DMARC Fills the Holes Left by SPF and DKIM
SPF, as well as DKIM, are essential standards for the authentication of emails. Even after the email sender has implemented SPF and DKIM, however, three crucial elements of the email authentication are not in place. That’s why the evolution of DMARC.
#1: Which Matters More: SPF or DKIM?
There isn’t a method for the recipient system to figure out the amount of trust they should place on SPF or DKIM findings of any particular email.
Should they discard anything that doesn’t meet both requirements? Do they need to scrutinize emails more closely if it doesn’t meet at the very least one? Or is the sender in a testing phase that it’s just a test phase, and SPF or DKIM results don’t matter to them at this point?
There are hundreds or thousands of servers that send emails to large corporations and organizations, the process of deploying SPF and DKIM isn’t an easy one-time switch. It’s not uncommon to receive genuine emails but fail to meet the requirements of SPF and DKIM. So email senders require ways to communicate to recipients of emails, “We’ve deployed SPF and DKIM, and we are telling you what you should do with email from us that fails these tests.”
This way, email-receiving systems don’t find themselves having to speculate regarding the legitimacy of the email and run the risk of the ire of users and legal liability if they do wrong and stop legitimate mail from being delivered.
#2: How Do You Alert the Sender?
In addition, SPF and DKIM provide the email recipients with no opportunity to provide feedback to the emailers.
Suppose an email message is blocked because of SPF or DKIM results. In that case, the recipients must be able to let the sender know the reason for blocking to avoid the “black hole” effect, in which emails aren’t being delivered to specific recipients.
Additionally, the feedback mechanism needs to be automated since estimates suggest that the daily volume of email globally is now in the region of 300 million messages. Working manually to handle delivery issues for even a tiny portion of that amount is not feasible at best.
#3: How Would Recipients Ever Know the Difference?
Three, SPF and DKIM authenticate email with information hidden in the headers of messages and is not readily visible to the average user.
Most end-users will notice the From header email address on their email or webmail client such as Microsoft Outlook. In the absence of DMARC, someone can send you a message that is not SPF if they authenticate a fake domain’s address in the message headers and still use your bank’s email address in the header. From that, you will see. In this situation, you’ll get an authenticated spoof, which is a frightening possibility.
Enter: DMARC
Domain-based Message Authentication, Reporting and Conformance, commonly referred to as DMARC, is an established mail authentication method that includes three essential elements of feedback, policies and identity alignment to the existing SPF and the DKIM framework.
The first is that DMARC lets email providers issue policies that tell recipients to rely upon DKIM and SPF for a particular domain and what to do if messages fail these tests. The most aggressive policy for enforcement will be rejected (p=reject), which means that email messages that fail to pass DMARC authentication are rejected by the mail server and will not be sent to the intended recipient.
The p=reject rule can be the only way of ensuring that fraudsters cannot hijack your domains and use them in emails targeting your partners, customers, investors, and even the general public in general. The weaker policies won’t block the use of spoofed emails in any way.
The second reason is that DMARC lets senders instruct receivers on where they can send feedback about their messages to determine what information is being sent and its reasons. Finally, DMARC adds the requirement that the From email address that recipients see matches with the domains of email that SPF and DKIM authenticate.
By adding these hyperlinks, DMARC makes it possible for email recipients to take firm decisions on what emails to refuse and which to forward with confidence that they’re carrying the guidelines established by the authorized sender of these emails.
For instance, If an email receiver refuses to receive emails from Chase.com that does not pass DKIM, the reason is due to Chase’s DMARC policy states, “Reject email that fails authentication, and let us know that it was rejected.”
Starting with DMARC
Over 2.5 million mailboxes have been DMARC secured across the globe, including Google, Yahoo, Microsoft, and a variety of other significant providers of mailboxes. If you don’t implement DMARC could be costly.
However, beware: while the implementation of DMARC on just one domain is easy, the process of making it available across an enterprise’s entire domains–which could be a multitude of domains highly complicated and rapid.
Original source: https://medium.com/@rawatnimisha/dmarc-fills-the-holes-left-by-spf-and-dkim-7a9aadaa4bcc