Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Communications Spam IT

Ask Slashdot: How Useful Are DMARC and DKIM? 139

whoever57 writes How widely are DKIM and DMARC being implemented? Some time ago, Yahoo implemented strict checks on DKIM before accepting email, breaking many mailing lists. However, Spamassassin actually assigns a positive score (more likely to be spam) to DKIM-signed emails, unless the signer domain matches the from domain. Some email marketing companies don't provide a way for emails to be signed with the sender's domain — instead, using their own domain to sign emails. DMARC doesn't seem to have a delegation mechanism, by which a domain owner could delegate other domains as acceptable signatures for emails their emails. All of these issues suggest that the value of DKIM and DMARC is quite low, both as a mechanism to identify valid emails and as a mechanism to identify spam. In fact, spam is often dkim-signed. Are Slashdot users who manage email delivery actually using DKIM and DMARC?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How Useful Are DMARC and DKIM?

Comments Filter:
  • Not really (Score:4, Informative)

    by Anonymous Coward on Sunday November 02, 2014 @01:46PM (#48294521)

    I do technical support for an industry leading antispam email appliance. Very, very few of the admins I speak with every day utilize DKIM.

    • That does not equate to "DKIM is useless". Most email on the internet is DKIM signed at this point. If your clients don't use it, they're in the minority.

  • by Anonymous Coward

    Are my preferred tools to use on spammers.

    • by grcumb ( 781340 )
      I prefer DFENESTRATE, or in extreme cases, DCAPITATE.
      • by N!k0N ( 883435 )
        <quote>I prefer DFENESTRATE, or in extreme cases, DCAPITATE.</quote>

        Too bad DFENESTRATE is a windows-only application.
  • by green1 ( 322787 ) on Sunday November 02, 2014 @01:59PM (#48294605)

    The poster complains that some email marketing (spam) companies don't provide any way to avoid being caught by these anti-spam tools... sounds like a good thing to me...

    • by Pentium100 ( 1240090 ) on Sunday November 02, 2014 @04:01PM (#48295551)

      This. Every time I see a complaint that "some tool" makes it harder for "marketing companies" to send email I think that I should use that tool for my email servers if I am not doing that already.

      Pretty much nobody wants to get spam and that includes the marketing emails, not just the regular "vi@gr@" and "Nigerian prince" spam. Pretty much nobody cares that you do honor the "unsubscribe" link, because a lot of others don't, so it is much easier to just tag your email as spam and hope to never see it again.

      • This. Every time I see a complaint that "some tool" makes it harder for "marketing companies" to send email I think that I should use that tool for my email servers if I am not doing that already.

        Your reading skills need some more work. My point was that the tools are ineffective, irrespective of who is using them.

        • Being snide isn't useful. You didn't make your point in the summary at all in this case. Pentium100's impression is very likely what everyone else read as well.
    • Actually, my central point was, as a non-email marketer, there is little value in spf, dkim and dmarc, since (according to spamassassin) they are poor indicators of whether something is spam or not.

      But, what the heck, it's easier to get in a cheap shot than a reasoned comment.

      • You obviously haven't experienced spam being sent out to people claiming to be from your domain yet -- you'll implement DKIM and SPF that week ...

      • SPF is all about preventing joe-jobs where someone sends out malicious email and uses your email address to do it.

        With properly configured SPF records (with "-all"), you're telling all of the mail servers of the world (or the majority which support SPF) that if the email doesn't come from a select (and small) group of IP addresses that they should discard it. A message that fails SPF verification is a very bad thing in most spam software and will get a severe down-vote.

        That being said, SPF is not anti-
    • Also means you should avoid those services. My company had to rule out MailChimp for email specifically because they wouldn't support those protocols. It's unfathomable to me that a company who's entire business revolves around sending email does not actually have a way to let you use these.

      • Also means you should avoid those services. My company had to rule out MailChimp for email specifically because they wouldn't support those protocols. It's unfathomable to me that a company who's entire business revolves around sending email does not actually have a way to let you use these.

        I just looked at a Mailchimp delivered "Newsletter" and it has SPF, DKIM, and DomainKey.

        • Through their servers. You can't do it for your domain though (or at least you couldn't last year). Might have changed since they started offering their Mandrill product and virtually MUST have that capability.

