be Smart.
be Secure.
Phone: 800-441-6612

Stopping Forged Email 3: DMARC to the Rescue

We have recently looked at how hackers and spammers can send forged email and then seen how these forged messages can be almost identical to legitimate messages from the purported senders.  In fact, we learned that generally all you can trust in an inbound email message is the internet IP address of the server talking to your inbound email server — as this cannot realistically be forged in any way that would still enable you to receive the message.

In our previous two posts in this series, we examined how SPF and DKIM can be used to help limit forged email messages based on validating if a message was sent by an approved server by looking at the IP address delivering the email message to you and based on digitally signing messages.  We found that while SPF and DKIM can work, they has many significant limitations that cause them to fall or be insufficient to stop forgeries in many cases.

However, SPF and DKIM address the forgery problem in very different and, in many respects, very complementary ways. For this reason, many organizations use both technologies.

If you are using both technologies and you have a good amount of control over where your domain’s messages are coming from, then you can step up your game by using DMARC — Domain-based Message Authentication, Reporting and Conformance. 

DMARC: A Simple Explanation

When using SPF and DKIM, email filters see if messages pass or fail SPF and DKIM and use the DNS-published “strictness” settings to help them determine “what do do next”.  The result of failing SPF and/or DKIM is thus a function of how a particular filter is implemented … and leads to varied and inconsistent results.

So, what doe DMARC do?  To quote

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

(Note that in the following discussion we omit some of the finer, nuanced options and configuration possibilities available with DMARC for the sake of clarity.)

In practical terms, with a DMARC policy published in DNS:

  1. The message mu`st pass either SPF or DKIM but does not need to pass both.
  2. This resolves the deficiencies of SPF (forwarding) and DKIM (inadvertent message modification) by allowing compensation via the other mechanism
  3. Sender policies can specify exactly what to do with messages that do not pass SPF and DKIM: do nothing, quarantine them, or reject them.  There is no longer any implementation-specific ambiguity on what filters should do, when.

Setting up DMARC

With DMARC (as with all anti-fraud solutions for email), it is up to the owner of a domain (e.g. the owner of to setup the DNS settings required for DMARC to be used by the recipients.   If they do not do this, then there is no way to use DMARC.

DMARC is set up by adding special entries to the published DNS settings for the domain.  You can use a tool, such as this DMARC Record Assistant, to create create the DMARC DNS record for your domain.

We are not going to spend time on the details of the configuration or setup here; instead we will look at the actual utility of DMARC and where its use can actually make it easier for attackers to forge email.

DMARC – The Good Parts

Once DMARC has been set up, it really does help reduce generic fraudulent email from a domain.  E.g. simple forged spam and basic phishing attacks are curtailed more effectively than via use of SPF and DKIM alone, though the DKIM “glue” that combines them into a more comprehensive check with a consistent, well-defined failure state (e.g. reject or quarantine).

DMARC shines when used by domain owners that would normally put up weak SPF and DKIM records (e.g. ones that say that SOF and DKIM “don’t have to pass”).  DMARC allows them to allow that one of these validation schemes may fail while still requiring that the other one passes for the message to be considered legitimate.  This is great progress.

Use of DMARC is recommended for every domain owner  and for every email filtering system, where you have control over all of the sources of messages “from your domain name”.

An interesting side effect, however, is that DMARC use can make a domain more susceptible for determined forged email!

DMARC – Its Limitations

This is a surprise, if you think about it.  Combining DKIM and SPF into a unified, complementary policy set that allows each to compensate for the other’s weakness is an amazing idea and does a great job in general.  However, a side effect of this technique, in terms of its susceptibility to determined fraud, is that it requires on only ONE of DKIM or SPF pass .. NOT BOTH.  In fact, there is no way to use DMARC to require that BOTH must pass.

Wait … what is the problem?

Since DMARC is happy if either SPF or DKIM passes, then an attacker needs to find a way to generate an email that passes only one, and not both validation checks.  Note that this is only worse than separate use of SPF and DKIM if your SPF and DKIM rules are both “strict” (if it doesn’t pass — “drop it”); in most other cases its the same or better than using both technologies separately.

Looking at our previous analyses of SPF and DKIM, an attacker could generate a “Good Looking” forged email that passes DMARC if:

  1. They can send from a server IP that is allowed under the forged sender domain’s SPF policy.  This can be done by using the same email provider (or approved vendor) as the sender.
  2. They can send you a message from one of the servers authorized by the DKIM for the domain and if that server does not care who initiated the message … but will sign any messages going through it with the proper DKIM keys, then the message will look legitimate.  E.g. If the attacker signs up with the same email provider as that used by the forged domain and that provider’s servers do not restrict DKIM key usage, then s/he can send an email from those same servers are the legitimate account and have his/her messages properly signed.
  3. The attacker can compromise any of the sender’s workstations, email servers, or vendor’s email servers.

