

A IETF working group was formed in August 2014 in order to address DMARC issues, starting from interoperability concerns and possibly continuing with a revised standard specification and documentation.[8] Meanwhile, the existing DMARC specification had reached an editorial state agreed upon and implemented by many. It was published in March 2015 on the Independent Submission stream in the "Informational" (non-standard) category as RFC 7489.[9]

In March 2017, the Federal Trade Commission published a study on DMARC usage by businesses.[10] It seems that about 10% of 569 businesses with a significant online presence publish strict DMARC policies.

Overview[edit]

A DMARC policy allows a sender's domain to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junk or reject the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides two ways for the email receiver to report back to the sender's domain about messages that pass and/or fail DMARC evaluation. Aggregate reports contain statistical data, while forensic reports can include the message at fault.

DMARC is designed to fit into an organization's existing inbound email authentication process. The way it works is to help email receivers determine if the purported message aligns with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle the "non-aligned" messages. DMARC doesn't directly address whether or not an email is spam or otherwise fraudulent. Instead, DMARC requires that a message not only pass DKIM or SPF validation, but that it also pass alignment. For SPF, the message must PASS the SPF check, and the domain in the From: header must match the domain used to validate SPF (must exactly match for strict alignment, or must be a sub-domain for relaxed alignment). For DKIM, the message must be validly signed and the d= domain of the valid signature must align with the domain in the From: header (must exactly match for strict alignment, or must be a sub-domain for relaxed alignment). Under DMARC a message can fail even if it passes SPF or DKIM, but fails alignment.[11]

DMARC policies are published in the public Domain Name System (DNS) as text (TXT) resource records (RR) and announce what an email receiver should do with non-aligned mail it receives.

To ensure the sender trusts this process and knows the impact of publishing a policy different than p=none (monitor mode), receivers send daily aggregate reports indicating to the sender how many emails have been received and if these emails passed SPF and/or DKIM and were aligned. The sender looks at failing IP addresses in aggregate reports in order to find the (sub)domains responsible of bad authentication.[12]

DMARC may have a positive impact on deliverability for legitimate senders. Google, at least, recommends the use of DMARC for bulk email senders.[13]

Alignment[edit]

DMARC operates by checking that the domain in the message's From: field (also called "5322.From") is "aligned" with other authenticated domain names. If either SPF or DKIM alignment checks pass, then the DMARC alignment test passes.

Alignment may be specified as strict or relaxed. For strict alignment, the domain names must be identical. For relaxed alignment, the top-level "Organizational Domain" must match. The Organizational Domain is found by checking a list of public DNS suffixes, and adding the next DNS label. So, for example, "a.b.c.d.example.com.au" and "example.com.au" have the same Organizational Domain, because there is a registrar that offers names in ".com.au" to customers.

Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities that are authorized to make changes to a given DNS domain.

SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. (The email address in MAIL FROM is also called envelope-from or 5321.MailFrom.) In addition to requiring that the SPF check passes, DMARC additionally checks that 5321.MailFrom aligns with 5322.From.

DKIM allows parts of an email message to be cryptographically signed, and the signature must cover the From field. Within the DKIM-Signature mail header, the d= (domain) and s= (selector) tags specify where in DNS to retrieve the public key for the signature. A valid signature proves that the signer is a domain owner, and that the From field hasn't been modified since the signature was applied. There may be several DKIM signatures on an email message, DMARC requires one valid signature where the domain in the d= tag aligns with the sender's domain stated in the From: header field.

DNS record[edit]

DMARC records are published in DNS with a subdomain label _dmarc, for example _dmarc.example.com. Compare this to SPF at example.com, and DKIM at selector._domainkey.example.com.

The content of the TXT resource record consists of name=value tags, separated by semicolons, similar to SPF and DKIM. For example:

"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"

Here, v is the version, p is the policy, sp the subdomain policy, pct is the percent of "bad" emails on which to apply the policy, and rua is the URI to send aggregate reports to. In this example, the entity controlling the example.com DNS domain intends to monitor SPF and/or DKIM failure rates, and doesn't expect emails to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record, receivers must check it out before falling back to the organizational domain record.

Reports[edit]

DMARC is capable of producing two separate types of reports. Aggregate reports, are sent to the address specified under the rua and Forensic reports are emailed to the address following the ruf tag. These mail addresses must be specified in URI mailto format (e.g. mailto:worker@example.net ). Multiple reporting addresses are valid and must each be in full URI format, separated by a comma.

Target email addresses can belong to external domains. In that case, the target domain has to set up a DMARC record to say it agrees to receive them, otherwise it would be possible to exploit reporting for spam amplification. For example, say receiver.example receives a mail message From: someone@sender.example and wishes to report it. If it finds ruf=mailto:some-id@thirdparty.example, it looks for a confirming DNS record in the namespace administered by the target, like so:

  sender.example._report._dmarc.thirdparty.example IN TXT "v=DMARC1"

Aggregate reports[edit]

Aggregate Reports are sent as XML files, typically once per day. The subject mentions the "Report Domain", which is the policy-publishing sender of the mail messages being reported, and the "Submitter", which is the entity issuing the report. The payload is in an attachment with a long filename consisting of bang-separated elements such as the report-issuing receiver, the begin and end epochs of the reported period as Unix-style time stamps, an optional unique identifier and an extension which depends on the possible compression.[1] For example example.com!example.org!1475712000!1475798400.xml.gz.

The XML content consists of a header, containing the policy on which the report is based and report metadata, followed by a number of records. Records can be put in a database as a relation and viewed in a tabular form. The XML schema is defined in Appendix C of specifications[1] and a raw record is exemplified in dmarc.org.[14] Here we stick with a relational example, which better conveys the nature of the data. DMARC record can also be directly transformed in HTML by applying an XSL stylesheet.

DMARC rows of an aggregate record shown in tabular form
source ip count disposition spf dkim header from SPF domain (result) DKIM domain (result)  
192.0.2.1 12 none pass pass example.org example.org (pass) example.org (pass)  
192.0.2.1 1 none pass fail example.org example.org (pass) example.org (fail)  
192.0.2.28 42 none fail pass example.org example.org (fail) example.org (pass) forwarder.example (pass)
192.0.2.82 none fail fail example.org discusslist.example (pass) example.org (fail) discusslist.example (pass)
...

Rows are grouped by source IP and authentication results, passing just the count of each group. The leftmost result columns, labelled dmarc and spf show DMARC-wise results, either pass or fail, taking alignment into account. The rightmost ones show the name of the domain which claims to participate in the sending of the message and (in parentheses) the authentication status of that claim, according to the original protocol, SPF or DKIM, regardless of Identifier Alignment. SPF can appear at most twice, for the Return-Path: and HELO tests, while DKIM can appear once for each signature present in the message. In the example, the first row represents the main mail flow from example.org, and the second row is a DKIM glitch, such as signature breakage due to a minor alteration in transit. The third and fourth rows show typical failures modes of a forwarder and a mailing list, respectively.

The disposition reflects the policy published actually applied to the messages, none, quarantine, or reject. Along with it, not shown in the table, DMARC provides for a policy override. Some reasons why a receiver can apply a policy different from the one requested are already provided for by the specification:

  • forwarded while keeping the same bounce address, usually doesn't break DKIM,
  • sampled out, because a sender can choose to only apply the policy to a percentage of messages only,
  • trusted forwarder, the message arrived from a locally known source
  • mailing list, the receiver heuristically determined that the message arrived from a mailing list,
  • local policy, receivers are obviously free to apply the policy they like, it is just cool to let senders know,
  • other, if none of the above applies, a comment field allows to say more.

Forensic reports[edit]

Forensic Reports are generated in real time and consist of redacted copies of individual emails that failed SPF, DKIM or both based upon what value is specified in the fo tag. Their format resembles that of regular bounces.