    • I use DKIM and SPF on all domains I administer with appropriate settings on each and then advertise DMARC records stating that SPF and DKIM should be expected on all messages. This means anyone attempting to send E-mail as one of my clients to a server using DMARC will fail. I see no down side either.

      • by HJED ( 1304957 ) on Sunday November 02, 2014 @11:42PM (#48298439)
        It breaks a few mailing (discussion, not advertising) list programs (such as my uni's one) if you send from a SPF protected address because the list server forwards it with you address in the from boxs. Other then that it works well.
        • It breaks a few mailing (discussion, not advertising) list programs (such as my uni's one) if you send from a SPF protected address because the list server forwards it with you address in the from boxs. Other then that it works well.

          Then that mailing list is poorly maintained. I belong to dozens of mailing lists on a domain with very restrictive SPF records and have never had issues.

          If you allow the mailing list to forge your email address, then *everyone* can forge your email address. The better mai
          • by HJED ( 1304957 )
            Whilst that is true, I don't have any say in how the software is setup and have to use it. I'm sure this is the case for many people, so it definitely is a strike against companies implementing reject or spam responses to spf.
            • Therefore as I said, it works as advertised. Mailing lists should never have been forging from addresses in the first place and DMARC and SPF help prevent that source of spam for many people.

              Sometimes breaking things is the correct behaviour.

  • by Psyko ( 69453 )

    spf, dkim, dmarc, so many ways to try and accomplish the same thing and none of them work well because nobody trusts any of them fully and few people have them fully implemented... Obligatory xkcd [xkcd.com]

    • by Anonymous Coward

      That would be an acceptable thought, except that even when it was just SPF and DKIM most admins didn't bother with it. And you're really supposed to be using both as they don't do they complement each other.

      Ultimately, ti's the same as IPv6 nobody bothered because they wanted everybody else to go first and meanwhile nothing was being done.

    • Valid DKIM signed mail from Yahoo still has a very high likelihood of being spam. They don't seem to do nearly enough to prevent spam originating from their network.

      • Big time. When a lot of the spam you get is from compromised machines, a valid DKIM signature means absolutely nothing. I have both SPF and DKIM implemented on my mail server, and I honestly can't say it's made much of a difference except I almost never get bounces from outgoing mail.
      • DKIM does NOT mean that a message isn't spam, it means that Yahoo really sent it.

        DKIM is fixing a completely different problem; random spammers sending out E-mail from their own servers claiming to be from Yahoo (or another domain).

        I've had this happen to domains I administer and its incredibly annoying, especially when clients get E-mail claiming to be from me. DKIM fixes this problem.

  • Here we go again (Score:5, Interesting)

    by Anonymous Coward on Sunday November 02, 2014 @02:03PM (#48294651)

    Your post advocates a

    (X ) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (X ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (X ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (X ) Requires immediate total cooperation from everybody at once
    (X ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (X ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (X ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (X ) Armies of worm riddled broadband-connected Windows boxes
    (X ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (X ) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    (X ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    (X ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (X ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    (X ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (X ) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    • The clever form should have been attributed to its author, Corey Doctorow. . It has long been useful when responding to someone's believe that they have the Final Ultimate Solution to the Spam Problem (FUSSP).
    • by allo ( 1728082 )

      > (X ) technical ( ) legislative ( ) market-based ( ) vigilante

      > (X ) It will stop spam for two weeks and then we'll be stuck with it
      it will stop forgery. forever.

      > (X ) Requires immediate total cooperation from everybody at once
      It does not.

      > (X ) Lack of centrally controlling authority for email
      Not needed, not implemented

      > (X ) Huge existing software investment in SMTP
      None. SMTP stays as it is.

      > (X ) Armies of worm riddled broadband-connected Windows boxes
      Which do not have the keys for yo

    • by mcrbids ( 148650 )

      I've seen this lame list for 10 years, pretty much trolling bait. But based on this, I wonder if you even know how DKIM works?

      (X ) It will stop spam for two weeks and then we'll be stuck with it

      Pretty touch to crack legitimate encryption.

      (X ) Requires immediate total cooperation from everybody at once

      Not at all. You can use it, or not. If you don't use it, you essentially give permission for black hats to spoof your identity. Also, if you are an admin, you can choose what you do with DKIM.