So — it requires a determined attacker with some knowledge of the sender’s infrastructure and some ingenuity to get past DMARC.

Oh wait — there is another way they can easily get past DMARC:

  1. Even if the sender’s domain has DMARC, SPF, and DKIM DNS records, if the recipient’s SPAM filters do not pay attention to DMARC (or the others), then these settings will be “all for nought” … and the forged message will still appear legitimate.

So — a determined attacker will gain knowledge both of the anti-fraud settings of the sender domain and of the capabilities of the recipient’s systems.  The weaker the filters … the easier the attacker’s job can be.

Ok – So What Else Can We Do?

Various standard technologies take better and better stabs at email fraud protection, but none of them are fool proof: SPF and DKIM are implemented inconsistently, and DMARC is not well supported across email filters at this point.  DMARC records are also not published for a majority of domains.  And many that do publish them, e.g. Bank of America at the time of this writing, have “no nothing” records that are designed to just test the waters and gain telemetry on what messages sent by them are would fail DMARC.

Beyond using these technologies, to the extent that they are available to you, and being vigilant … which is what most people do … there are some final techniques that can be used to further the lock down identities of message senders.

In our next, and last, article in this series, we shall see what some of these are.

Read next: Stopping Forged Email 4: Your Last Resorts

Leave a Comment

You must be logged in to post a comment.

• Access Anywhere
• Fast and Robust
• Super Secure
• Tons of Features
• Customizable
• Mobile Friendly

Send and receive email from your favorite programs, including:

 Microsoft Outlook
 Mozilla Thunderbird
 Apple Mail
 Windows Mail

... Virtually any program that supports POP, IMAP, or SMTP

Keep your email, contacts, and calendars in sync:

 Apple iPhone and iPad
 Android Devices
 Windows Phone

... Any device with Exchange ActiveSync (EAS) support

Relay your server's mail through LuxSci via smarthost:

• Resolve issues with ISP sending limits and restrictions
• Improve deliverability with better IP reputation and IP masking
• Take advantage of Email Archival and HIPAA Compliance
• Even setup smarthosting from Google Apps!

Free web site hosting with any email account:

• Start with up to 10 web sites and MySQL databases
• DNS services for one domain included
• Tons of features and fully HIPAA capable

LuxSci's focus on security and privacy:

• Read The Case for Email Security
• Read Mitigating Security & Privacy Threats
• Review our Privacy Policy

The most accurate, flexible, and trusted filters in the business:

• Premium protection with Intel Security Saas
• Realtime virus database guards against the latest threats
• Seven-day quarantine lets you put eyes on every filtered email
• Supplement with our Basic Spam Filter for even more features

End-to-end secure email encryption — to anyone, from anyone:

• No setup required — encryption is automatic and easy to use
• Secure outbound email with TLS, PGP, S/MIME, or Escrow
• Free inbound encryption via our SecureSend portal
• Independent of your recipient's level of email security
• Widely compatible and fully HIPAA Compliant

Add an extra layer of security with an SSL Certificate:

• Secure your web site
• Debrand LuxSci WebMail with your own secure domain
• Access secure email services via your own secure domain

Encrypt your service traffic via secure tunnel:

• Add another layer of security to your SSL connections
• WebMail, POP, IMAP, SMTP, web/database access
• SecureForm posts, SecureLine Escrow, SecureSend access
• Restrict your account to VPN access only

Secure long-term message archival:

• Immutable, tamperproof email retention with audit trails
• No system requirements — minimal setup, even less upkeep
• Realtime archival of all inbound and outbound messages
• Works anywhere — even with non-LuxSci email hosting

Free data backups included with all email hosting accounts:

• Automatic backups of all email, WebAides, web/database data
• Seven daily backups and up to four weekly backups
• Unlimited restores included at no additional cost
• Custom backup schedules for dedicated servers

Automate your email management:

• Save messages to specific folders or to LuxSci WebAides
• Advanced text scanning with regular expressions
• Tag messages, alter subject lines, or add custom headers
• Filter by message charset, type, TLS status, DKIM status
• Chain filters together for even more complex actions

• Bulk add and edit users, aliases and more
• Control sharing and access globally or on a granular level
• Delegate user roles through permissions
• Configure account-wide taglines, sending restrictions, and more
• Remotely administer account via SOAP API

Share, collaborate, organize, synchronize:

• Calendars, Contacts, Documents, Notes, Widgets, Workspaces
• Fine-grained access control and security
• Access anywhere via secure web portal or smartphone
• Save over solutions like Microsoft Exchange

Free folder sharing for all email hosting accounts:

• Share mail folders with other users in your account
• Subscribe to only the folders you want to see
• Set read-only or read-write access control
• View all personal and shared folders via unified web interface

Color code and label your email messages:

• Define and assign multiple IMAP keywords to each message
• Filter, search, and sort by tags
• Compatible and synchronizes with any IMAP email client
• Also usable with WebAide entries