Why you need DMARC

Overview

This is a short post on the importance of DMARC: it helps you see the truth about your mail flow and how other mail servers on the internet are treating it.

Normally when you send an email, you write it, hit send and forget about it. If things go wrong, then maybe, just MAYBE, you’ll get a bounce back.

This normally happens when you send an email and put a typo in the TO: address, like john@zenithmedia[.ca]. My name is actually spelled JON, so when you send an email to the address above, our email server will send you an automatic email saying that no account exists at that address or that the email you’re trying to send can’t be sent. That’s a normal bounce back.

Example of a standard bounce

From: no-reply@sendgrid.net
Subject: Undelivered Mail Returned to Sender
To: "postmaster" <postmaster@zenithmedia.net>


This is an automatically generated message from SendGrid.

I'm sorry to have to tell you that your message was not able to be
delivered to one of its intended recipients.

If you require assistance with this, please contact SendGrid support.

zmnet:2307644:admin@ase.md : 550 5.4.1 [admin@ase.md]: Recipient address rejected: Access denied [AM5EUR03FT035.eop-EUR03.prod.protection.outlook.com]
X-SendGrid-QueueID: 19282272
X-SendGrid-Sender: <bounces+12323324-f493-admin=ase.md@sendgrid.zenithmedia.net>
Arrival-Date: 2018-10-21 16-52-32

Final-Recipient: rfc822; admin@ase.md
Original-Recipient: rfc822; admin@ase.md
Action: failed
Status: 5.4.1
Diagnostic-Code: 550 5.4.1 [admin@ase.md]: Recipient address rejected: Access denied [AM5EUR03FT035.eop-EUR03.prod.protection.outlook.com]

As you can see, the bounce says “Access denied”. But what you’re not seeing is how your mail is flowing and what other mail servers are saying about your mail in the background.

Usually, you set up your SPF records and your DKIM and start sending, and this works normally, but you don’t really have a way to know if that’s the case. Was there an error in your SPF or DKIM and the mail is still being accepted? (Most major mail providers like Google accept a lot of broken emails, just to reduce support, but trust me, it doesn’t mean your setup is in order.) Or is the error in your SPF just silently ignored and the mail quarantined?

This is where DMARC comes into play. The setup is generally easy. You publish a TXT record on your sending domain that names a reporting address, and mail servers will start sending REPORTS to that address.

The problem with receiving your own DMARC reports is that they are received in XML and contain JSON data, which makes them hard to read.
Thankfully, there are DMARC services that parse these emails and give you a nice overview.

All our HaaS (Hosting as a Service) accounts that are able to send email come with the required settings to allow DMARC to work. You don’t have to worry about anything.

We monitor our DMARC reports daily and proactively fix or notify our clients of any issues.

You don’t know till you know

You might be telling yourself, “Well, I set up my SPF and DKIM properly and I’m sending email every day without a problem! This is just another gimmick.”

Well, no. First, you don’t know if you’re sending emails properly. How could you? Do you get a report every day of how Google, Hotmail, Microsoft and Yahoo are rating and processing your emails?

Do you know how many of your emails are going into spam? Do you know how many third parties are sending emails as you (spoofing), impersonating your email and trying to scam your clients? No, of course not, because you don’t have DMARC and you’re not getting your reports.

This is what a spoof run looks like when you have DMARC enabled and reporting.

These images show all the hostnames that were used in a spam run, and the second image shows the IPs used for that specific spam run.
As you can see from the image, the DMARC compliance is 0%, SPF is 0% and DKIM is 0%. Most importantly, when you expand the IP you’ll be able to see how the receiving mail server (Google Mail, Yahoo Mail or Zenith Media) is dealing with them. In this case, for the protection of the client, I won’t expand, but they have set up their DMARC rules to quarantine the email. You can also tell receiving servers to outright reject the emails if they don’t validate SPF or DKIM.
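The same numbers the dashboard shows can be pulled out of an aggregate report with a few lines of Python. This is an added example, not the code behind the screenshots described above: the sample report is constructed in the RFC 7489 aggregate layout with documentation IPs and example.com, and `summarize` and `compliance` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; the IPs are
# documentation addresses and example.com stands in for your domain.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Per-source-IP message counts, pass counts and dispositions."""
    # Reports are sent by third parties; they never need a DOCTYPE, so
    # refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in report_xml.upper():
        raise ValueError("DOCTYPE not allowed in a DMARC report")
    stats = defaultdict(lambda: {"count": 0, "dmarc": 0, "spf": 0,
                                 "dkim": 0, "disposition": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        n = int(rec.findtext("row/count", "0"))
        spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        s = stats[rec.findtext("row/source_ip")]
        s["count"] += n
        s["spf"] += n * spf
        s["dkim"] += n * dkim
        s["dmarc"] += n * (spf or dkim)  # DMARC passes if either one passes
        s["disposition"].add(rec.findtext("row/policy_evaluated/disposition"))
    return dict(stats)

def compliance(stats):
    """Overall DMARC/SPF/DKIM pass percentages across all sources."""
    total = sum(s["count"] for s in stats.values()) or 1
    return {k: round(100 * sum(s[k] for s in stats.values()) / total)
            for k in ("dmarc", "spf", "dkim")}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_REPORT).items():
        print(ip, s["count"], f'{100 * s["dmarc"] // s["count"]}%', s["disposition"])
```

A source IP you do not recognise with 0% on all three and a `quarantine` disposition is what a spoof run looks like in the raw data.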

How can you tell if you have it?

How can you tell if you have DMARC and if your provider is looking out for you?

Easy… ish.

If you’re a nerd with some Linux skills, all you have to do is run a dig command on your domain (dig txt _dmarc.yourdomain.tld).

Here is an example output:

dig txt _dmarc.zenithmedia.ca
ANSWER SECTION:
_dmarc.zenithmedia.ca. 86400 IN CNAME _dmarc.zenithmedia.net.
_dmarc.zenithmedia.net. 3600 IN TXT "v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=s\; rua=mailto:9da9e271c392215@rep.dmarcanalyzer.com\; rf=afrf\; pct=100\; fo=0:1:d:s\; ri=3600"

Now as you can see I have a CNAME record, pointing to our DMARC entry.

"v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=s\; rua=mailto:dmarc@zenithmedia.net\; rf=afrf\; pct=100\; fo=0:1:d:s\; ri=3600"
Let’s clean this up a little to make it easier to read. (We specify the proper escaping on \; just to make sure we are as compliant as possible according to RFC 1034/1035. tl;dr: essentially, the ; characters are specified as comments, so they should be escaped. The @ should also be escaped, but we found that some servers don’t like it.)

"v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@zenithmedia.net; rf=afrf; pct=100; fo=0:1:d:s; ri=3600"

So let’s break it down

As per the documentation over at dmarcian.com

| Tag | Value | Translation |
|---|---|---|
| p | quarantine | Policy to apply to email that fails the DMARC check. Can be “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows. |
| sp | quarantine | Policy to apply to email that fails the DMARC check. Can be “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows. |
| adkim | r | Specifies “Alignment Mode” for DKIM signatures. “r” is for Relaxed, “s” is for Strict. Relaxed mode allows Authenticated DKIM d= domains that share a common Organizational Domain with an email’s header-From: domain to pass the DMARC check. Strict mode requires exact matching between the DKIM d= domain and an email’s header-From: domain. |
| aspf | s | Specifies “Alignment Mode” for SPF. “r” is for Relaxed, “s” is for Strict. Relaxed mode allows SPF Authenticated domains that share a common Organizational Domain with an email’s header-From: domain to pass the DMARC check. Strict mode requires exact matching between the SPF domain and an email’s header-From: domain. |
| rf | afrf | The reporting format for individual Forensic reports. Can be either “afrf” or “iodef”. |
| pct | 100 | The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time. For example, “pct=25” tells receivers to apply the “p=” policy 25% of the time against email that fails the DMARC check. NOTE: you must have a policy of “quarantine” or “reject” for the percentage tag to do anything. |
| fo | 0:1:d:s | Forensic reporting options. Possible values: “0” to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, “1” to generate reports if any mechanisms fail, “d” to generate a report if DKIM signature failed to verify, “s” if SPF failed. |
| ri | 3600 | The reporting interval for how often you’d like to receive aggregate XML reports. You’ll likely receive reports once a day regardless of this setting. |
| rua | mailto:dmarc@zenithmedia.net | The list of URIs for receivers to send XML feedback to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:address@example.org”. External destination verification is tested if applicable. Source: IETF. |
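To check a record against the rules in this table before publishing it, a small linter is enough. This is an added example, not code from dmarcian or from our own tooling: `parse_dmarc` and `lint_dmarc` are hypothetical names, the `ruf` dependency and the `_report._dmarc` name follow RFC 7489, and the external-destination test is simplified to a suffix comparison instead of a real Organizational Domain lookup.

```python
import re

ENUMS = {"p": {"none", "quarantine", "reject"},
         "sp": {"none", "quarantine", "reject"},
         "adkim": {"r", "s"}, "aspf": {"r", "s"}}

# The record from this page, escaped the way dig prints it.
PAGE_RECORD = (r'"v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=s\; '
               r'rua=mailto:dmarc@zenithmedia.net\; rf=afrf\; pct=100\; '
               r'fo=0:1:d:s\; ri=3600"')

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; accepts the escaped '\\;' form."""
    tags = {}
    for part in txt.strip().strip('"').replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt, policy_domain):
    """Return findings for the record published for policy_domain."""
    tags, out = parse_dmarc(txt), []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        out.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        out.append("missing required p= tag")
    for tag, allowed in ENUMS.items():
        if tag in tags and tags[tag] not in allowed:
            out.append(f"{tag}={tags[tag]} is not one of {sorted(allowed)}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        out.append(f"pct={pct} must be an integer from 0 to 100")
    elif tags.get("p") == "none" and int(pct) < 100:
        out.append("pct does nothing while p=none")
    if "rua" not in tags:
        out.append("no rua= tag, so no aggregate reports will arrive")
    if "ruf" not in tags and ("fo" in tags or "rf" in tags):
        out.append("fo/rf have no effect without ruf= (no failure reports requested)")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        m = re.fullmatch(r"mailto:[^@\s]+@([^!\s]+)(![0-9]+[kmgt]?)?", uri, re.I)
        if not m:
            out.append(f"rua entry is not a mailto: URI: {uri}")
        elif not ("." + m.group(1).lower()).endswith("." + policy_domain):
            out.append("external rua needs TXT v=DMARC1 at "
                       f"{policy_domain}._report._dmarc.{m.group(1).lower()}")
    return out
```

Run against `PAGE_RECORD` for `zenithmedia.net`, the only finding is that `fo` and `rf` are set while no `ruf` address is published.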

That’s the gist of it.

We strongly recommend that you set up DMARC and either find a provider or, if you’re a developer, parse your logs yourself. This will give you a clear overview of who is spoofing your domain and how other mail servers are treating your email and, more importantly, allow you to troubleshoot email and make sure your flow is clean.

Hope this helps. I’d recommend this for marketing companies who want to make sure their mail is delivered.

If you’re our client then you’re protected and we passively monitor your mail flow to make sure everything is clean.

If you’re not our client we can help you set up your DMARC implementation and even set you up on our monitoring.
You can Open a Request or order our mail service.