      (X ) Many email users cannot afford to lose business or alienate potential employers

      How is being able to protect your account from being spoofed going to affect business?

      (X ) Lack of centrally controlling authority for email

      Why would you need one? DKIM is done via DNS and is under the co

  • by Anonymous Coward

    Even of one pronounces Marc and Kim and DMARC and DKIM, their names should be written correctly! of course, you could wrote "The Marc" and "The Kim".

  • by DamonHD ( 794830 ) <d@hd.org> on Sunday November 02, 2014 @02:05PM (#48294679) Homepage

    DMARC would work a lot better if Google for one didn't wrongly try to internally forward as-is *and then bounce* email from DMARC-controlled domains, thus making it impossible for example to get through for many support queries, and causing spurious problems with (say) Google Calendar when the account ID is in a DMARC-controlled domain.

    Left hand vs right hand Google? You guys are meant to be smart!

    That and randomly chucking email from DMARC-controlled domains in SPAM folders...



  • by david.emery ( 127135 ) on Sunday November 02, 2014 @02:08PM (#48294697)

    A lot of the mail I get that goes into quarantine or marked as spam comes from outsourced senders, where Domain.com uses some 3rd party to send mail on behalf of it. This can be ISPs, companies like Constantcontact.com or God-only-knows what else. Of course, the company who bought this service probably doesn't know or want to understand what the problem is, and the company that's doing the outsourcing has no real incentive to make sure their hosts (including SPF, etc) are configured properly.

    • by Anonymous Coward

      That's because the 3rd party isn't doing it right. When one receives such a message for forwarding, one is supposed to verify that it passes the checks and then resign them with your information. And as long as the specification works you wind up with a message being accounted for all the way to the sender.

      And you're right that the sender ultimately has responsibility here. They're also the ones that get burned when emails wind up disappearing because somebody's server won't pass them on.

  • by StripedCow ( 776465 ) on Sunday November 02, 2014 @02:11PM (#48294723)

    Are there any guides out there describing how to send e-mail *reliably* these days?
    Seems that the RFCs don't cut it anymore, since there are so many undocumented rules that large e-mail providers (gmail, etc.) use.
    If you'd go by the RFSs alone, your e-mail just ends up in a spam-filter (at best) most of the time.

    • by raxx7 ( 205260 ) on Sunday November 02, 2014 @02:38PM (#48294935) Homepage

      Follow the RFCs. Don't leave your outgoing server poorly configured.
      A number of e-mail servers check for strict adherence of RFCs, which many spambots fail.

      Implement DKIM and DMARC, maybe SPF.
      If you're using a mailing list, beware on how SFP/DKIM and DMARC can break it.

      Don't send unwanted bulk e-mail. Really. DON'T SEND UNWANTED BULK E-MAIL even if you're asking for donations to UNICEF.

      Don't let your outgoing e-mail server be used to send unwanted bulk e-mail. Don't leave it as an open relay, don't bounce messages, filter for e-mail outgoing unwanted bulk e-mail.
      If you can't sanitize it's output, consider using a different outbound e-mail server for the important stuff.

      Don't let your network be used to send unwanted bulk e-mail.
      If you can't sanitize your network, place your outgoing e-mail server somewhere else.

      Don't place your outgoing e-mail server in a domestic internet access. Most of they are permanently blacklisted.

      Beware of your ISP/data center's network.
      If they are not active in blocking spammers on their system/network, you can become blacklisted as a collateral damage.
      Be specially beware of shared hosts.

      • Don't place your outgoing e-mail server in a domestic internet access. Most of they are permanently blacklisted.
        Beware of your ISP/data center's network.
        Be specially beware of shared hosts.

        Don't use your own Internet service, don't use your ISP's network, don't use a datacenter's network, and don't use a shared host.

        What's left? I see nothing more other a carrier pigeon or a paper envelope with a stamp on it.

        • by raxx7 ( 205260 )

          I'm pretty sure I didn't write "don't use" all of that stuff.
          I just wrote "beware".

          The majority of ISPs, data center operators and hosting providers are pro-active or act quickly to keep their networks clean of spammers -- they don't want to end up on Spamhaus' shitlist.
          I don't have any problems with our business internet connection, nor do I have any problem with my hobbies' hosting providers.
          I do my bit to keep clean and they do their bit and it all works well.

