The dangers of using DMARC
- jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
The dangers of using DMARC
Just for an experiment I set up a DMARC record for our business. It was based on SPF only (I don't use DKIM). Something like
v=DMARC1; p=reject; rua=mailto:dmarcfail@mycompany.com; aspf=r; pct=100; sp=none
the idea being that upon receiving an email, a DMARC compliant mail server will check our SPF records and if SPF fails then it will be rejected.
But then I found a problem:
Scenario: We send an email to a recipient, and that recipient has FORWARDING set up on his receiving account.
eg, (As a recipient) he has a GMAIL and a Yahoo account. But to consolidate everything he sets his gmail account to forward all emails to his Yahoo account.
When my company sends an email to the recipient's gmail account, gmail cannot forward it to Yahoo account, and consequently the recipient never gets to see the email because he only looks at his Yahoo account and expects gmail to forward everything. (Yahoo rejects it as SPF does allow sending from GMAIL and the dmarc 'p=reject' tells it to refuse delivery).
Discuss.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: The dangers of using DMARC
Why don't you use DKIM?
Doesn't DMARC rely on you having an existing DKIM?
What does DMARC achieve that SPF and DKIM on their own achieve?
Again the levels of “none” to “quarantine” to “reject”, this is just like SPF's '+all', '~all' and then '-all', from what I can tell from the DMARC website
hMailserver doesn't yet support DMARC. Should it?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
- jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Re: The dangers of using DMARC
mattg wrote:Why don't you use DKIM?
Doesn't DMARC rely on you having an existing DKIM?
What does DMARC achieve that SPF and DKIM on their own achieve?
Again the levels of “none” to “quarantine” to “reject”, this is just like SPFs '+all', '~all' and then '-all', from what I can tell from the DMARC website
hMailserver doesn't yet support DMARC. Should it?
mattg wrote:Why don't you use DKIM?
I don't use it because, to be honest, of the hassle of setting it up. Despite the endless postings we see on this forum supposedly advising on how easy it is to set it up and how to do it, I also see endless postings of people showing the problems implementing it or dealing with it. (I remain unconvinced AND I do not know enough to tackle certificates). And I don't think it will benefit us any/enough to warrant paying for certificates or hassling over the implementation of free ones, oh, and I am too proud to ask for the help here with it myself. I have no evidence that having DKIM signature makes things better for us in that we have no evidence that we are being spoofed/defrauded of our name AND causing us a problem. (I know, that last bit is a bit lame).
Which brings me on the next second question:
mattg wrote:What does DMARC achieve that SPF and DKIM on their own achieve
Dmarc reports back to you, the domain owner, the statistics of your emails, and whether they are being abused and by where and how much (you receive dmarc reports by all dmarc-compliant mail servers that handle emails from your domain). You would then know how 'your name' is being abused.
Also, Dmarc tells these compatible servers to 'accept', place in 'SPAM' folder, or completely 'reject' outright any emails that fail the spf or dkim checks. Spf +~- all markers only tell servers what you prefer but they can't enforce those servers to act as you wish as those servers rely on their internal spam-fighting predefined 'rules' to act (eg, SA looks and finds a fail against -all and only scores it higher than a pass - it doesn't necessarily stop the email delivery. This action is customisable - it doesn't FORCE the rejection of the email). Think of DMARC being one of those rules but YOU, the owner of your domain, are telling the server what to do and the server administrator of those compliant servers doesn't need to provide a rule and cannot override this action.
So in essence, you have the control. You set up your SPF 'preference' and then you set your DMARC record to force the server what to do on failure of SPF according to your spf record - the recipient's email server has no control over this. (Note: of course DKIM checks also apply, I used spf just as an example).
mattg wrote:Doesn't DMARC rely on you having an existing DKIM?
No, you can state in your dmarc record which (or both) you want to have checked. Ideally, of course, you would use both, but you don't have to.
mattg wrote:hMailserver doesn't yet support DMARC. Should it?
Well, it is an 'industry standard' feature - some servers are dmarc compatible (and act accordingly if dmarc records are found) and others don't do dmarc. It's really whether Martin wants to make Hmailserver DMARC compatible.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: The dangers of using DMARC
DKIM or DMARC... Same, same but different... Neither likes to be forwarded
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: The dangers of using DMARC
DMARC is to protect from mail spoofing.
Anyone can set up valid SPF and DKIM and spoof an email address with this.
DMARC checks that the From address is the same domain as SPF and DKIM.
This is an example: spam.com has a valid SPF and DKIM setup.
It uses MAIL FROM: user@spam.com but in the email's From header it uses user@spoofing.com.
Code: Select all
Return-Path: 77276deb71b34f2ea92664db97aa28fb@spam.com
Delivered-To: user@example.com
Received: from spam.com (spam.com [xxx.xxx.xxx.xxx]) by spoofing.com with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Fri, 7 Apr 2017 14:39:08 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=spam; d=spam.com; h=From:Sender:Subject:To:Message-Id:Date:MIME-Version:Content-Type:Content-Transfer-Encoding; i=user@spam.com; bh=xxxx; b=xxx
From: <user@spoofing.com>
Sender: <user@spam.com>
Subject: Spoofing mail!
To: <user@example.com>
This is not blocked by SPF and DKIM, only DMARC.
You can test it here https://dmarcian.com/dmarc-tester/
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.
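Added example, not written by any poster in this thread: a minimal model of the DMARC decision applied to the forwarding scenario from the opening post and to the spam.com / spoofing.com headers above. It goes one step beyond both posts by also showing the forwarded message with an aligned DKIM signature. The helper names, the p=reject policy for every domain and the two-label organizational-domain shortcut are assumptions.

```python
from dataclasses import dataclass

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator uses the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    if mode == "s":  # strict: identical domains
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

@dataclass
class Message:
    header_from: str   # domain of the From: header, the one DMARC protects
    mail_from: str     # domain of SMTP MAIL FROM / Return-Path (what SPF checks)
    spf: str           # SPF result at the final receiver
    dkim: tuple = ()   # (d= domain, result) for each DKIM signature

def dmarc_disposition(msg, policy, aspf="r", adkim="r"):
    """Return "pass", or the policy published by the From: domain."""
    spf_ok = msg.spf == "pass" and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_ok = any(result == "pass" and aligned(d, msg.header_from, adkim)
                  for d, result in msg.dkim)
    return "pass" if spf_ok or dkim_ok else policy

# Constructed cases. p=reject is assumed for every From: domain.
CASES = {
    # mycompany.com -> gmail: sending IP is in mycompany.com's SPF record.
    "direct": Message("mycompany.com", "mycompany.com", "pass"),
    # gmail -> yahoo forward: same envelope, but now gmail's IP is connecting.
    "forwarded_spf_only": Message("mycompany.com", "mycompany.com", "fail"),
    # Same forward with an aligned DKIM signature that survived unmodified.
    "forwarded_with_dkim": Message("mycompany.com", "mycompany.com", "fail",
                                   (("mycompany.com", "pass"),)),
    # The spam.com example: SPF and DKIM both pass, but for spam.com.
    "spoofed_from": Message("spoofing.com", "spam.com", "pass",
                            (("spam.com", "pass"),)),
}

def evaluate_cases():
    return {name: dmarc_disposition(m, "reject") for name, m in CASES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{name:20} {verdict}")
```

The DKIM case only holds while the forwarder leaves the signed headers and body untouched; a forwarder that rewrites the subject or appends a footer breaks the signature and the message falls back to the published policy.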
Re: The dangers of using DMARC
We tried to implement dmarc, but it was never detected by any test. Did we do something wrong?
Our configuration:
Code: Select all
C:\Users\psm>nslookup
Standardserver: pool.ns.ha.example.local
Address: 10.xxx.yyy.zzz
> server 8.8.8.8
Standardserver: google-public-dns-a.google.com
Address: 8.8.8.8
> set query=all
> example.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Nicht autorisierende Antwort:
example.com
primary name server = dns1.example.net
responsible mail addr = postmaster.example.net
serial = 2017032401
refresh = 28800 (8 hours)
retry = 1800 (30 mins)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
example.com nameserver = dns3.example.net
example.com nameserver = dns2.example.net
example.com nameserver = dns1.example.net
example.com internet address = www.xxx.yyy.zzz
example.com text =
"v=spf1 -all"
example.com text =
"v=dmarc1; p=reject; sp=reject; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com; rf=afrf; pct=100"
>
Re: The dangers of using DMARC
That should work, but reports are only sent by dmarc-compliant mail servers (for example microsoft, google) and they only send one per 24 hours. So you have to wait for the report.
However, alerts are sent directly.
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.
Re: The dangers of using DMARC
tunis wrote:That should work, but reports are only sent by dmarc-compliant mail servers (for example microsoft, google) and they only send one per 24 hours. So you have to wait for the report.
However, alerts are sent directly.
Tested against both google and live.com, but never received any report, but it's ok. Maybe one day they will be delivered. Let's see what the future brings...
Re: The dangers of using DMARC
MXtoolbox has a good suite of tools >> https://mxtoolbox.com/dmarc.aspx
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: The dangers of using DMARC
mattg wrote:MXtoolbox has a good suite of tools >> https://mxtoolbox.com/dmarc.aspx
Bookmarked!
I've tested some configurations and it said in the results, that dmarc was not found. I will check this.
Thank you for sharing the link.
Re: The dangers of using DMARC
estradis wrote: I've tested some configurations and it said in the results, that dmarc was not found. I will check this.
I missed that it must be a sub domain record _dmarc.example.com TXT "v=dmarc1; p=reject; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.
Re: The dangers of using DMARC
tunis wrote:
estradis wrote: I've tested some configurations and it said in the results, that dmarc was not found. I will check this.
I missed that it must be a sub domain record _dmarc.example.com TXT "v=dmarc1; p=reject; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"
Never noticed that such a record is required! I added it and et voilà, here we go.
Thank you!
And by the way it seems that DMARC1 is case sensitive and must be UPPERCASE.
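Added example, not code from any poster or from hMailServer: an offline lint for the two mistakes found in this exchange, a DMARC record published at the domain apex instead of at _dmarc.<domain>, and a v= value that is not the exact string DMARC1. The function names are made up for illustration; the first two sample records are the ones quoted in the thread and the third is a constructed corrected form.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_tags(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(owner, txt, domain):
    """Return a list of problems for a TXT record found at `owner`."""
    problems = []
    expected = "_dmarc." + domain.lower().rstrip(".")
    if owner.lower().rstrip(".") != expected:
        problems.append(f"record is at {owner}; receivers only query {expected}")
    pairs = parse_tags(txt)
    tags = dict(pairs)
    # v must be the first tag and its value is matched case-sensitively.
    if not pairs or pairs[0][0] != "v":
        problems.append("v= must be the first tag")
    elif pairs[0][1] != "DMARC1":
        problems.append(f"v={pairs[0][1]} is not the exact string DMARC1")
    if "p" not in tags:
        problems.append("p= (requested policy) is missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            problems.append(f"{tag}={tags[tag]} is not none/quarantine/reject")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct={pct} is not an integer from 0 to 100")
    return problems

REPORTS = "rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"
SAMPLES = [
    # As first published in the thread: at the apex, lower-case version.
    ("example.com", f"v=dmarc1; p=reject; sp=reject; fo=1; {REPORTS}; rf=afrf; pct=100"),
    # After moving it to the _dmarc name, still lower-case.
    ("_dmarc.example.com", f"v=dmarc1; p=reject; fo=1; {REPORTS}"),
    # Constructed corrected record.
    ("_dmarc.example.com", f"v=DMARC1; p=reject; fo=1; {REPORTS}"),
]

def lint_samples():
    return [lint_dmarc(owner, txt, "example.com") for owner, txt in SAMPLES]

if __name__ == "__main__":
    for (owner, _), problems in zip(SAMPLES, lint_samples()):
        print(owner, "->", problems or "ok")
```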
Re: The dangers of using DMARC
DMARC helps battle against email spoofing attacks. The forward issue caused by indirect mailflow OP mentioned can be addressed by Authenticated Received Chain (ARC) together with SPF/DKIM/DMARC. Basically how ARC works is to preserve email authentication results across intermediaries that cause IP address change and may modify email subject/content, causing SPF/DKIM authentication to fail. When the terminal receiver receives the email, it will check DMARC authentication result first, and if it fails, it checks if it has ARC-preserved authentication results, and if there are, it might still choose to have the email pass authentication. This is how it solves the indirect mailflow issue.
Here are some resources:
1. arc-spec (arc-spec.org): formal definition of Authenticated Received Chain (ARC);
2. dmarcly tools (dmarcly.com/tools): a set of tools to set up SPF/DKIM/DMARC.
Re: The dangers of using DMARC
"DMARC helps email senders and receivers verify incoming messages by authenticating the sender's domain. DMARC also defines the action to take on suspicious incoming messages. "
But can you miss real clients' messages?
Re: The dangers of using DMARC
once upon a time the internet was very nice
if someone had configured something wrong in their setup it was not a big deal it was more important that email reached the receiver
with spammers entering the internet , it became obvious that it was good to follow rules so for instance you had to build some kind of trust for others to receive mail from you..
for instance
1. ptr should match your servers name
2. antispam rules
2. put spf in place
3. use dkim
4. use dmarc
for every step in securing email transport .. there has always been a possibility that misconfigured senders, clients, forwarders would have problem ...
we can't trust misconfigured infrastructure because spammers take advantage of that
i had a static antispam rule removing all emails that had "earn bitcoin" in it ... one day.. someone asked me legitimately in an email if they could "earn bitcoin" by mining it ... i did not receive that email..
i have taken away that rule ( but hoping that other better antispam rules make up for it )
for every security step you take you have to do a risk assessment if it is worth it
lets cheat darwin out of his legacy, find a cure for cancer...
Re: The dangers of using DMARC
johang wrote: ↑2020-05-28 08:16
once upon a time the internet was very nice
if someone had configured something wrong in their setup it was not a big deal it was more important that email reached the receiver
with spammers entering the internet , it became obvious that it was good to follow rules so for instance you had to build some kind of trust for others to receive mail from you..
for instance
1. ptr should match your servers name
2. antispam rules
2. put spf in place
3. use dkim
4. use dmarc
for every step in securing email transport .. there has always been a possibility that misconfigured senders, clients, forwarders would have problem ...
we can't trust misconfigured infrastructure because spammers take advantage of that
i had a static antispam rule removing all emails that had "earn bitcoin" in it ... one day.. someone asked me legitimately in an email if they could "earn bitcoin" by mining it ... i did not receive that email..
i have taken away that rule ( but hoping that other better antispam rules make up for it )
for every security step you take you have to do a risk assessment if it is worth it
Perfect answer. I go to read https://en.wikipedia.org/wiki/DMARC
Re: The dangers of using DMARC
What 1990?
we are so past email Authentication, and that can't stop domain impersonation.
(BTW, I fully expect that you are a SPAM bot)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation