How to implement DMARC “reject” policy for your domain – “know the what and where” (when there are multiple partners sending mails on behalf of your domain from their respective MTAs)
Author: Prasad Sugunan
During my preparation to implement DMARC “reject” policy for one of our European banking clients, I did not find enough information on “what and where” should be done to achieve DMARC alignment when there are multiple partners sending mails on behalf on your domain. In this blog, I have detailed the process and steps to achieve DMARC alignment (this is needed before DMARC policy is set to reject) for mails which are sent by several third-party partners on behalf of your domain. A lot of information is available about implementing SPF and DKIM on the internet and there are really good reads on what the above technologies do. Therefore, I won’t talk much about implementing SPF and DKIM; instead would focus on implementing DMARC “reject” policy.
What is DMARC
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
IMP: For DMARC to work, both the sender and the recipient domains should have the DMARC capability enabled. It would be worthwhile to elaborate this with an example.
- Imagine we a domain named test.com with DMARC record and the policy is set to “reject”. We have two recipient domains (a.com and b.com) and a spoofer is sending fraudulent mails to them.
- com is DMARC enabled and has SPF, DKIM and DMARC check enabled for inbound mails
- com does not have DMARC capability i.e. it does not have SPF, DKIM and a DMARC record
Let’s see how the mail is treated at both the recipient domains:
a.com – when the mail reaches the gateway of a.com, it checks for SPF, DKIM and DMARC. If the mail has a pass result either with DKIM or SPF, it will further do a validation as per DMARC for alignment. The validation will happen based on the information in the mail header. If it fails DMARC alignment, the mail will be rejected as per the policy set on test.com.
b.com - when the mail reaches the gateway of b.com, fraudulent mail will be delivered without performing any validation since it does not have DMARC capability.
Therefore, for DMARC to work, both sender and recipient domains should have this capability.
DMARC record and policy
Example of a DMARC record for outlook.com:
When you’re using DMARC, you can set a policy to define how you want the receivers to handle emails which fail the DMARC checks.
v: This is the version tag that identifies the record retrieved as a DMARC record. It's value must be DMARC1 and be listed first in the DMARC record.
p: This is the tag that indicates the requested policy you wish mailbox providers to apply when your email fails DMARC authentication and alignment checks. The policy is applied to a primary domain (example.com) and all of its subdomains (m.example.com, b.example.com, etc), unless the sp tag is used (see below) with a different policy value. Learn more about the different policy values here. The different policy values are:
You can choose one of these 3 DMARC policies: In the above example the policy is set to ‘p=none’
- none: Just monitor the results and do not take specific action for failing messages. Use this policy to start gathering DMARC reports and analyzing the data in these reports.
- quarantine: Put the messages which fail the DMARC checks in quarantine. This mostly means that receivers will place these messages in the junk folder.
- reject: Reject all messages which fail the DMARC checks. The receivers should do this ‘on SMTP level’ which means the messages will bounce directly in the sending process.
sp: This tag is used to indicate a requested policy for all subdomains where mail is failing the DMARC authentication and alignment checks. It is most effective when a domain owner wants to specify different policies for the primary domain and all subdomains. The policy options are the same as the "p" tag listed above. If this tag is not used for subdomains, the policy set using the p tag will apply to the primary domain and all of its subdomains.
pct: The percentage of messages to which the DMARC policy is to be applied. This tag provides a way to gradually implement and test the impact of the policy.Values are integers ranging from 1 - 100. The default value is 100.
rua=mailto:firstname.lastname@example.org: This is a tag that lets mailbox providers know where you want aggregate reports to be sent. Aggregate reports provide visibility into the health of your email program by helping to identify potential authentication issues or malicious activity. These reports contain higher level information and are sent by participating mailbox providers daily.
ruf=mailto:email@example.com: This tag that lets mailbox providers know where you want your forensic (message-level) reports to be sent. Forensic reports are more detailed and are intended to be delivered by mailbox providers almost immediately after detecting a DMARC authentication failure. However, due to potential privacy and performance concerns, most mailbox providers do not send them.