          But some operators are lazy and a minority ac

      • That blocking of ISP ranges is a real problem -- many ISPs offer business dedicated IP ranges suitable for running services like E-mail off of but are incorrectly marked as home network addresses by various idiots.

  • I send bulk email.. (Score:5, Informative)

    by TechyImmigrant ( 175943 ) on Sunday November 02, 2014 @02:18PM (#48294765) Homepage Journal

    I send bulk email for an opt-in list with mailman (opt in as in you have to walk in the store and physically write your email on our sign up sheet).
    We have Google host the email for the business and use self hosted for the important stuff.

    To get SPF and DKIM working for the business I determined that I could not do this through google. The bounces get redirected to the wrong place and the sender auth fails. I needed bounces to come to me, not Google, so mailman could do the bounce processing. So I had to set up a separate self hosted mail machine with a separate domain, so that the sending domain could match the sender and the bounces could come back to the same place and get bounce processed.

    Email sucks and SPF, SKIM and probably DMARC suck.

    • by Animats ( 122034 )

      Well, yes. Why should Google give you free bulker hosting?

      • Free? We pay them for the service.

    • by dotancohen ( 1015143 ) on Sunday November 02, 2014 @03:26PM (#48295297) Homepage

      Email sucks and SPF, SKIM and probably DMARC suck.

      What is wrong with SPF?

      v=spf1 include:_spf.google.com a -all

      That will let you send mail through google, and additionally through any server mentioned in an A record. DKIM sucks, yes, I agree.

    • I send bulk email for an opt-in list with mailman (opt in as in you have to walk in the store and physically write your email on our sign up sheet).

      It's not opt-in unless you send out a verification email to the address on the sign-up sheet. You have zero guarantee that the person writing down that address has the permission of the person who receives mail at that address. That verification email should explain how you obtained the address and require action on the recipient's part in order to remain o
  • SpamAssassin & DKIM (Score:5, Informative)

    by Zocalo ( 252965 ) on Sunday November 02, 2014 @02:20PM (#48294793) Homepage
    Default scores in SpamAssassin have been assigned based on tests against a large corpus of both emails to obtain a statistical likelihood that a given email will be spam or not for ages, so I take the positive score (more likely to be spam) as a pretty solid indication that its use doesn't provide a good indicator of legitimate mail. Ironically, the biggest culprit for that is probably one of DKIM's biggest proponents, the sheer volume of spam from compromised Yahoo accounts and signed by Yahoo's outbound mail relays is largely responsible for that positive score in my experience - if only they'd do better spam filtering of their outbound email... Not that they are the only ESP with that failing, of course.
    • by Anonymous Coward

      This. Wish I had mod points for you.

      If DKIM raises the probability that SpamAssassin will block a mail, that's because SpamAssassin believes, based on statistical analysis, that DKIM-marked e-mails are more likely to be spam. DKIM never stopped spam, but spammers just adapted to it. Mailing lists admins didn't have the training and resources to adapt as well. There's very little difference between listservs and spam, except training and resources: the spammers are pros.

    • That's not how it works. SpamAssassin scoring is "stupid" and stateless, which is a deliberate (and good!) design. You don't write rules like "give negative (less likely to be spam) scores to valid DKIM signatures, but positive scores to invalid signatures". Instead, you write two rules: "add 3 if there's a DKIM signature" and "subtract 3 if the DKIM signature validates". The net result is that unsigned email doesn't get a DKIM-related score adjustment. Email signed with an invalid signature gets 3 added to

      • by Zocalo ( 252965 )
        I was talking about the *net* average score for DKIM signed emails as a whole, which does indeed seem to be positive - e.g. more likely to be spam - and pointing out that the one major reason for that being the case is actually Yahoo! because they put a *legimate* DKIM signature on their outbound email regardless of whether it's spam or not. The upshot of that is that a lot of spam from compromised accounts hits the net with a valid DKIM signature and so the probability of an email with a valid DKIM signat
  • by Anonymous Coward

    Orbitz uses DKIM in their email blasts. They ignore all requests to be removed from these email blasts.

  • We've been running it since 1997 and it was fine until AOL changed their policy. Then some members on the list couldn't get email. And they reported problems with other lists. I made a change to the server but it didn't help and more big ISPs started rejecting traffic from our list. Earthlink outright banned our ISP for it's 5 members and the owner of the system had to contact Earthlink to get it fixed. It took two weeks and in the end we were asked to shutdown our list.

