• This blog post was originally published on 1/12/2014 and was updated on 1/18/2019

For companies that house and handle massive amounts of customer data, security is key, particularly when sending sensitive information via email. With the growing amount of cyberattacks in recent years, financial services companies must remain vigilant and take every measure possible to secure communications with their customers. Enter: Domain-based Message Authentication, Reporting & Conformance (DMARC), an email security protocol was developed about six years ago by major email providers, e-commerce companies, and social media networks to block fake emails or have them marked as spam. The top five US banks have all adopted DMARC, has your business? Follow the guide below to learn how to ensure your financial services company meets this vital standard for email authentication:

DNS entries that DMARC uses:

1 – The DMARC DNS text entry

The following is an example DMARC text entry for DNS :

The above example was generated with the following utility:

http://www.kitterman.com/dmarc/assistant.html

In order to get this in the real world use:

2 – The SPF DNS text entry

The following is an example of an SPF DNS text entry:

You can find this for most domains by issuing a dig +short <domain> TXT. Here is an example:

More information on creating an SPF DNS text entry available here:

http://www.openspf.org/SPF_Record_Syntax

For SPF validation you can use:

http://www.kitterman.com/spf/validate.html

3 – The DKIM DNS text entry

The following is an example of a DKIM DNS text entry:

You generally can find this by doing a dig +short _domainkey.<domain> TXT. Here is an example:

You can find more details on validation of DKIM available here:

http://dkimcore.org/tools/keycheck.html

You can find a utility to create DKIM DNS entries here:

http://www.dnswatch.info/dkim/create-dns-record

The DMARC Validation Process.

In order for DMARC to begin passing a message, either the DKIM must pass or the SPF must pass, if neither passes then the action requested, in p (Domain policy) or sp (Subdomain policy) in the above DMARC DNS text entry will be adhered to. The options on the policies are none, quarantine or reject.

Once either DKIM or SPF have passed, and it can be both, DMARC will then take action based on the requested behavior of adkim or aspf.

For strict adherence:

  1. In all cases, the RFC5321:Mailfrom and the RFC5322:From must match exactly.
  2. If the adkim is set to strict then the d= entry must match exactly the RFC5322:From domain.
  3. If spf is set to strict then spf domain must exactly match the RFC5322:From domain.

For relaxed adherence:

  1. In all cases both RFC5321:Mailfrom and RF5322:From must share an organizational domain.
  2. For dkim relaxed the d= domain must share an organizational domain with the RFC5322:From domain.
  3. For spf relaxed the domain must share an organizational domain with the RFC5322:From domain.

Here are some additional resources on DMARC that you may find useful:

http://www.dmarc.org/

https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1

Enjoy!

-Daniel