The dangers of using DMARC

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

The dangers of using DMARC

Post by jimimaseye » 2016-03-12 20:35

Just for an experiment I set up a DMARC record for our business. It was based on SPF only (I don't use DKIM). Something like

v=DMARC1; p=reject; rua=mailto:dmarcfail@mycompany.com; aspf=r; pct=100; sp=none
the idea being that upon receiving an email, a DMARC compliant mail server will check our SPF records and if SPF fails then it will be rejected.

But then I found a problem:

Scenario: We send an email to a recipient, and that recipient has FORWARDING set up on his receiving account.

e.g., (as a recipient) he has a Gmail and a Yahoo account. But to consolidate everything he sets his Gmail account to forward all emails to his Yahoo account.

When my company sends an email to the recipient's Gmail account, Gmail cannot forward it to the Yahoo account, and consequently the recipient never gets to see the email because he only looks at his Yahoo account and expects Gmail to forward everything. (Yahoo rejects it as SPF does allow sending from Gmail and the DMARC 'p=reject' tells it to refuse delivery.)

Discuss.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 19999
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: The dangers of using DMARC

Post by mattg » 2016-03-13 03:44

Why don't you use DKIM?

Doesn't DMARC rely on you having an existing DKIM?
What does DMARC achieve that SPF and DKIM on their own achieve?

Again, the levels of “none” to “quarantine” to “reject”: this is just like SPF's '+all', '~all' and then '-all', from what I can tell from the DMARC website.

hMailserver doesn't yet support DMARC. Should it?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Re: The dangers of using DMARC

Post by jimimaseye » 2016-03-13 11:52

mattg wrote: Why don't you use DKIM?

Doesn't DMARC rely on you having an existing DKIM?
What does DMARC achieve that SPF and DKIM on their own achieve?

Again, the levels of “none” to “quarantine” to “reject”: this is just like SPF's '+all', '~all' and then '-all', from what I can tell from the DMARC website.

hMailserver doesn't yet support DMARC. Should it?
Why don't you use DKIM?
I don't use it because of, to be honest, the hassle of setting it up. Despite the endless postings we see on this forum supposedly advising on how easy it is to set up and how to do it, I also see endless postings of people showing the problems implementing it or dealing with it. (I remain unconvinced AND I do not know enough to tackle certificates.) And I don't think it will benefit us any/enough to warrant paying for certificates or hassling over the implementation of free ones, oh, and I am too proud to ask for help here with it myself. I have no evidence that having a DKIM signature makes things better for us, in that we have no evidence that we are being spoofed/defrauded of our name AND that it is causing us a problem. (I know, that last bit is a bit lame.)

Which brings me on to the second question:
What does DMARC achieve that SPF and DKIM on their own achieve?
DMARC reports back to you, the domain owner, the statistics of your emails, and whether they are being abused and from where and how much (you receive DMARC reports from all DMARC-compliant mail servers that handle emails from your domain). You would then know how 'your name' is being abused.

Also, DMARC tells these compatible servers to 'accept', place in the 'SPAM' folder, or completely 'reject' outright any emails that fail the SPF or DKIM checks. SPF +~- all markers only tell servers what you prefer, but they can't force those servers to act as you wish, as those servers rely on their internal spam-fighting predefined 'rules' to act (e.g., SA looks and finds a fail against -all and only scores it higher than a pass; it doesn't necessarily stop the email delivery. This action is customisable; it doesn't FORCE the rejection of the email). Think of DMARC as being one of those rules, but YOU, the owner of your domain, are telling the server what to do, and the server administrators of those compliant servers don't need to provide a rule and cannot override this action.

So in essence, you have the control. You set up your SPF 'preference' and then you set your DMARC record to force the server as to what to do on failure of SPF according to your SPF record; the recipient's email server has no control over this. (Note: of course DKIM checks also apply; I used SPF just as an example.)
Doesn't DMARC rely on you having an existing DKIM?
No, you can state in your DMARC record which (or both) you want to have checked. Ideally, of course, you would use both, but you don't have to.
hMailserver doesn't yet support DMARC. Should it?
Well, it is an 'industry standard' feature: some servers are DMARC compatible (and act accordingly if DMARC records are found) and others don't do DMARC. It's really whether Martin wants to make hMailServer DMARC compatible.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: The dangers of using DMARC

Post by SorenR » 2016-03-13 16:24

DKIM or DMARC... Same, same but different... Neither likes to be forwarded :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

tunis
Normal user
Posts: 221
Joined: 2015-01-05 20:22
Location: Sweden

Re: The dangers of using DMARC

Post by tunis » 2017-04-13 11:52

DMARC is to protect from mail spoofing.
Anyone can set up valid SPF and DKIM and spoof an email address with this.
DMARC checks that the From address is the same domain as SPF and DKIM.

This is an example: spam.com has valid SPF and DKIM set up.
It uses MAIL FROM: user@spam.com, but in the email's From header it uses user@spoofing.com.

Code:

Return-Path: 77276deb71b34f2ea92664db97aa28fb@spam.com
Delivered-To: user@example.com
Received: from spam.com (spam.com [xxx.xxx.xxx.xxx]) by spoofing.com with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Fri, 7 Apr 2017 14:39:08 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=spam; d=spam.com; h=From:Sender:Subject:To:Message-Id:Date:MIME-Version:Content-Type:Content-Transfer-Encoding; i=user@spam.com; bh=xxxx; b=xxx
From: <user@spoofing.com>
Sender: <user@spam.com>
Subject: Spoofing mail!
To: <user@example.com>
This is not blocked by SPF and DKIM, only DMARC.

You can test it here https://dmarcian.com/dmarc-tester/
HMS 5.6.8 B2437.17 on Windows Server 2019 Core VM.
HMS 5.6.8 B2451.21 on Windows Server 2016 Core VM.
HMS 5.6.7 B2425.16 on Windows Server 2012 R2 Core VM.
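The alignment rule tunis describes, together with the forwarding failure from the opening post, worked through as a small evaluator (an added example, not hMailServer code or any poster's code). The header samples are constructed, spf_result/dkim_result stand for the verdicts a receiver has already computed from the sending IP and the signature, and org_domain() assumes two-label organizational domains where a real implementation consults the Public Suffix List.

```python
# Added example (not hMailServer code): DMARC identifier alignment and policy
# application per RFC 7489. The headers are constructed samples; spf_result and
# dkim_result are the verdicts a receiver has already computed from the sending
# IP and the signature. org_domain() assumes two-label organizational domains.
import re

# tunis's case: SPF and DKIM both pass for spam.com, but the From header says spoofing.com
SPOOF_HEADERS = """Return-Path: <77276deb71b34f2ea92664db97aa28fb@spam.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spam; d=spam.com; bh=xxxx; b=xxx
From: <user@spoofing.com>
To: <user@example.com>
"""
# the opening post's case: our unsigned mail, relayed onward by the recipient's forwarder
FORWARDED_HEADERS = """Return-Path: <sales@mycompany.com>
From: <sales@mycompany.com>
To: <recipient@final-mailbox.example>
"""

def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def header_domain(headers, name, pattern):
    m = re.search(r"^" + name + r":" + pattern, headers, re.M)
    return m.group(1) if m else ""

def dmarc_evaluate(headers, spf_result, dkim_result, policy, aspf="r", adkim="r"):
    """Return (disposition, result). DMARC passes when SPF or DKIM passed AND the
    domain that passed aligns with the RFC5322.From domain; otherwise the
    published p= policy decides what the receiver does with the message."""
    from_dom = header_domain(headers, "From", r".*@([A-Za-z0-9.-]+)")
    spf_dom = header_domain(headers, "Return-Path", r".*@([A-Za-z0-9.-]+)")   # RFC5321.MailFrom
    dkim_dom = header_domain(headers, "DKIM-Signature", r".*?\bd=([^;\s]+)")  # signing domain
    spf_ok = spf_result == "pass" and spf_dom and aligned(spf_dom, from_dom, aspf)
    dkim_ok = dkim_result == "pass" and dkim_dom and aligned(dkim_dom, from_dom, adkim)
    if spf_ok or dkim_ok:
        return "accept", "dmarc=pass"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy], "dmarc=fail"
```

With p=none the forwarded message is still delivered (and only reported), which is the trade-off the opening post ran into with p=reject.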

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: The dangers of using DMARC

Post by estradis » 2017-07-17 09:37

We tried to implement DMARC, but it was never detected by any test. Did we do something wrong?

Our configuration:

Code:

C:\Users\psm>nslookup
Standardserver:  pool.ns.ha.example.local
Address:  10.xxx.yyy.zzz

> server 8.8.8.8
Standardserver:  google-public-dns-a.google.com
Address:  8.8.8.8

> set query=all
> example.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Nicht autorisierende Antwort:
example.com
        primary name server = dns1.example.net
        responsible mail addr = postmaster.example.net
        serial  = 2017032401
        refresh = 28800 (8 hours)
        retry   = 1800 (30 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
example.com   nameserver = dns3.example.net
example.com   nameserver = dns2.example.net
example.com   nameserver = dns1.example.net
example.com   internet address = www.xxx.yyy.zzz
example.com   text =

        "v=spf1 -all"
example.com   text =

        "v=dmarc1; p=reject; sp=reject; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com; rf=afrf; pct=100"
>

tunis
Normal user
Posts: 221
Joined: 2015-01-05 20:22
Location: Sweden

Re: The dangers of using DMARC

Post by tunis » 2017-07-17 10:03

That should work, but reports are only sent by DMARC-compliant mail servers (for example Microsoft, Google) and they only send one per 24 hours. So you have to wait for the report.

However, alerts are sent directly.
HMS 5.6.8 B2437.17 on Windows Server 2019 Core VM.
HMS 5.6.8 B2451.21 on Windows Server 2016 Core VM.
HMS 5.6.7 B2425.16 on Windows Server 2012 R2 Core VM.

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: The dangers of using DMARC

Post by estradis » 2017-07-17 15:55

tunis wrote: That should work, but reports are only sent by DMARC-compliant mail servers (for example Microsoft, Google) and they only send one per 24 hours. So you have to wait for the report.

However, alerts are sent directly.

Tested against both Google and live.com, but never received any report; but it's OK. Maybe one day they will be delivered. Let's see what the future brings...

mattg
Moderator
Posts: 19999
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: The dangers of using DMARC

Post by mattg » 2017-07-18 00:51

MXtoolbox has a good suite of tools >> https://mxtoolbox.com/dmarc.aspx
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: The dangers of using DMARC

Post by estradis » 2017-07-18 11:42

mattg wrote: MXtoolbox has a good suite of tools >> https://mxtoolbox.com/dmarc.aspx
Bookmarked!

I've tested some configurations and it said in the results that DMARC was not found. I will check this.

Thank you for sharing the link.

tunis
Normal user
Posts: 221
Joined: 2015-01-05 20:22
Location: Sweden

Re: The dangers of using DMARC

Post by tunis » 2017-07-18 23:33

estradis wrote: I've tested some configurations and it said in the results that DMARC was not found. I will check this.
I missed that it must be a subdomain record: _dmarc.example.com TXT "v=dmarc1; p=reject; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"
HMS 5.6.8 B2437.17 on Windows Server 2019 Core VM.
HMS 5.6.8 B2451.21 on Windows Server 2016 Core VM.
HMS 5.6.7 B2425.16 on Windows Server 2012 R2 Core VM.

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: The dangers of using DMARC

Post by estradis » 2017-07-26 09:01

tunis wrote:
estradis wrote: I've tested some configurations and it said in the results that DMARC was not found. I will check this.
I missed that it must be a subdomain record: _dmarc.example.com TXT "v=dmarc1; p=reject; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"
Never noticed that such a record is required! I added it and et voilà, here we go. :roll:
Thank you!

And by the way it seems that DMARC1 is case sensitive and must be UPPERCASE. :oops:
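Why the record at the apex was "not found" and why the version tag must read DMARC1 exactly, shown as the lookup a receiving server performs (an added example, not hMailServer code or any poster's code). CONSTRUCTED_DNS is a stand-in for a resolver, and org_domain() assumes two-label organizational domains where real code uses the Public Suffix List.

```python
# Added example (not hMailServer code): how a receiver discovers and validates
# a DMARC policy per RFC 7489 sections 6.3 and 6.6.3. CONSTRUCTED_DNS stands in
# for a resolver; org_domain() assumes two-label organizational domains.

CONSTRUCTED_DNS = {
    "example.com": ["v=spf1 -all",  # DMARC text at the apex: receivers never look here
                    "v=dmarc1; p=reject; sp=reject; rua=mailto:postmaster@example.com"],
    "_dmarc.example.org": ["v=dmarc1; p=reject"],  # lowercase version value: discarded
    "_dmarc.example.net": ["v=DMARC1; p=reject; sp=none; aspf=r; pct=100; "
                           "rua=mailto:postmaster@example.net"],  # valid record
}

def parse_tags(txt):
    """'tag=value; tag=value' -> list of (tag, value) pairs; tags are case-sensitive."""
    return [tuple(s.strip() for s in part.split("=", 1))
            for part in txt.split(";") if "=" in part]

def find_dmarc_record(dns, domain):
    """Return (record dict or None, reason). Queries TXT at _dmarc.<domain> only."""
    valid = []
    for txt in dns.get("_dmarc." + domain, []):
        tags = parse_tags(txt)
        if tags and tags[0] == ("v", "DMARC1"):   # v must be first and exactly DMARC1
            valid.append(dict(tags))
    if not valid:
        return None, "no DMARC record at _dmarc." + domain
    if len(valid) > 1:
        return None, "multiple DMARC records; treated as none"
    if "p" not in valid[0]:
        return None, "record lacks the required p tag"
    return valid[0], "ok"

def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])

def effective_policy(dns, from_domain):
    """Policy applied to mail whose From domain is from_domain, or None when no
    DMARC applies. Falls back to the organizational domain, where sp overrides p."""
    record, _ = find_dmarc_record(dns, from_domain)
    if record:
        return record["p"]
    org = org_domain(from_domain)
    if org == from_domain.lower():
        return None
    record, _ = find_dmarc_record(dns, org)
    if record is None:
        return None
    return record.get("sp", record["p"])
```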

hifall
New user
Posts: 1
Joined: 2018-09-17 05:28

Re: The dangers of using DMARC

Post by hifall » 2018-09-17 05:41

DMARC helps battle against email spoofing attacks. The forwarding issue caused by the indirect mail flow the OP mentioned can be addressed by Authenticated Received Chain (ARC) together with SPF/DKIM/DMARC. Basically, how ARC works is to preserve email authentication results across intermediaries that cause the IP address to change and may modify the email subject/content, causing SPF/DKIM authentication to fail. When the terminal receiver receives the email, it will check the DMARC authentication result first, and if it fails, it checks whether it has ARC-preserved authentication results, and if there are, it might still choose to have the email pass authentication. This is how it solves the indirect mail flow issue.

Here are some resources:
1. arc-spec (arc-spec.org): formal definition of Authenticated Received Chain (ARC);
2. dmarcly tools (dmarcly.com/tools): a set of tools to set up SPF/DKIM/DMARC.