OVERVIEW OF DMARC
Email these days are one of the most used forms of exchanging messages. But, how do you know that the email you received in your mailbox is from an authentic source? Suppose you get an email from your bank, asking for information related to your bank account. How can you be sure that the email came from a credible source? Email attacks are common these days.
Two majorly used email attacks are: –
1.Email Phishing: When an attacker tries to create an email address, that looks like the real email address, to send a message or malicious links, it is said to be an email phishing. The email is not fully identical, there is a change in a word or two. This change many times, goes unnoticed and lets the victim fall prey to the attacker.
E.g.
2.Email Spoofing: When an attacker creates an identical email address of a real email address, it is known as email spoofing. Both email IDs will be identical, without any change.
E.g.
To mitigate email risks, DMARC (Domain Message Authentication Reporting and Conformance) comes into the picture.
What is DMARC?
DMARC (Domain Message Authentication Reporting and Conformance) is a protocol used for email authentication. It is used to reduce attacks like business email compromise attacks, email spam, email spoofing, and phishing.
The DNS (Domain Name Server) holds DMARC entries. These DMARC entries are checked by the company’s exchange server policies. The policies are deployed by the company, based on which the email is authenticated on receivers’ end. Once, the email is authenticated, it is valid, or else the email is monitored, rejected, or quarantined based on the configured policy.
How does DMARC record work?
DMARC protocol makes it easier for email domain owners to check whether the email is from the legitimate source or not.
To determine if the received email is legitimate, DMARC uses two authentication mechanism. They are: –
1.SPF (Sender Policy Framework): Every email has an allotted domain name which is bound with a pool of IP (Internet Protocol) address. The sender policy framework is a technique that is used to detect if the email is sent from the valid allotted address or not. If the IP address of the sender matches with that in the domain list, SPF approves and authenticates the email.
2.DKIM (Domain Keys Identified Mail): This is a signature-based email domain authentication method. When we receive an email, a specific signature is sent along with the email, that is created by the content of the email, signature ID, and salting. It is a unique signature that cannot be forged and changes with every email. The sender encrypts it with its private key and then with the DNS’ public key. When the email reaches the recipient, it is decrypted by the DNS’ private key and then by the sender’s public key. If the email is decrypted, it is authenticated.
There are two types of authentication techniques in DMARC. These authentication techniques can be used separately or together based on the configuration policy.
The policy framework for DMARC is as follows.
- When STRICT POLICY is implemented, it authenticates the email only when, both the conditions are true. Else, the email is Quarantined or Rejected.
- When we use MODERATE POLICY, it authenticates the email only when, both the conditions are true, or at least one necessary condition is true. Else, the email is Quarantined or Rejected.
- When we use RELAX POLICY, it authenticates the email and there’s not much of a security. It just monitors emails.
Is a DMARC record necessary?
Yes, it is especially important to have a DMARC record. The DMARC record plays a particularly significant role in the validation of an email. It helps the sender and receiver side to match the records on both the ends, which leads to the authentication of the emails. If the DMARC record is not available, then it will not be possible to match the signatures and policy framework on both the ends, making DMARC of no use. Because DMARC records and DNS records go together with each other.
These are the basics of the DMARC, we will be covering these things in detail in our future threads.