    I don't know what others are doin

  • Can't e-mail people on AOL or Yahoo anymore, and anyone on those services can't sent to a mailing list.

  • by tlambert ( 566799 ) on Sunday November 02, 2014 @03:29PM (#48295319)

    Why the mailing lists broke... They didn't follow RFC 2476 with regard to RFC2822 headers and what can and can not be rewritten, and then they failed to sign the messages with their own mail server signatures.

    If you are going to send messages, the policies and protocols force you to take responsibility for the fact that you've sent them, and if you're unwilling to do that, then you don't get to send mail to people who don't like you not taking responsibility.

    Too bad, so sad, fix your configuration or you lose.

  • by ourlovecanlastforeve ( 795111 ) on Sunday November 02, 2014 @03:39PM (#48295409)

    Former technical support rep for an email marketing company, here.

    You only need DKIM if you send a massive amount of mail to users at Yahoo or Microsoft (outlook.com, hotmail) domains.

    The purpose of DKIM is to verify the mail you're sending is actually coming from your domain and not someone who is spoofing your domain.

    Nobody cares about DMARK.

    Yahoo and Microsoft throttle email based on whether or not your domain has proper DKIM keys setup.

    If you don't have them set up you can only spam about a thousand messages before you get blocked.

    However if you set up DKIM you can spam Yahoo and Microsoft mail (hotmail, outlook.com, etc) users all day long and those mail providers will turn a blind eye.

    • Nobody cares about DMARK? Seriously? If you're going to try and claim to be some kind of authority on anti spam, at least try and spell the names of the standards correctly! It's DMARC!

      The asker of slashdot, and you, are both deeply confused about what these technologies are for.

      The purpose of DKIM is not to be some kind of "anti evil bit". DKIM signing your mail does not imply it is or is not spam. The only thing DKIM does is make it easier for spam filters to identify the source of mail, so that mail stre

    • I don't recommend hiring the OP here; not only do they not realize its DMARC, but they don't seem to realize what DMARC and DKIM actually accomplish.

      Luckily there are easy-to-read summaries like this one: https://support.google.com/a/a... [google.com]

      • by tepples ( 727027 )
        But if you have a third-party sender relay mail through your network, as the linked page recommends, the messages are likely to get classified as unwanted due to your IP address being in a block on the "residential and small office" list.
        • I don't know what your point is at all.

          A) I send my own mail, I sign it all using DKIM and advertise a DMARC record that says so.
          B) I have a third party I trust sending mail as me, I send them a key to sign mail with and add them to the SPF senders list and advertise a DMARC record saying so.
          C) I have a third party relay messages through my own server; A) applies and works fine.
          D) I use a third party relay myself, I sign the messages before going out and publish an SPF record saying they are trusted and a D

    • by grahamm ( 8844 )

      You should also be using DKIM, SPF and DMARC if you are bank, a financial institution, or other domain which is high risk for forged phishing emails purporting to be from you. This allows the recipients to differentiate between your legitimate emails and forgeries.

  • by sithlord2 ( 261932 ) on Sunday November 02, 2014 @03:54PM (#48295515)
    Basically, there are two sides to implementing SPF and DKIM:

    - Outgoing mail: yes, it's probably a good idea to set up SPF and DKIM on your outgoing mail-servers and DNS. You'll less likely end up in the "junk" folder of Hotmail or GMail. Setting up SPF and DKIM is actually not as hard as some people seem to think. There are enough free services on the Internet that will check if your config is correct. While you are at it, make sure your mailserver is configured to use the STARTTLS SMTP command. Most spammers don't use TLS over SMTP, so it's a little extra that can give you an advantage in anti-spam filters.

    - Incoming mail: this is where most of the problems arise. There are a lot of mail servers out there that don't implement it, or don't implement correctly. For my personal mail setup (which runs on PostFix), I decided to implement them as they should be (SPF softfail/hardfail according to sender DNS records etc...). If you run a business, this might result in loss of business mail, so might want to ignore SPF and DKIM

    TL;DR: Configure it for your outgoing email, ignore it for incoming mail. ("Be Strict with Yourself and Lenient Towards Others" - Fan Chunren )
    • Setting up SPF correctly for your domain does have the side-effect of stopping a lot of bounceback spam (where they forge your address and send it to someone else, so you get the rejection), and can be useful for that reason alone.