Human policy[edit]

DMARC policies are published by domain owners and applied by mail receivers to the messages that don't pass the alignment test. The domain being queried is the author domain, that is the domain to the right of @ in the From: header field. The policy can be one of none the so-called monitor mode, quarantine to treat the message with suspicion according to the receiver capabilities, or reject to reject the message outright. Reject policy is fine for domains that don't have individual human users, or for companies with firm staff policies that all mail goes through the company mail server, and employees don't join mailing lists and the like using company addresses, or the company provides a separate less strictly managed domain for its staff mail. Strict policies will never be appropriate for public webmail systems where the users will use their mail addresses any way one can use a mail address.[15]

Compatibility[edit]

Forwarders[edit]

Human use of a mail address may involve email forwarding, for example from a dismissed address. Dot-forwarding, and similar use of aliases usually limit changes to the envelope recipient(s), so that DKIM signatures can be preserved, while SPF is often broken.[16]

Mailing lists[edit]

Mailing lists are a frequent cause of legitimate breakage of the original author's domain DKIM signature. They routinely change the SPF-authenticated domain, and therefore break DMARC alignment. John Levine, a well known mail expert, has collected a list of all the not-so-broken possible workarounds.[17] Several mailing lists software now propose various options to deal with members posting from a domain with p=reject. For instance Mailman 2.1.16 (16 October 2013) and onward have such options.[4]

From: rewriting[edit]

One of the most popular and least intrusive workarounds consists in rewriting the From: header field. The original author's address can then be added to the Reply-To: field.[18] Rewriting can range from just appending .INVALID[note 2] to the domain name, to allocating a temporary user ID to forward replies through the list;[note 3] where an opaque ID is used, this keeps the user's "real" email address private from the list. In addition, the display name can be changed so as to show both the author and the list (or list operator).[20] Those examples would result, respectively, in one of:

From: John Doe <user@example.com.INVALID>
From: John Doe <243576@mailinglist.example.org>
From: John Doe via MailingList <list@mailinglist.example.org>
and
Reply-To: John Doe <user@example.com>

The Last line, Reply-To: has to be designed in order to accommodate reply-to-author functionality, in case reply-to-list function is covered by the preceding change in the From: header field. That way, the original meaning of those fields is reversed.

Altering the author is not fair in general, and can break the expected relationship between meaning and appearance of that datum. It also breaks automated use of it. There are communities which use mailing lists to coordinate their work, and deploy tools which use the From: field to attribute authorship to attachments.[21]

Other workarounds[edit]

Wrapping the message works nicely, for those who use an email client which understands wrapped messages. Not doing any change is perhaps the most obvious solution, except that they seem to be legally due in some countries, and that routinely losing SPF authentication may render overall authentication more fragile.[17]

Sender field[edit]

Making changes to the From: header field to pass DKIM alignment may bring the message out of compliance with RFC 5322 section 3.6.2: "The 'From:' field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message." Mailbox refers to the author's email address. The Sender: header is available to indicate that an email was sent on behalf of another party, but DMARC only checks policy for the From domain and ignores the Sender domain.[note 4]

Both ADSP and DMARC[22] reject using the Sender field on the basis that many user agents don't display this to the recipient.

DNS support[edit]

Setting up DMARC on a domain requires creation of sub-domains starting with an underscore. Some DNS providers, however, such as 1&1, did not allow the creation of sub-domains starting with an underscore.[citation needed] Additionally, some providers, such as Network Solutions, do not support underscores in cname records, which interferes with the consolidation of multiple records by CNAME redirection.[23][24]

Contributors[edit]

The contributors of the DMARC specification include:[25][26]

See also[edit]

Notes[edit]

  1. ^ The "auth-failure" feedback type was added to ARF in RFC 6591 (2012).
  2. ^ INVALID is a top level domain reserved by RFC 2606 for such kind of usage
  3. ^ Eric Thomas described the updated behaviour of Listserv software: "incoming Yahoo and AOL addresses are automatically rewritten to local addresses that can receive private replies and forward them to the original poster"[19]
  4. ^ Use of the Sender field by remailers is mentioned (in the context of DKIM, not DMARC) in sections B.1.4 and B.2.3 of RFC 4871.

