Differences

This shows you the differences between two versions of the page.

--- bind:domain-based_message_authentication_reporting_and_conformance_dmarc [2016/11/18 10:20] – peter
+++ bind:domain-based_message_authentication_reporting_and_conformance_dmarc [2019/11/26 21:01] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Bind - Domain-based Message Authentication Reporting and Conformance (DMARC) ======
-DMARC is built upon two other authentication protocols:
-  - [[Bind:Sender Policy Framework (SPF)|SPF (Sender Policy Framework)]] and
-  - [[Bind:Domain Keys Identified Mail (DKIM)|DKIM (DomainKeys Identified Mail)]]
-A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message.  The receiver will look to the established policy to make a determination on where to filter mail.  So DMARC requires one or the other, though it makes it easier to fail if SPF and DKIM aren't both implemented.
-===== DNS config =====
-DMARC-policies are published as TXT records, in DNS.
-The basic record looks like this:
-<code>
-_dmarc.example.com IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; fo=1; rua=mailto:postmaster@example.com"
-</code>
-===== DMARC tags =====
-DMARC tags tell the email receiver to
-  - Check for DMARC and
-  - What to do with messages that fail DMARC authentication.
-^Tag Name^Required^Purpose^Sample^
-|v|required|Protocol version|v=DMARC1|
-|p|required|Policy for domain|p=quarantine|
-|pct|optional|% of messages subjected to filtering|pct=20|
-|rua|optional|Reporting URI of aggregate reports|rua=mailto:aggrep@example.com|
-|sp|optional|Policy for subdomains of the domain|sp=reject|
-|aspf|optional|Alignment mode for SPF|aspf=r|
-==== v: Version ====
-This tag is used to identify the TXT record as a DMARC record, so email receivers can distinguish it from other TXT records.  The v: tag must have the value of "DMARC1" and it must be listed as the first tag within the entire DMARC record.  If the value doesn't exactly match "DMARC1" or the v: tag is not listed first, the entire DMARC record will be ignored by the receiver.
-Example:
-<code>
-v=DMARC1
-</code>
-==== p: Requested Mail Receiver Policy ====
-This tag indicates the policy to be enacted by the receiver for messages that fail DMARC authentication and alignment checks, as specified by the domain owner.  This policy will apply to the domain queried and to all subdomains unless a separate subdomain policy is explicitly described.  There are three possible values for the p: tag.
-  * **p=none**: The domain owner requests no specific action be taken on mail that fails DMARC authentication and alignment.
-  * **p=quarantine**: The domain owner wishes that mail failing the DMARC authentication and alignment checks be treated as suspicious by mail receivers. This can mean receivers place the email in the spam/junk folder, flag as it suspicious or scrutinize this mail with extra intensity.
-  * **p=reject**: The domain owner requests that mail receivers reject the email that fails the DMARC authentication and alignment checks. Rejection should occur during the SMTP transaction. This is the most strict policy and offers the highest level of protection.
-Given the information above, the most basic DMARC record example could be:
-<code>
-v=DMARC1; p=none
-</code>
-==== rua: Reporting URI of aggregate reports (Optional) ====
-Indicates where aggregate DMARC reports should be sent to.  Senders designate the destination address in the following format:
-<code>
-rua=mailto:domain@example.com.
-</code>
-==== ruf: Reporting URI of failure reports (Optional) ====
-Indicates where forensic DMARC reports should be sent to.  Senders designate the destination address in the following format:
-<code>
-ruf=mailto:domain@example.com.
-</code>
-The addresses is a comma separated list of DMARC URIs used in conjunction with the `fo` key.
-==== adkim: DKIM identifier alignment ====
-Indicates strict or relaxed DKIM identifier alignment. The default is relaxed.
-==== rf: Report Format (Optional) ====
-Format used for the message-specific failure reports expressed as an optional comma-separated list of values.  The two accepted formats are
-  * `afrf`: An "augmented" ARF report with additional DMARC-specific headers included.
-  * `iodf`: RFC-5070 (“Incident Object Description Exchange Format”), which is a format suitable for reporting computer security incidents.
-Note that receivers can define other formats, albeit this should be a rare occurrence as most operations are embracing ARF as the reporting format of choice.
-The default is Authentication Failure Reporting Format, or "AFRF."
-==== ri: Reporting Interval (Optional) ====
-The number of seconds elapsed between sending aggregate reports to the sender.  The default value is 86400 seconds or a day.  This is the value that is most commonly supported.  Higher frequencies are accommodated on a best-effort basis.
-==== pct: Percentage of messages to which the DMARC policy is to be applied (Optional) ====
-Percentage of messages to which the DMARC policy is to be applied.  This parameter provides a way to gradually implement and test the impact of the policy.
-This allows the sender to specify what percentage of the mail flow is to be subjected to the DMARC checks.  For senders that are beginning to setup their policies, this parameter provides a way to gradually implement and test the impact of the policy, considerably reducing the risk of impact by error.
