What is DMARC ?

  • An e-mail authentication system that helps determining what to do when messages fail SPF or DKIM checks.
  • The receiving hosts applies the DKIM and SPF checks. Then it validates the results against the published DMARC policy and decides what to do: Block, quarantine, deliver, report to sender.
  • The DMARC policy is published via DNS TXT record.
  • Helps receiving organization decide what to do with e-mails that fails checks and create a feedback loop to allow course correction.
  • It improves and monitor protection of the domain from fraudulent email.

DMARC Fixes the Flaw:

DMARC adds features to email to make it easy to identify email. Senders are given what they need to accurately identify themselves, and receivers are given a simple way to check the legitimacy of email.

Another great feature of DMARC is that it also provides a way for the email receiver to report back to the sender about messages that pass or fail DMARC evaluation. To ensure the sender trusts this process and knows the impact of publishing a policy different than p=none (No specific action be taken regarding delivery of messages.), the receiver sends daily aggregate reports indicating to the sender how many emails have been received and if these emails passed SPF and/or DKIM and if they were aligned.

Difference between phishing and spoofing:

Both are part of the SPAM category, and even though these 2 are usually encountered together, there are also separate cases to be considered.

A spoofed email represents any email which is received from a cloned address or a cloned domain. It does not matter what is the content of the email, it is still a spoofed one from this point of view.

A phishing email represents any email which contains a malicious link to be accessed, or any email trying to fool you into providing information, money, etc. This email can be received from a work colleague, from a legitimate internal or external address, from a spammer, from a spoofed address, etc. No matter the source, the content make it into a phishing email or not.

Note:  The above is important to understand, because DMARC is designed to catch spoofed emails, but it does not catch any other type of spam. 

This does not mean that you are exposed to other types of spam. All other necessary security checks are already done for you by the EOP (Exchange Online Protection) system of Office 365.

Does DMARC block all types of phishing attacks?

No. DMARC is only designed to protect against direct domain spoofing. If the owners/operators of yourdomain.com use DMARC to protect that domain, it would have no effect on otherdomain.com or otherdomain.net (notice the ".net" vs. ".com").

While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address cousin domain attacks (i.e. sending from a domain that looks like the target being abused - e.g. yourdomain3.com vs. example.com), or display name abuse (i.e. modifying the "From" field to look as if it comes from the target being abused).

DMARC is designed to satisfy the following requirements:

  • Minimize false positives.
  • Provide robust authentication reporting.
  • Assert sender policy at receivers.
  • Reduce successful phishing delivery.

Note: It is important to note that DMARC builds upon both the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) specifications.

For any further clarification or information on topics related to Office365 and email security reach out to us on https://cloud.foetron.com.You can also visit our website Foetron for any assitance on Microsoft related products.