Dorian Oliver Collier

The DMARC Protocol - What The Hell Is It? (Phishing Part 2)


In response to a question DM'd to me by a connection from #SierraLeone, these are the basics of DMARC.

So a couple of pointers should suffice. It's gonna be a little bit technical though.

So, let’s get the ball rolling on what DMARC is!




DMARC is the Domain-based Message Authentication, Reporting and Conformance Protocol.

It is designed to stop the unauthorised usage of a business or personal e-mail address/domain to commit fraud or otherwise impersonate you.

This expands on the last article on WhatsApp Phishing that Comfortably Dumb recently published, and helps secure the remaining trust between sender and recipient when it comes to electronic messaging of all kinds.

Phishing in general has eroded the trust between the sender and the recipient of an electronic message, and makes it that much harder for legitimate marketing material and business communication to flow freely (and securely).

In short, DMARC helps the email receiver determine whether an email aligns with the known properties of the sender and prevents an attack known as email spoofing.

 

How Does It Work?


Step 1: Spam or phishing email comes in.


Let's say your name is Bob and you run a pizza place. You've set up a website with your name on it, and registered the domain www.bobspizzajoint.com so people can check out reviews and the menu etc. You also set up a mailbox at bob@bobspizzajoint.com so you can take bookings and answer questions from press and customers. Sorted!


All of this information, as well as other technical information is held in the DNS records for that domain. The IP address of the hosting service you're using, aliases, administrator information - all sorts.

What you can also set is the DMARC DNS entry. What this does is essentially publish a set of instructions for incoming emails and messages: checks that each message is run against before being sent on to its final destination. If the message passes the DMARC checks as laid down in the original DNS entry by the domain owner, then the message is good to go - and it gets sent.

If it doesn't...


Step 2: Email does not pass DMARC authentication.


DMARC extends two email-checking mechanisms that are already established - Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) - those two Wikipedia articles amply explain how they both work.

It doesn't establish whether the message is spam or not, but performs the SPF/DKIM checks against the message to establish authentication. It can also check for alignment, too.

What is Alignment?

Alignment is checking whether the IP address and other information from the sending server/endpoint is "aligned" with other registered domains and information available from the location the sender is purporting to be from. Alignment is "checking out your alibi" before letting the message drop or be sent on/quarantined.


Step 3: Email gets sent to DMARC’s control and visibility stage.


You would normally have a DMARC reporting tool, or DMARC reporting functionality built into your mail management software solution, and messages that fail DMARC authentication will normally find their way into this stage.

You can administrate the messages kept back, and see for yourself whether you recognise the sender and make decisions based on that information.


Step 4: Email gets either rejected or quarantined depending on the domain owner’s policy.


After completing the SPF, DKIM and alignment checks, a message that has failed DMARC authentication will be dropped, rejected or quarantined. This stops attackers from leveraging the credibility you've built up to extract information from unwitting customers - a growing tactic in phishing.


 


🖐4 easy steps to start with DMARC:


🏅Identify all the domains of your organisation!

🏅Add all identified domains on your domains dashboard!

🏅Publish the generated DMARC record into your DNS!

🏅Analyze your DMARC data!


It’s not 100% foolproof so still #thinkbeforeyouclick