      But yeah, incoming mail it's not really a big discriminator. Worth looking at slightly, but not really all that useful. (Which means in general it's just more work you'll need to do to set up an email server, which doesn't have much benefit.)

  • Very Useful (Score:4, Interesting)

    by zamboni1138 ( 308944 ) on Sunday November 02, 2014 @04:27PM (#48295701)

    I have DKIM and SPF in place for a domain that needs to send out important emails. It is not that difficult to get in place (assuming you're already comfortable with DNS, SMTP, Public/Private key encryption and debugging email problems). Setting up OpenDKIM alongside a PostFix install is straight-forward. And you don't need to buy a Certificate from a CA to get it working for the public.

    Google checks both the SPF and DKIM when receiving mail, and you can see the results their servers come up with in the header of the received mail. Your message will also display "signed-by: [domain.tld]" in the header details popup.

    I have never seen or gotten reports of emails that pass both DKIM and SPF checks going into Google's "spam" folder or otherwise being delayed/redirected.

    In short, I find it very useful to help assure my customers that data will be kept flowing properly, to the best of my ability anyway. Haven't looked into DMARC much.

  • by MillerHighLife21 ( 876240 ) on Sunday November 02, 2014 @05:24PM (#48296033) Homepage

    I implemented the strictest controls possible for a site that was being heavily phished and it worked very well. Here's the things you have to understand about DMARC, DKIM, and SPF (since SPF matters to DMARC too).

    As a basic overview, here's what these do.

    SPF = Only allow emails from specific domains / ip addresses
    DKIM = When an email arrives, verify the signature with the domain it claims to be from to ensure it actually came from there
    DMARC = How strict should we be with SPF and DKIM?

    DMARC in itself isn't an actual verification system. What DMARC does is allows you to tell mail servers exactly how to handle emails that do not pass SPF and/or DKIM checks. Without DMARC, mail servers have to guess and basically follow their own rules. If you've taken the time to document where email from a particular domain comes from (including 3rd party services), ensured that your SPF includes everything, and have verified that all emails are signed with DKIM then eventually you can be strict enough with your DMARC settings to say that anything not passing both SPF and DKIM can simply be trashed. That's what the strictest setting looks like. You can also tell mail servers to send it to the spam folder, just in case you missed something. You can tell it to treat SPF strictly and ignore DKIM or vice versa. You can tell it to apply your DMARC rules to a percentage of your emails (to make it easier to transition into to using it with a small group of messages). You can also have providers send you an XML based email of the days activity to see how messages were handled from different services and where those messages originated. The reports can be a pain to make sense of but once you have everything setup properly you tend to stop looking at them.

    It's important to remember, because SPF if easier to implement since it's just a DNS rule. For DKIM you have to actually sign the email before it's sent which may or may not be possible from all of your various points of email origin. DKIM is better, but that makes it more complicated. And that's why you have to have something like DMARC so that you can tell mail servers just how thoroughly those rules have been implemented.

    The site that I implemented it for was a very old site where people managed high dollar transactions over email. Phishing was RAMPANT but even more so because there was a good chance a phisher could pass off an email as actually coming from our domain. The combination of 3 protocols in strict mode stopped that completely. It didn't stop PHISHING, but it did secure our domain against it. After that phishers had to use other domains, leaving off a middle letter, trying spelling variations, etc. This gave us the ability to work with registrars to either buy the domains or report the domains for abuse.

    As an early poster said, you can't completely stop phishing but there are preventative measures you can take to protect compromised accounts.

    After that we took additional steps to secure users accounts. We started recording ip addresses with all logins or return visits along with geographic data from MaxMind. Once we had enough sample data to create a general point of origin, we started locking accounts if they were accessed more than 200 miles from their normal center point and always if they logged in from a different country. As soon as the account was locked for a geographic reason, we sent users an email notifying them that their account had been accessed from another country or outside of their area and that if this lock was in error, they could click a link to disable that function for 2 weeks while they were traveling. Otherwise they should change their password. Users really appreciated it. We expected some usability frustration, but overall these users were very happy to know we were watching out for them.

