DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a specification developed to reduce the misuse of e-mail, such as occurs in mail spoofing. DMARC seeks to address some long-standing shortcomings of e-mail authentication and has been submitted to the IETF for standardization.
Overview
DMARC builds on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) by letting the owner of a sender domain define how recipient mail systems should authenticate its e-mails and how they should proceed when a check fails. While the two underlying techniques describe who is allowed to send mail for a domain (SPF) or ensure in certain respects that a mail arrives unchanged from the sender (DKIM), the DMARC specification additionally lets the sender recommend how the recipient should handle a mail that fails one or both of these checks. A recipient mail system that applies the DMARC specification thereby checks the authenticity of these e-mails in a consistent way.
The recipient mail system can take the DMARC policy for a sender domain from an entry in the Domain Name System (DNS).
The DMARC specification was created on the initiative of Google, Yahoo, Microsoft, Facebook, AOL, PayPal and LinkedIn, among others.
Structure of a DMARC guideline
DMARC, like SPF and DKIM, uses TXT records in the DNS. For a sender domain, a resource record is created on the subdomain _dmarc that contains the DMARC policy for that sender domain. The following is an example of how DMARC could be configured in the TXT record of _dmarc.example.org:
v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;ruf=mailto:forensik@example.org;adkim=s;aspf=r
| Abbreviation | Meaning |
|---|---|
| v | Protocol version |
| pct | Percentage of e-mails to which the policy is applied |
| ruf | Address the forensic report is sent to |
| rua | Address the aggregated report is sent to |
| p | Instructions on how to handle mails from the main domain |
| sp | Instructions on how to handle mails from subdomains |
| adkim | Alignment mode for DKIM |
| aspf | Alignment mode for SPF |
The alignment modes are particularly important. For SPF, the DMARC specification requires firstly that the SPF check passes and secondly that the From header of the mail carries the same domain as the one whose SPF record was checked. For DKIM it requires that the signature is valid and that the domain named in the signature is the same as in the From header of the mail. The alignment modes are s for 'strict' and r for 'relaxed': with 'strict' the domains must match exactly, with 'relaxed' the From header may also contain a subdomain. The sender receives a daily report on the evaluation at the address given in the record.

The policy (given as 'p', or 'sp' for subdomains) finally defines how the recipient mail system should handle a mail whose check fails. The intended modes are 'none', 'quarantine' and 'reject'. 'none' (also known as monitor mode) is usually used for testing and does not prescribe to the recipient mail system what to do with the mail. 'quarantine' requires that the mail be marked as spam, 'reject' requires that the mail be discarded.
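To make the record format and the alignment rules above concrete, the following Python is an added example (not code from the article or from any DMARC implementation). It parses a DMARC TXT record into its tags, checks SPF and DKIM alignment in strict or relaxed mode, selects p or sp depending on whether the From domain is a subdomain of the domain that published the record, and applies the pct sampling rule. Names such as parse_dmarc_record, AuthResults and dmarc_disposition are this example's own; the sample record is the one shown above, and the messages are constructed. The organizational-domain logic deliberately takes only the last two labels, which is a simplification: real verifiers consult the Public Suffix List.

```python
"""Added example: parse a DMARC record and evaluate alignment + policy.
Assumptions (not from the article): the helper names below are this example's own,
and organizational_domain() is a two-label simplification instead of the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed sample: the record the article shows for _dmarc.example.org
SAMPLE_RECORD = ("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;"
                 "ruf=mailto:forensik@example.org;adkim=s;aspf=r")

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment, 100 % is the default
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value;tag=value' into a dict, fill defaults and validate the tags
    the article describes. Raises ValueError on a malformed record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must carry v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim/aspf must be r or s")
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): last two labels. Real code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """strict (s): exact match; relaxed (r): same organizational domain, so a
    subdomain in the From header is accepted."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    from_domain: str    # domain of the From header (RFC5322.From)
    spf_result: str     # "pass", "fail", ...
    spf_domain: str     # domain whose SPF record was checked (envelope sender)
    dkim_result: str    # "pass", "fail", ...
    dkim_domain: str    # d= domain of the verified DKIM signature


def dmarc_disposition(record: Dict[str, str], results: AuthResults, record_domain: str) -> str:
    """Return 'pass' if either SPF or DKIM passes *and* aligns; otherwise the policy
    to apply. sp is used when the From domain is a subdomain of record_domain."""
    spf_ok = results.spf_result == "pass" and aligned(results.from_domain, results.spf_domain, record["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(results.from_domain, results.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = results.from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    if is_subdomain and "sp" in record:
        return record["sp"]
    return record["p"]


def effective_policy(policy: str, pct: int, sample: int) -> str:
    """pct sampling: a failing message is subject to the policy only if its sample
    value (0..99) falls below pct; otherwise the next weaker policy is applied."""
    if policy == "none" or sample < pct:
        return policy
    return "quarantine" if policy == "reject" else "none"


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # Constructed message: SPF passes for a bounce subdomain, DKIM fails. aspf=r accepts it.
    msg = AuthResults("example.org", "pass", "bounce.example.org", "fail", "")
    print(dmarc_disposition(rec, msg, "example.org"))   # pass
    # Constructed message: only DKIM passes, but with a subdomain d= and adkim=s.
    msg = AuthResults("example.org", "fail", "evil.example", "pass", "mail.example.org")
    print(dmarc_disposition(rec, msg, "example.org"))   # quarantine
```

The example mirrors the article's description: SPF alignment with aspf=r tolerates a bounce subdomain in the envelope sender, while adkim=s rejects a signature whose d= is a subdomain, and a failing mail then receives the p policy (or sp when the From domain is a subdomain of the record's domain). effective_policy shows why pct=100 is the normal production value: a lower percentage silently downgrades part of the failing traffic to the next weaker policy.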
Criticism
DMARC checks the From header of the e-mail and places strict requirements on it (so-called "alignment"). This is problematic in connection with e-mail forwarding and mailing lists, as DMARC in effect requires that the original sender's From information in the e-mail header be replaced by the address of the mailing list or of the forwarding system. Example:
From: Nutzer <user@example.org> Subject: ... To: wikide-l@lists.wikimedia.org
must be modified in accordance with DMARC by the mailing list software as follows:
From: Nutzer via wikide-l <wikide-l@lists.wikimedia.org> Subject: ... To: wikide-l@lists.wikimedia.org
With this replacement the e-mail address of the real sender is removed entirely, so it is no longer possible to determine the real sender or to contact them directly. One option is for the mailing list to carry the original sender in an alternative header such as Reply-To, which can in turn lead to problems. There is no solution to this problem.
DMARC requires changes to all mailing list and routing software. The DMARC concept has accordingly also led to problems with mailing lists.
Norms and standards
- RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC), 2015
Web links
- dmarc.org - Official website
- dmarc.org / ... - Overview (PDF; 650 kB) (English)
- datatracker.ietf.org / ... - History of the specification creation process