DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that enhances security by linking the sender's "From" address to the outgoing email. Within the DMARC protocol, there are three policies to consider: p=none, p=quarantine, and p=reject.
Initial Monitoring Phase
To kick off DMARC implementation, it is advisable to begin with the monitoring stage using the p=none policy. This phase allows organizations to gather and analyze DMARC reports, gradually configuring legitimate sending sources with SPF and/or DKIM protocols before moving on to stricter enforcement policies.
Types of DMARC Reports
- Aggregate Reports: Provide comprehensive data on authentication results, essential for analyzing email sources and their compliance.
- Failure (Forensic) Reports: Detail specific email failures but are not widely supported by major ESPs like Google and Yahoo.
Challenges with Aggregate Reports
Managing XML-format Aggregate reports can be complex, especially with large volumes of data. EasyDMARC’s solution simplifies this with a dashboard that visualizes and categorizes email authentication results.
Understanding Data Classification
Analyzing the XML format of Aggregate reports can be challenging, especially when dealing with a large volume of data. Utilizing EasyDMARC can streamline the implementation process. Let's delve into the dashboard of parsed reports to better understand the policy enforcement process.
- Within the "Complaint" tab, you can easily identify all the legitimate sending sources that are used for sending emails and are compliant with DMARC. To achieve DMARC compliance, it is essential for either SPF or DKIM checks to pass and be aligned with your sending domain.
It's important to note that while some sources may already be DMARC compliant, attention is still needed, especially if they only pass with SPF and not DKIM. Ensuring that all legitimate sources are also DKIM compliant is crucial, as DKIM plays a significant role in ensuring that certain practices (such as NDR/OOO emails, Forwarding, etc.) that fail SPF can still be DMARC compliant through DKIM.
- The "Non-Compliant" tab is a critical section that demands your attention. In this section, our algorithm detects sending sources that are not meeting DMARC requirements, which may include both legitimate and unauthorized sources. It is crucial to carefully review and validate each source. For legitimate sources, you will need to implement SPF and/or DKIM. Each Email Service Provider (ESP) has its own approach to setting up these protocols, and we provide comprehensive guidance. Our system encompasses over 1,400 email sources, accessible by clicking on the gear icon next to the source name.
- The "Threat/Unknown" tab identifies sources that our algorithm flags as potential hackers or cybercriminals attempting to send fraudulent emails from your domain.
- In the "Forwarded" tab, you'll find sources that are automatically forwarded by third-party entities. SPF will always fail in this tab, but DKIM usually passes if implemented correctly in your original source and the message is auto-forwarded without any changes to its integrity.
Next Steps: DMARC Enforcement
After identifying and resolving all legitimate sources used to send emails on behalf of your organization with SPF and/or DKIM, it is time to move forward with DMARC enforcement. Gradual enforcement is recommended to ensure that best practices are followed without any disruptions or false positives.
The key focus is to ensure that no legitimate sources are categorized under the Non-Compliant tab, indicating that all your sources are DMARC compliant. Additionally, it is crucial to verify that all email sources under the Compliant tab are successfully passing with DKIM. Once these criteria are met, you can proceed to enforce your DMARC policy to p=quarantine.
Under the p=quarantine policy, it is advisable to continue monitoring the sources and confirm that the changes are functioning correctly with the receiving servers. During this phase, it is essential to analyze the data, closely examine the legitimate sources, and ensure that nothing appears in the Non-Compliant tab. After a thorough analysis ranging from 2 weeks to a month, you can progress to enforcing the p=reject policy.
It is important to note that p=reject is the strictest policy, and it should only be implemented once you are confident that all your legitimate sources are compliant. Misconfigurations can result in emails failing to reach your customers. While p=reject can prevent hackers and cybercriminals from spoofing your domain, it can also impact legitimate email communication if not executed correctly. Make sure to utilize all the Alerts provided by EasyDMARC to stay informed about any changes within your organization.