References[edit]

  1. ^ a b c M. Kucherawy; E. Zwicky (March 2015). Domain-based Message Authentication, Reporting, and Conformance (DMARC). IETF. RFC 7489. https://tools.ietf.org/html/rfc7489. 
  2. ^ "History", dmarc.org
  3. ^ "In First Year, DMARC Protects 60 Percent of Global Consumer Mailboxes". dmarc.org. 6 February 2013. Retrieved 10 April 2014. 
  4. ^ a b Mark Sapiro (16 October 2013). "Mailman and DMARC". list.org. Retrieved 13 August 2015. 
  5. ^ Lucian Constantin (8 April 2014). "Yahoo email anti-spoofing policy breaks mailing lists". PC World. Retrieved 15 April 2014. 
  6. ^ Vishwanath Subramanian (22 April 2014). "AOL Mail updates DMARC policy to 'reject'". AOL. Retrieved 13 August 2015. 
  7. ^ John Levine (13 August 2016). "DMARC and ietf.org". IETF (Mailing list). Retrieved 10 October 2016. 
  8. ^ "WG Action: Formed Domain-based Message Authentication, Reporting & Conformance (dmarc)". IETF-Announce (Mailing list). 11 August 2014. Retrieved 10 October 2016. 
  9. ^ "Status of DMARC, dmarc.org
  10. ^ "Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication" (PDF). Federal Trade Commission. 3 March 2017. 
  11. ^ Kucherawy, Murray. The Current DMARC Internet Draft. IETF.org. Jul 15, 2013
  12. ^ Terry Zink (27 September 2016). "How we moved microsoft.com to a p=quarantine DMARC record". MSDN blog. If that sounds like a lot of work, that’s because it was 
  13. ^ "Bulk Senders Guidelines - Gmail Help". support.google.com. Retrieved 2015-04-24. 
  14. ^ "I need to implement aggregate reports, what do they look like?". DMARC.org. Retrieved 26 May 2016. 
  15. ^ John Levine (8 April 2014). "DMARC: perspectives from a listadmin of large open-source lists". IETF Discussion List. IETF. Retrieved 11 April 2014. 
  16. ^ Franck Martin; Eliot Lear; Tim Draegen et al., eds. (September 2016). "Alias". Interoperability Issues between Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Indirect Email Flows. IETF. sec. 3.2.1. RFC 7960. https://tools.ietf.org/html/rfc7960#section-3.2.1. Retrieved 14 March 2017. 
  17. ^ a b John Levine (31 May 2014). "Mitigating DMARC damage to third party mail". wiki. ASRG. Retrieved 1 June 2014. 
  18. ^ Al Iverson (9 April 2014). "Spam Resource: Run an email discussion list? Here's how to deal with DMARC". spamresource.com. Retrieved 18 April 2014. 
  19. ^ "LISTSERV® Inventor Develops Seamless Solution to DMARC Hassles". L-Soft Press Releases. Retrieved 22 May 2016. 
  20. ^ "How Threadable solved the DMARC problem". Threadable Blog. Retrieved 21 May 2016. 
  21. ^ Theodore Ts'o (18 December 2016). "Realistic responses to DMARC". IETF-Discussion (Mailing list). Retrieved 14 March 2017. The fact that the from field is not rewritten is IMPORTANT because rewriting the from field would break the "git am" command, since it uses the From: field to fill in the git commit's from field 
  22. ^ Kucherawy, M.; Zwicky, E. (July 15, 2013). "Domain-based Message Authentication, Reporting and Conformance (DMARC) [draft 01]". IETF. Appendix A.3, Sender Header Field. Retrieved 24 May 2016. 
  23. ^ "DMARC - FAQ". 
  24. ^ "Twitter". 
  25. ^ DMARC specification Acknowledgements
  26. ^ DMARC Contributors (PDF)
  27. ^ Vitaldevara, Krish (10 December 2012). "Outlook.com increases security with support for DMARC and EV certificates". Outlook Blog. Microsoft. Retrieved 12 December 2012. 
  28. ^ Martin, Franck (20 September 2012). "DMARC: a new tool to detect genuine emails". LinkedIn Engineering Blog. Linkedin. Retrieved 17 August 2013. 
  29. ^ Josh Aberant (21 February 2013). "Introducing DMARC for Twitter.com emails". twitter.com. Retrieved 10 April 2014. 
  30. ^ Ian McShane (27 March 2014). "Introducing DMARC Validation in Email Security.cloud". symantec.com. Retrieved 10 April 2014. 

External links[edit]