How to repair DMARC

[harlan4096]

The DMARC mechanism has its drawbacks, but we have developed a technology to fix them.

Over e-mail’s history, people have come up with a lot of technologies designed to protect recipients from fraudulent (mainly phishing) e-mails. DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) had significant drawbacks, so the Domain-based Message Authentication Reporting and Conformance (DMARC) mail authentication mechanism was designed to identify messages with a fake sender domain. But DMARC also turned out to be far from an ideal solution. Therefore, our researchers have developed an additional technology to eliminate the disadvantages of this approach.

How DMARC works

A company seeking to prevent others from sending e-mails using the names of its employees can configure DMARC in its DNS resource record. In essence, that allows message recipients to make sure the domain name in the “From:” header is the same as in DKIM and SPF. In addition, the record indicates the address to which mail servers send reports concerning received messages that did not pass verification (for example, if an error occurred or an attempt to fraudulently impersonate a sender was detected).

In the same resource record, you can also configure DMARC policy to specify what happens to the message if it fails to pass the check. Three types of DMARC policies cover such cases:

• Reject is the strictest policy. Choose it to block all e-mails that do not pass the DMARC check.
  
• With the Quarantine policy, depending on the mail provider’s exact settings, the message will either end up in the spam folder or be delivered but marked suspicious.
  
• None is the mode that lets the message reach the recipient’s mailbox normally, although a report is still sent to the sender.
  

Disadvantages of DMARC

By and large, DMARC is capable. The technology does make phishing much more difficult. But in solving one problem, this mechanism causes another: false positives. Legitimate messages may be blocked or marked as spam in two types of cases:

• Forwarded messages. Some mail systems break the SPF and DKIM signatures in forwarded messages, whether messages are forwarded from various mailboxes or they are redirected between intermediate mail nodes (relays).
  
• Incorrect settings. It is not uncommon for mail server administrators to make mistakes when configuring DKIM and SPF.
  

When it comes to business e-mail, it’s difficult to say which scenario is worse: letting through a phishing e-mail or blocking a legitimate message.
...

Continue Reading