    People also tried to create fake accounts on the system to initiate transactions. For that, we took a page out of Fark's playbook. On Fark, when you get blocked / banned you don't KNOW you've been banned.

    • For all of the goodness of the above extended comment, it misses some important marks:

      DKIM assigns a validated identifier to a message. It does /not/ tell you who "sent" the message, in the sense that folk normally mean. The validated identifier, for example, does not have to have anything to do with the message author or the originating organization. However once a message reliably has a validated identifier, then that identifier can be used to build a noise-free reputation. The DKIM identifier ca

    • Dude, this is why I visit slashdot. Great info, thanks a lot.

      • Thanks! From what I understand it's pretty rare for a company as small as that one to get phished as heavily as it was. Having full responsibility to deal with something like that among other development priorities was a unique experience.

  • DKIM, SPF and DMARC are in reality not very wide implemented, but the thing is many biggies in the tech scene implemented them, so that millions of mail adresses are now being affected by them. The thing is, anyone can sign his emails with DKIM. This only tells that he's able to do it, it doesn't tell anything about if it is Spam or not. In fact, many spammers were the first to sigh their mails with it. DKIM is only a mechanism to make sure the sending domain is not being forged, nothing more, nothing les
  • I had lots of mails bounce after Yahoo implemented DMARC.

    However, with a bit of patience, I was able to implement DKIM and SPF for my domain, and now all the mails get delivered to Yahoo addresses.

    I wrote about how ot configure SPF and DKIM in this article: Setting up SPF and DKIM for Postfix [baheyeldin.com].

  • My company (Roaring Penguin) uses SPF for outbound mail and we DKIM-sign our mail too. Our antispam software also supports SPF and DKIM. We don't yet support DMARC, but probably will at some point. The problem with fully supporting DMARC is the reporting component. It's a real bear to send DMARC reports, but obeying DMARC policies is much easier. We'll start by doing DMARC-policy-obeying first and then think about reporting.

  • I was involved in some quite heated discussions on the DMARC list about one problem. DMARC is supposed to prevent someone from forging the From: header sender (and to a lesser extent if used with SPF, the envelope sender.)

    The problem is that most MUAs (mail clients) do not show the full email address of the sender. They only show the full name. For example, a header that looks like this:

    From: American Express Fraud Dept <bozo@example.com>

    will be displayed in a typical mail client as just A

  • Version 12 of DMARC provides enhanced authentication for protection of the user account. The user finds availability of the multiple security keys. The most important betterness of version 12 over version 11 is the elimination of all possibilities of the man in the middle attack. Many reports of man in the middle attacks still happen so I doubt this advantage. If have the concern of man in the middle attacking of your system, use MAILP3 or an SPF factor of at least 40.
  • I work for a Real Estate company, and we have a nice Exchange setup (with DKIM) through our parent corp. A number of our agents (for mainly silly reasons) prefer to use personal email accounts, so they forward from their corp addresses to their personals. A number of tools they use fall into the category mentioned in the article, so emails are sent "from" their addresses but signed by say, docusign. Then they freak out because they aren't getting contracts.

    That mail from Facebook and LinkedIn don't get

  • With a gubernatorial campaign. First we used one of the big campaigner sites. They are based in Canada. They didn't like that people bitched so we got a pipe from the local provider, setup and outbound smtp server and started from there. Immediately started getting bounces from AOL. Decided it wasn't worth implementing their paradigm.
  • In my org (a high school) we were having issues with spambots using our organization's address in the From: field for spam campaigns. The turning point for us was when a malware payload came with a From: field of the assistant principal addressed to many of our employees. The mail was not from one of our mail servers, but the From field trick some of our users into opening it. With DMARC + DKIM and a strict policy we have eliminated this problem.

    We did have some minor implementation headaches. Our admission

  • I use DKIM and DMARC on the email from my domain, so I have some experience. The benefit of DKIM (and SPF) is that the email I send does not automatically get mis-identified as spam. Before implementation, it was. Later I discovered that some spammers were forging the headers in their email to indicate that they were sent from my domain, so I implemented DMARC to see if that would stop it. DMARC is hard to set up and it has problems. Not many email hosts support it, so it is not very useful either. Some of

"Never face facts; if you do, you'll never get up in the morning." -- Marlo Thomas