-The specification does not mandate how to calculate this percentage.  Instead, it suggests that a common way to implement this at the receiver side, is to use the value as a probability that the message is subjected to the DKIM checks.
-==== fo:  Failure reports options (Optional) ====
-Dictates what type of authentication and/or alignment vulnerabilities are reported back to the Domain Owner.
-There are four values to the latter **fo:** tag:
-  * **0**: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned "pass" result. (Default)
-  * **1**: Generate a DMARC failure report if any underlying authentication mechanism produced something other than an aligned "pass" result.
-  * **d**: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
-  * **s**: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
-While the default is **"fo=0,"** Return Path advises clients to use fo:1 to generate the most comprehensive failure reports, providing that much more granular visibility into the email channel.
-===== What about sub-domains? =====
-The final DMARC tag we will discuss today is the sp: tag, which is used to indicate a requested policy for all subdomains where mail is failing the DMARC authentication and alignment checks.  This tag is only applicable to top-level domains (organizational level domains).  It is most effective when a Domain Owner wants to specify different policy for the top-level domain and all subdomains.
-For the following scenarios, we will use the top-level domain of "domain.com" and the sub-domain of "mail.domain.com" to illustrate the use cases.
-  - The Domain Owner wants to enforce a reject policy for "domain.com," but a quarantine policy for "mail.domain.com" (and all other subdomains).  The DMARC record for "domain.com" would then include "v=DMARC1; p=reject; sp=quarantine."  This is an effective strategy if the organization needs to maintain separate DMARC policy for the top-level domain and all subdomains.
-  - Domain Owner wants to enforce a reject policy for "mail.domain.com" (and all other subdomains) but not enforce a reject policy for "domain.com."  The DMARC record for “domain.com” would then include "v=DMARC1; p=none; sp=reject."  This would be an effective strategy to combat dictionary attacks in the event that the top-level domain isn't ready to enforce policy, but the fraudsters are spoofing subdomains like mail.domain.com, abc.domain.com, 123.domain.com, xyz.domain.com, etc.  Setting the sp: tag to reject will protect the organization from these dictionary attacks targeting subdomains without impacting any of the mail sent from the top-level domain, "domain.com"
-===== Create a DMARC record in monitor mode =====
-<code>
-v=DMARC1; p=none; fo=1; rua=mailto:dmarc_agg@auth.example.com;ruf=mailto:dmarc_afrf@auth.example.com
-</code>
-With DMARC in monitor mode, you can gather the information on your entire email ecosystem, including who is sending email on behalf of your brand, what emails are getting delivered, and what emails are not.
-Request to receive the daily aggregate and forensic reports by specifying your email address in the rua tag and the ruf tag, respectively.  Use the email address(es) you identified in step three above.
-===== Deploy Slowly =====
-It is strongly recommended to ramp up DMARC use slowly by employing these policies in this order.  First, monitor your traffic and look for anomalies in the reports, such as messages that are not yet being signed or are perhaps being spoofed.  Then, when you're comfortable with the results, change the TXT record policy setting from "none" to "quarantine."  Once again, review the results, this time in both your spam catch and in the daily DMARC reports.  Finally, once you're absolutely sure all of your messages are signed, change the policy setting to "reject" to make full use of DMARC. Revisit reports to ensure your results are acceptable.
-Similarly, the optional pct tag can be used to stage and sample your DMARC deployment.  Since 100% is the default, passing "pct=20" in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them.  This setting is especially useful once you elect to quarantine and reject mail. Start with a lower percent and increase it every few days.
-A conservative deployment cycle would resemble:
-<code>
-Monitor all.
-Quarantine 1%.
-Quarantine 5%.
-Quarantine 10%.
-Quarantine 25%.
-Quarantine 50%.
-Quarantine all.
-Reject 1%.
-Reject 5%.
-Reject 10%.
-Reject 25%.
-Reject 50%.
-Reject all.
-</code>
-Attempt to remove the percentages as quickly as possible to complete the deployment.
-As always, review your daily reports.
-===== Examples =====
-<code>
-v=DMARC1; p=reject; fo=1; rua=mailto:domain@example.com; ruf=mailto:domain@example.com; rf=afrf; pct=100
-</code>
-Choose how you want recipient servers to handle email from your domain that fails SPF/DKIM validation. Options are outlined below in red:
-<code>
-None: "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"
-Reject: "v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ri=86400"
-Quarantine: "v=DMARC1; p=quarantine; sp=none; rf=afrf; pct=100; ri=86400"
-</code>
-Alternately, you can request an email report of failed DMARC validations by adding a valid email address, such as the following:
-<code>
-None: "v=DMARC1; p=none; sp=none; ruf=mailto:user@example.com; rf=afrf; pct=100; ri=86400"
-Reject: "v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ruf=mailto:user@example.com; ri=86400"
-Quarantine: "v=DMARC1; p=quarantine; sp=none; ruf=mailto:user@example.com; rf=afrf; pct=100; ri=86400"
-</code>
-===== References =====
-https://dmarc.org/resources/deployment-tools/