fo: This is a tag that lets mailbox providers know you want message samples of emails that failed either SPF and/or DKIM. There are four value options available:
0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned “pass” result. (default)
1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned “pass” result. (recommended)
d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
adkim: Indicates strict or relaxed DKIM identifier alignment. The default is relaxed.
aspf: Indicates strict or relaxed SPF identifier alignment. The default is relaxed.
rf: Format for message failure reports. The default is Authentication Failure Reporting Format, or “afrf.” Afrf is the only value supported at this time.
ri: The number of seconds elapsed between sending aggregate reports to the sender. The default value is 86400 seconds which is equivalent to one day. Participating mailbox providers that are able to accommodate sending more than one aggregate report per day will provide more frequent reports on a best-effort basis
DMARC Identifier Alignment
To understand how DMARC makes use of SPF and DKIM, let's take a look at DMARC Identifier alignment.
DMARC uses the results of SPF and DKIM for alignment. Because anyone can buy a domain and put SPF and DKIM into place (including criminals), the results of processing SPF and DKIM have to be related to the domain found in the From:header to be relevant to DMARC. This concept is referred to as “Identifier Alignment”. Getting identifiers to align ends up being a large part of the work of deploying DMARC. If a criminal is trying to spoof bank.com and sets up a domain criminal.net to get SPF and DKIM in place, just because SPF and DKIM both pass doesn’t mean the authentication has anything to do with bank.com.
To tie it all together, for a piece of email to be considered DMARC compliant, the domain found in an email’s From:header must match either the SPF-validated domain or the originating domain found in a valid DKIM signature. If the domains match, receivers can safely confirm that the email did come from the domain from which it appears to originate. The below diagrammatic flow shows how DMARC uses DKIM and SPF to secure the domain iciber.nl from being spoofed by un-authorized partners/spoofers.
DMARC alignment with DKIM
In the above diagrammatic flow, the left side shows how DMARC uses DKIM i.e. how DMARC treats a mail compliant or fraudulent based on the results of DKIM and if it passes DKIM, it will further validate the alignment. When an email is sent by a partner on behalf of a domain that has a DMARC policy enabled, the receiving mail server that has DMARC capability does the following:
- Extracts DKIM signature from mail headers.
- Checks if DKIM pass. If DKIM result is “pass”, only then it will further validate DMARC alignment. If the DKIM result is “fail” or is other than “pass”, DMARC alignment with DKIM will fail for that mail.
- If the DKIM result is “pass”, DMARC further performs an alignment using the selector domain (d=com) and matches with the from domain (from:mydomain.com) in the mail header. Since both match, DMARC result is pass for this mail as it is aligned with DKIM.
- If DMARC alignment with DKIM fail, it will check for alignment with SPF. SPF alignment is explained next.
Note: It doesn’t matter if DKIM does not pass if DMARC alignment is achieved with SPF.
DMARC alignment with SPF
When an email is sent by a partner on behalf of a domain that has a DMARC policy enabled, the receiving mail server that has DMARC capability does the following:
- Extract SPF information from mail headers.
- Checks if SPF pass. If SPF result is “pass”, only then it will further validate DMARC alignment. If the SPF result is “fail” or is other than “pass”, DMARC alignment with SPF will fail for that mail.
- If SPF result is “pass”, DMARC further performs an alignment using return-path domain (mailfrom:test.user@com) and matches with the from domain (from:mydomain.com) in the mail header. Since both match, DMARC result is pass for this mail as it is aligned with SPF.
- If DMARC alignment with SPF fail, it will check for alignment with DKIM. DKIM alignment process explained above.
Note: It doesn’t matter if SPF does not pass, DMARC alignment is achieved with DKIM.
I think that is enough of theory. Now let’s look at what needs to be done i.e. “how and where” to achieve DMARC alignment.
Let’s learn this through our fictious story:
Imagine we have a domain named mydomain.com.
- There are two partners that manage different campaigns for mydomain.com and are named mypartner1.com and mypartner2.com.
- All partners have their respective MTA from where they send outbound mails on behalf of mydomain.com. Reply to all mails point to the MX of mydomain.com.
- DMARC record is created in the public DNS zone of mydomain.com with the policy p=none (currently set to reporting only).
- com has an SPF record but does not have the technical capability for DKIM but has DMARC capability.
