I have been “in charge” of DMARC at my job for several years now, and this is a bit of a rant about the delusions people have about DMARC.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a standard for (and around) email systems to counter one specific kind of email fraud: mail that claims, in the From: header the user sees, to come from a domain that did not send it. Taking the name apart, it does this by:

  • authenticating senders based on the domain they are (claiming to be) sending from: the From: domain must be backed by a passing SPF or DKIM check whose domain aligns with it. Both SPF and DKIM are described below.
  • reporting back to the domain owner, either as aggregate reports (XML counts per sending IP) or as per-message failure reports about individual non-compliant emails, both sent to addresses the domain owner publishes in DNS.
  • thus sorting email purportedly from that domain into "conforming" and "non-conforming" heaps, and telling receivers what to do with the latter (the conformance part).

SPF

SPF stands for Sender Policy Framework. It is a method for domain owners to tell "the world", in a DNS TXT record, which IP addresses are allowed to send email using their domain as the envelope sender (the MAIL FROM address, also seen as Return-Path). The receiving server looks up the record for the envelope-sender domain and checks whether the connecting IP is listed.

Sadly this breaks hard when your email is sent to a mailing list or forwarded, because the last hop then comes from a server that is not in your SPF record. A plain forwarder keeps your envelope sender and therefore fails SPF outright; a mailing list usually rewrites the envelope sender to its own domain, so SPF passes for the list's domain but no longer says anything about yours.
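To make that concrete, here is an added example (my own illustration, not code from the original post or from any SPF library): a simplified SPF evaluator in Python that understands the ip4, ip6, include and all terms, run against a constructed zone for the hypothetical domains example.com and _spf.mailer.example. The forwarding failure falls out directly: the same envelope sender passes from a listed IP and fails from a forwarder's IP.

```python
import ipaddress

# Constructed zone data for this example; neither the domains nor the
# addresses are real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain from the constructed zone, or None."""
    record = DNS_TXT.get(domain.lower().rstrip("."))
    return record if record and record.lower().startswith("v=spf1") else None


def check_spf(domain, ip, depth=0):
    """Simplified SPF check (RFC 7208 subset): ip4, ip6, include and all.

    domain is the envelope-sender (MAIL FROM) domain, ip the connecting
    client. Returns pass, fail, softfail, neutral, none or permerror.
    a, mx, ptr, exists and redirect are not implemented in this example.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"      # including a missing/broken record is an error
        else:
            return "permerror"          # mechanism not supported by this evaluator
    return "neutral"                    # nothing matched and there was no "all" term


def forwarding_demo():
    """Same envelope sender, two hops: direct delivery passes, a forwarder's IP fails."""
    direct = check_spf("example.com", "192.0.2.5")       # inside ip4:192.0.2.0/24
    forwarded = check_spf("example.com", "203.0.113.7")  # forwarder, not listed
    return direct, forwarded


if __name__ == "__main__":
    print(forwarding_demo())
```

The `-all` at the end is what turns "not listed" into a hard fail; with `~all` the forwarded case would be a softfail, which is why many receivers treat SPF alone as a weak signal and why DMARC leans on DKIM for forwarded mail.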

DKIM

DKIM stands for DomainKeys Identified Mail. It is used to get around the forwarding problem described above, and to ensure an email was actually sent by the signing domain and has not been tampered with on the way. The domain owner publishes the public half of a key pair in DNS (under a selector, e.g. selector._domainkey.example.com) and the outgoing mail server signs each email with the private key; the signature covers the body and a chosen set of headers, of which From: is mandatory. The recipient can then determine whether the email is "correct" (i.e. nobody changed the signed headers or body, and the signature really belongs to the domain named in its d= tag) by verifying the signature against the DNS-published public key. This survives plain forwarding, which leaves the message untouched, but not mailing lists that rewrite the subject or append a footer, because that changes the signed content.

DMARC (remember DMARC?) combines these two mechanisms, SPF and DKIM, with one extra rule: an email is compliant if either SPF or DKIM passes and the domain that passed aligns with the domain in the From: header (the one the user actually sees). Alignment is relaxed by default (same organisational domain) and can be set to strict (exact match). The domain owner publishes the policy in a TXT record at _dmarc.<domain>, and it is the receiving server, not the sender, that applies it. Now, what actions can be taken?

  • if the email is non-compliant, apply the published policy (none, quarantine or reject) and optionally report it to a chosen email address as a failure report carrying the offending message or its headers. Note that this happens on the receiving email server; the sender's outgoing email host is seldom involved in non-compliance cases, since the non-compliant mail did not come through it in the first place.
  • collect statistics per sending IP and report to the chosen address how many emails were compliant and how many (and from which sources) were not. This aggregate report is sent to the address the domain owner published, not to the recipient.

Misconceptions

There are several misconceptions though…

DMARC makes your email secure

No, it doesn't. It makes sure you know when somebody is impersonating your exact domain, and lets you ask receivers to quarantine or reject such mail, but there is no inherent security win just for publishing a DMARC record (meaning you need more than a DMARC record in your DNS: correct SPF and DKIM for everything that legitimately sends as you, and a policy stronger than "none"). It does nothing against lookalike domains, display-name spoofing, a compromised legitimate account, or the content of a message.

DMARC hinders spam

Not really. Whether spam that abuses a domain as its sender address is accepted or rejected by your incoming email server depends on the DMARC policy published by the owner of that domain, not on anything you control. If the domain owner has set their policy to "none", very little is done beyond reporting. If it is set to "quarantine", your incoming email server should, well, quarantine non-compliant emails (typically into a spam folder) rather than discard them, in case there are false positives. The only "good" policy is "reject": then the incoming mail server (if it checks DMARC compliance at all) refuses non-compliant emails at SMTP time, and that spoofed spam is stopped. But this depends on the sending domain's policy, and it only covers spam that forges a domain with such a policy; spam sent from a throwaway domain the spammer controls, with valid SPF and DKIM, passes DMARC just fine.
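The combination of SPF, DKIM, alignment and policy is easier to see in code, so here is an added example (my own illustration, not the original post's code): the receiver-side DMARC evaluation, with a small _dmarc record parser, relaxed and strict alignment, the p/sp policy choice, and the four situations discussed above (direct send, plain forwarding, mailing list, spoof). The organisational-domain shortcut and all domain names are assumptions of the example.

```python
# Constructed records and authentication results for this example; the
# domains are documentation names, not real ones.

def parse_dmarc(txt):
    """Parse a _dmarc TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.

    Assumption of this example: a real implementation must use the Public
    Suffix List (think co.uk), otherwise alignment is wrong for such TLDs.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, policy_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply DMARC the way the receiving server does.

    record        TXT value found at _dmarc.<policy_domain>
    from_domain   domain of the RFC5322.From header (what the user sees)
    spf_*         SPF result and the envelope-sender domain it was checked for
    dkim_*        DKIM result and the d= domain of the verified signature
    Returns (dmarc_result, disposition); disposition is the action the
    receiver should take: none, quarantine or reject.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A From: on a subdomain of the policy domain gets sp= instead of p=.
    # pct= sampling is parsed but deliberately not applied in this example.
    action = policy["p"] if from_domain.lower() == policy_domain.lower() else policy["sp"]
    return "fail", action


def scenarios():
    """The cases from the text: direct send, forwarding, mailing list, spoof."""
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    return {
        # Direct send: SPF and DKIM both pass for example.com.
        "direct": dmarc_disposition(rec, "example.com", "example.com",
                                    "pass", "example.com", "pass", "example.com"),
        # Plain forwarding: SPF fails (forwarder's IP) but the DKIM signature survives.
        "forwarded": dmarc_disposition(rec, "example.com", "example.com",
                                       "fail", "example.com", "pass", "example.com"),
        # Mailing list: envelope rewritten to the list's domain, footer broke DKIM.
        "mailing_list": dmarc_disposition(rec, "example.com", "example.com",
                                          "pass", "lists.example.net", "fail", None),
        # Spoof: the attacker's own SPF and DKIM pass, but for attacker.example.
        "spoof": dmarc_disposition(rec, "example.com", "example.com",
                                   "pass", "attacker.example", "pass", "attacker.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The mailing-list case is the uncomfortable one: legitimate mail fails DMARC and, under p=reject, is refused, which is why lists that cannot avoid modifying messages rewrite the From: header to their own domain, and why moving to "reject" needs the aggregate reports first to see who forwards your mail.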

The reporting address is just a normal email address, right?

No, it isn't. For starters, the reports are sent as XML attachments, gzipped (RFC 7489 says gzip; if you get zipped reports, the sending domain is still working from the earlier draft), and every receiving domain that checks DMARC sends you one, typically once a day, so the address should feed a parser rather than a human mailbox. What I have seen a lot of are bounced emails because the mailbox is full (d'oh, if you tell the whole world to send you automated email, maybe you should make sure you're ready to receive it), in addition to email addresses that simply don't exist (so why do you want people to send email there at all?).

Examples:

<noreply-dmarc@trustpilotmail.com>: host mx.sendgrid.net[167.89.123.50] said:
    454 4.7.1 <noreply-dmarc@trustpilotmail.com>: Relay access denied (in reply
    to RCPT TO command)
<reporterdmarc@yandex.ru>: host mx.yandex.ru[77.88.21.249] said: 550 5.7.1
    Policy rejection on the target address 1657101622-AfNQOwRpOC-0MdiwTp4 (in
    reply to RCPT TO command)
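Since the reports are meant for machines, here is what the receiving end of a reporting address actually has to handle, as an added example (my own code, not from the original post): a constructed aggregate report in the RFC 7489 XML layout, packaged as .xml.gz the way the RFC says and as .zip the way draft-era senders still do, then unpacked and summarised per sending IP. The reporter, IPs and counts are made up.

```python
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout. The
# reporter, IPs and counts are made up for this example.
SAMPLE_REPORT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>1657101622.1</report_id>
    <date_range><begin>1657065600</begin><end>1657151999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def gzip_attachment(xml_bytes):
    """Package the XML the way RFC 7489 reporters attach it (.xml.gz)."""
    return gzip.compress(xml_bytes)


def zip_attachment(xml_bytes):
    """Package the XML as .zip, as reporters following the older draft still do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.xml", xml_bytes)
    return buf.getvalue()


def unpack_report(blob):
    """Return the XML bytes from a gzip, zip or bare-XML attachment."""
    if blob[:2] == b"\x1f\x8b":                        # gzip magic
        return gzip.decompress(blob)
    if blob[:2] == b"PK":                              # zip magic
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            name = next(n for n in zf.namelist() if n.lower().endswith(".xml"))
            return zf.read(name)
    return blob


def parse_aggregate_report(blob):
    """Summarise one aggregate report: per-source rows plus pass/fail totals.

    Reports arrive from arbitrary third parties, so they are untrusted input:
    in production parse them with defusedxml instead of the stdlib parser and
    cap the decompressed size before inflating.
    """
    root = ET.fromstring(unpack_report(blob))
    meta = root.find("report_metadata")
    pub = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"),
            # DMARC passes when at least one aligned mechanism passed.
            "dmarc_pass": "pass" in (dkim, spf),
            # Raw authentication results, before alignment is considered.
            "auth": [(a.tag, a.findtext("domain"), a.findtext("result"))
                     for a in rec.find("auth_results")],
        })
    return {
        "reporter": meta.findtext("org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "total": sum(r["count"] for r in rows),
        "passed": sum(r["count"] for r in rows if r["dmarc_pass"]),
        "failed": sum(r["count"] for r in rows if not r["dmarc_pass"]),
        "records": rows,
    }
```

The second record is the one worth looking at in real reports: SPF "passed", but for attacker.example, so alignment with the example.com From: failed and the receiver rejected three messages. That distinction between raw auth_results and policy_evaluated is exactly what a full mailbox at the reporting address throws away.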