• This blog post was originally published on 1/12/2014 and was updated on 1/18/2019

For companies that house and handle massive amounts of customer data, security is key, particularly when sending sensitive information via email. With the growing amount of cyberattacks in recent years, financial services companies must remain vigilant and take every measure possible to secure communications with their customers. Enter: Domain-based Message Authentication, Reporting & Conformance (DMARC), an email security protocol was developed about six years ago by major email providers, e-commerce companies, and social media networks to block fake emails or have them marked as spam. The top five US banks have all adopted DMARC, has your business? Follow the guide below to learn how to ensure your financial services company meets this vital standard for email authentication:

DNS entries that DMARC uses:

1 – The DMARC DNS text entry

The following is an example DMARC text entry for DNS :

v=DMARC1; p=none; rua=mailto:postmaster@mydomain.com; 
ruf=mailto:postmaster@mydomain.com; adkim=r; aspf=r; rf=afrf; sp=none

The above example was generated with the following utility:

http://www.kitterman.com/dmarc/assistant.html

In order to get this in the real world use:

dig +short _dmarc.<domain> TXT
<snip>
[root@mymachine ~]# dig +short txt _dmarc.sovereignsociety.com
“v=DMARC1\; p=none\; rua=mailto:84tcdfj1@ag.dmarcian.com\;”
<snip>

2 – The SPF DNS text entry

The following is an example of an SPF DNS text entry:

mydomain.com. IN SPF “v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all”

You can find this for most domains by issuing a dig +short <domain> TXT. Here is an example:
<snip>
[root@mymachine ~]# dig +short hotmail.com txt
“v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com 
include:spf-d.hotmail.com ~all”
[root@mymachine default]# dig +short spf-a.hotmail.com txt
“v=spf1 ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 ip4:65.54.190.0/24 ip4:65.54.51.64/26
 ip4:65.54.61.64/26 ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 ip4:65.55.90.0/24 
ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all” <snip>

More information on creating an SPF DNS text entry available here:

http://www.openspf.org/SPF_Record_Syntax

For SPF validation you can use:

http://www.kitterman.com/spf/validate.html

3 – The DKIM DNS text entry

The following is an example of a DKIM DNS text entry:

dkim1024._domainkey.mydomain.com. 86400 IN TXT “v=DKIM1; k=rsa; h=sha1;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZXNwzXOk0mRqPcgSUOnmVHro
rg/BZHybpiBoDS/g6IaMjmVwaQf2E72x9yDBTgiUBtTCqydQRZJ3EbfYfvo+WAHq
2yz6HKR0XCwMDSE2S3brVe7mbV/GPEvnCuFPPEVjbfL4w0tEAd8Seb5h07uVQqy1
Q7jIOnF5fG9AQNd1UQIDAQAB”

You generally can find this by doing a dig +short _domainkey.<domain> TXT. Here is an example:
<snip>

[root@mymachine ~]# dig +short google._domainkey.protodave.com TXT

“v=DKIM1\; k=rsa\; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432
pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhX
L+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB”

<snip>

You can find more details on validation of DKIM available here:

http://dkimcore.org/tools/keycheck.html

You can find a utility to create DKIM DNS entries here:

http://www.dnswatch.info/dkim/create-dns-record

The DMARC Validation Process.

In order for DMARC to begin passing a message, either the DKIM must pass or the SPF must pass, if neither passes then the action requested, in p (Domain policy) or sp (Subdomain policy) in the above DMARC DNS text entry will be adhered to. The options on the policies are none, quarantine or reject.

Once either DKIM or SPF have passed, and it can be both, DMARC will then take action based on the requested behavior of adkim or aspf.

For strict adherence:

  1. In all cases, the RFC5321:Mailfrom and the RFC5322:From must match exactly.
  2. If the adkim is set to strict then the d= entry must match exactly the RFC5322:From domain.
  3. If spf is set to strict then spf domain must exactly match the RFC5322:From domain.

For relaxed adherence:

  1. In all cases both RFC5321:Mailfrom and RF5322:From must share an organizational domain.
  2. For dkim relaxed the d= domain must share an organizational domain with the RFC5322:From domain.
  3. For spf relaxed the domain must share an organizational domain with the RFC5322:From domain.

Here are some additional resources on DMARC that you may find useful:

http://www.dmarc.org/

https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1

Enjoy!

-Daniel