DMARC for recipient

DMARC for recipient

DMARC for recipient

DMARC Email Authentication in ESA:

DMARC email authentication in ESA (Email Security Appliance) is based on profiles, similar to DKIM. However, unlike DKIM, the default profile must be compatible with certain characteristics. By default, ESA behaves in a way that no messages are lost. Therefore, the default DMARC authentication profile is set to “No Action.” Additionally, to enable report generation, you need to edit the DMARC section of email policies.

DMARC email authentication adds fields to the Authentication-Results header in emails:


Copy code

Authentication-Results:; dkim=pass (signature verified); DMARC=pass (p=none dis=none)

In the example above, DMARC is verified based on DKIM identifier alignment, and the sender requests a “none” policy. This indicates a “monitor” status during DMARC deployment stages.

Providing Email Services to Other Domains and 3rd Parties:

The major challenge in ESPs (Email Service Providers) aligning with DMARC is achieving complete identifier alignment. When expanding DMARC, it’s crucial to ensure the accuracy of SPF settings so that all associated domains have your gateway’s output in their SPF records. Also, make sure not to send messages that are not alignment-friendly. This is generally accomplished by using different domains for MAIL FROM and Header From. This issue often arises when using applications that send notifications and alerts via email, as many software developers are unaware of the consequences of email identifier misalignments.

As mentioned earlier, it’s essential to ensure separate DKIM signing profiles for each domain, so your signing profile correctly references the domain the signing request was sent to via Header From. If you use subdomains, signing with a single key is possible, but ensure compliance with DKIM in DMARC policies (adkim=”r”) DMARC). In general, when providing email services for a large number of 3rd parties, it’s recommended to prepare guidelines on how to send emails that you can confidently receive.

Domains and Subdomains without Email Traffic:

One of the advantages of DMARC over previous email authentication technologies is its ability to handle subdomains. By default, the DMARC policy applies to all subdomains. When modifying DMARC policy records, if no record is defined at the Header From FQDN level, the email recipient must decide regarding the sender domain and search for policy records. The policy for the Organizational Domain is set in a way that separate policies can be applied to each subdomain (using the “sp” tag in the DMARC record). This policy will be applied to all subdomains that do not have individual DMARC policies.

In the SPF scenario, you have the ability to:

Publish an explicit DMARC record for each subdomain within the group of valid email sources.

Publish a “reject” policy for all subdomains’ Organizational Domain policy records. This way, emails sent from spoofed sources will not be accepted.

This email authentication structure provides the best method for protecting your infrastructure and brand.

Special Considerations in DMARC:

Several potential issues exist in the realm of DMARC, stemming from the nature and shortcomings of other email authentication technologies that DMARC relies on. The primary issue arises when DMARC enforces a “reject” policy or associates different senders’ identifiers within a single message. Often, problems arise with mailing lists and mailing list management software. When an email is sent to a mailing list, it is distributed to all recipients on the list. Although the final email is sent from the original sender’s address via the mailing list management infrastructure, failing SPF tests for Header From will not occur (most mailing list infrastructures use the Envelope From or MAIL FROM as the list address and the original sender as the Header From). Since DMARC can break SPF, these situations will rely on DKIM, although mailing list management software often adds footers or subject line tags along with the list name, rendering DKIM signatures ineffective.
Developers of DKIM offer various solutions to address this issue. Most of these methods involve mailing list managers using the address present in the list for all From addresses and referencing the original sender using other methods.

Similar problems arise when forwarding messages by copying the original message and sending it via SMTP to a new recipient. Although many Mail User Agents create a new message and place the forwarded message within it or attach it as a file today, messages sent in this manner can trigger DMARC requirements (although authenticating the original message cannot be achieved).

Key Points in Email Authentication Implementation:

Step One: DKIM

  • DKIM Parameters: First and foremost, address all your questions regarding the entire DKIM process and selector management options.
  • Key Rotation: Some organizations use separate keys (selectors) for different units within the organization. Implement key rotation for enhanced security.
  • Key Size Consideration: While larger key sizes generally offer better security, be mindful of the computational overhead. 2048-bit keys are commonly used, but 1024-bit keys often strike a balance between performance and security.
  • Third-Party Involvement: If you’re working with third-party services, coordinate with them for key management and signing strategies.

Step Two: SPF

  • dentify All Email Sources: Clearly define all sources within and outside your organization that send emails. This includes Exchange servers, DLP solutions, CRM systems, third-party applications, testing servers, personal computers, and more.
  • Implementing SPF: SPF implementation can be challenging due to diverse email sources. Start with a soft fail (~all) and move to a hard fail (-all) only when you are certain about all your email sources.
  • Complex Email Networks: For complex email infrastructures, consider documenting the current SPF setup for future reference and cleanup.

Step Three: DMARC

  • Reporting Addresses: Set up reporting addresses for receiving DMARC reports. These reports will help you dentify sources attempting email spoofing.
  • Gradual Policy Implementation: Start with a DMARC policy of “none” and a reporting option of “fo=1” to test without affecting email traffic. Gradually move to “quarantine” or “reject” after carefully analyzing the reports and addressing false positives.
  • Continuous Monitoring: Continuously monitor and analyze DMARC reports. Be prepared to make adjustments based on the feedback and attempted spoofing activities.
  • Implementing robust email authentication involves careful planning, coordination with third parties, and continuous monitoring. Make sure to document each step thoroughly and adapt your strategies based on the evolving email landscape and security needs.


Project Implementation Plan and Timeline:

Row                                Task                                                Timeframe

  1.       Planning and DKIM Setup                                       2 – 4 weeks
  2.       DKIM Implementation Testing                               2 weeks
  3.       Valid Sender Identification for SPF                        2 – 4 weeks
  4.       DMARC Policy Preparation                                      2 weeks
  5.       SPF and DMARC Record Testing                             4 – 8 weeks
  6.       Hardfail Testing for SPF                                           2 weeks
  7.       DMARC Testing with Quarantine/Reject               4 weeks
  8.       Continuous DMARC Reporting Monitoring          Ongoing

Note: The timeline may vary based on the organization’s complexity and size. Smaller organizations might complete stages 3 and 4 faster due to simpler email infrastructures. Regardless of the email system’s simplicity, allocate sufficient time for testing and feedback analysis.
Larger organizations typically undergo longer and more stringent processes. Complex email infrastructures not only require extended implementation time for email authentication but also demand meticulous project management and team coordination. In such cases, consulting services are often sought to streamline the process.

Regarding your inquiry about Parsian Intelligent Technology providing services and ESA license sales, it’s advisable to reach out directly to them for a price quote and further information.

Tags: No tags

Add a Comment

Your email address will not be published. Required fields are marked *