- com has an SPF and DKIM record published in its DNS zone.
- Our goal is to set the DMARC policy for mydomain.com from p=none to p=reject. Unless we are sure that emails from all partners of mydomain.com comply with DMARC, it could be a criminal thing to change the policy to “reject”. Reason – if the policy is changed to “reject” and the partner mails are not DMARC aligned, all these mails will be rejected by all recipient domains on the internet who have DMARC capability enabled for inbound mails on their gateway.
The “what and where” to achieve DMARC alignment before setting the policy to “reject”
Step 1 - Analysis
Analyze the last 30/90 days data of mydomain.com as per DMARC report (you will need a paid subscription with one of the DMARC reporting providers like dmarcian, dmarc-analyser, agari etc. to identify and analyze mails from authorized partners that are failing DMARC.
Below is a sample report from Dmarcian which shows the mails failing DMARC alignment with DKIM and SPF. In the column Q and N you will find the DKIM and SPF domains which are failing DMARC.
Sample dashboard from Dmarcian
Identify the list of domains failing DMARC alignment with the domain owner to verify if there are any authorized partner domains appearing in the list. If you are a small organization, you can take a decision immediately. We identify the authorized partner domains are mypartner1.com and mypartner2.com that is faling DMARC alignment.
Step 2 – Create DNS records for DMARC alignment
For DMARC alignment to work it requires either SPF or DKIM to align (which obviously need to pass first).
Considerations to keep in mind while setting up DMARC alignment for the partner/third party depending on the situation.
Partner mypartner1.com – Since mypartner1.com only has the SPF capability, lets see how we can achieve DMARC alignment with SPF.
For DMARC to align with SPF we need the following:
- Create a child domain under com with MX pointing to the MTA of mypartner1.com
- Create SPF record for the child domain with the IPs which are allowed to send mails for mydomain.com
Therefore, the below DNS records should be created:
Partner mypartner2.com – Since mypartner2.com has the capability of both DKIM, we have more than one option to achieve DMARC alignment for mails sent from MTA of mypartner2.com on behalf of mydomain.com
For DMARC to align with SPF we need the following:
- Create a child domain under com with MX pointing to the MTA of mypartner2.com
- Create SPF record for the child domain with the IPs which are allowed to send mails for mypartner2.mydomain.com
Therefore, the below DNS records should be created:
If a child domain cannot be created, DMARC alignment can still be achieved with DKIM
For DMARC to align with DKIM we need the following:
Create a CNAME record in the DNS zone of mydomain.com pointing to the DKIM record of mypartner2.com which holds the public key to the DKIM signed mail.
The DKIM record details should be shared by mypartner2.com to mycompany.com for the CNAME record creation.
Part C – Testing
After the appropriate DNS records are created (SPF/DKIM) we need to perform testing by sending e-mails from the partner domains on behalf of mydomain.com and check the email headers to confirm the mail is DMARC aligned.
In the below header, we see both DKIM and SPF have a pass result. The next check was the DMARC alignment which matches the domains names from the mail body which is “mydomain.com” and tallies it with the value under “d” from DKIM signature and the domain in the return path of the mail envelope.
Since both match, the DMARC alignment for the mypartner2.com is pass with both SPF and DKIM.
Note: mail from mypartner1.com will have a pass result for SPF and fail result for DKIM. However, the DMARC alignment would pass in this case since it aligns with SPF. You need DMARC alignment either with SPF or DKIM.
Sample mail header showing DMARC alignment with SPF and DKIM:
Part D – The final step i.e. set the DMARC policy for mydomain.com from p=none to p=reject.
Important read - How DMARC works if we have subdomains
By default, the DMARC policy that is set for an organizational domain will apply to any subdomains, unless a DMARC record has been published for a specific subdomain. But domain owners may set separate policies for all subdomains with the “sp” tag (for subdomain policy). It uses the exact same syntax as the p tag. sp=none tells mail receivers that, whatever policy has been specified for the organizational domain, they should use a policy of “none” for subdomains.
sp=quarantine - tells recipient domains to quarantine failing messages from subdomains, and sp=reject - tells recipient domains to reject them.
For more information on SP tag on DMARC refer to the below link