Email Management

While it may all seem simple on the surface, emails are complicated.

Emails have been manipulated in the past to perform malicious tasks unimaginable to humans.

This is why email authentication and verification processes are now much stricter than they were a few years ago.

What Is Domain Based Message Authentication Reporting And Conformance (DMARC) Policy & Reporting

This reporting mechanism helps you set up tighter, correctly configured DMARC policies.

Previously, many email service providers didn't make the use of DMARC policies compulsory for email servers.

SPF records tell the incoming mail server which servers it should accept emails from.

If it's not on the list, the email is probably a fake.

This is where DMARC comes in.

Right now, do not be alarmed by this term.

That said, it is likely not the case.

Some emails, despite failing both SPF and DKIM checks, still end up in the user's inbox.

It uses a special syntax and file name that identify it as a DMARC record.

The DMARC record holds the DMARC policy.

Emails pass or fail SPF and DKIM checks.

It is the same selector in the DKIM header in an email.

Similarly, the name of the DMARC record on a DNS server also needs to be specific.

Normally it is DMARC1.

p (Mandatory): Instructs what to do with emails that do not pass authentication.

It can be none, quarantine, or reject.

Valid value is a 32-bit unsigned integer.

Meanwhile, you’re free to analyze the generated DMARC reports and configure the policies correctly.

Both of these must include mailto, if being used.

If you do not use this tag, the default value will be Relaxed for both of these tags.
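
The tag rules described so far (a mandatory policy of none, quarantine or reject, report addresses that include mailto, a 32-bit unsigned integer, and Relaxed as the default alignment mode) can be checked before a record is published. The Python below is an added example, not code from the original article; the tag names (v, p, rua, ruf, ri, aspf, adkim) follow RFC 7489, and the sample records and example.com addresses are constructed.

```python
# Added example: checks a DMARC TXT value against the tag rules above.
# Tag names follow RFC 7489; the sample records are constructed.
U32_MAX = 2**32 - 1

GOOD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ri=86400"
BAD = "v=DMARC1; p=monitor; rua=dmarc@example.com; ri=4294967296; aspf=x"

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def validate_dmarc(txt):
    """Return (effective settings, list of problems) for one record."""
    tags, problems = parse_dmarc(txt), []
    # The version tag must come first and is DMARC1.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p is mandatory: none, quarantine or reject")
    for tag in ("rua", "ruf"):  # report destinations, both optional
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag} address lacks mailto: {uri.strip()}")
    ri = tags.get("ri", "86400")  # reporting interval in seconds
    if not (ri.isascii() and ri.isdigit() and int(ri) <= U32_MAX):
        problems.append("ri must be a 32-bit unsigned integer")
    settings = {"p": policy}
    for tag in ("aspf", "adkim"):  # alignment modes default to relaxed
        mode = tags.get(tag, "r").lower()
        if mode not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
        settings[tag] = mode
    return settings, problems

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(record, "->", validate_dmarc(record))
```
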

I understand that the term alignment may be confusing, and you may be wondering what it means.

Since it is a confusing topic, I have explained it in detail in the next section below.

Remember when we had discussed that the FROM HEADER was different from the MAIL FROM header?

If not, don't worry.

Here is a quick recap.

An email has two parts (or does it?)

A body and a header.

The body is where the text is, and the header is what contains the metadata for the email.

The header has different parts; for example, the sender's information, the receiver's information, etc.

It also has the DKIM header (which is different from a DKIM record).

The envelope has additional information about the email.

More precisely, the envelope has a FROM header, which is also available in the email's header.

However, there is a difference.

It is called the FROM HEADER.

While this header also contains the email's sender, it might not be the same as the FROM HEADER.

Note that both of these headers have the sender's domain inside them.

This information is important since this is what SPF, DKIM, and DMARC use for alignment.

For SPF alignment to pass, the domain name in the MAIL FROM header must match the domain name in the FROM HEADER.

If the value is set to s for Strict, the two domains need to be an exact match.

The following table might help you understand better:

With that understanding, let us move on to DMARC alignment.

Aggregated reports are sent intermittently, perhaps once a day.

It is in the HTML format, therefore quite hard to understand.

People usually use third-party services or apps that take these HTML reports and translate them into human-readable format.

These are in plain text and therefore understandable by humans.

Read more about it in the Allowing DMARC Reports section below.

Moreover, before setting up the DMARC record, I would also recommend that you configure DKIM and SPF first.

Although DKIM is not necessary, it is very much recommended.

However, the same logic and syntax apply.

Start by logging into your DNS server and navigating to the zone management portal.

It is recommended that you keep the policy lenient initially.

When done, click Save Record.

After performing the steps above, wait a while so the new DNS records can propagate across the internet.

This can take anywhere from a few minutes to a day.

After a while, you may start tightening your DMARC policy and begin filtering out unauthenticated emails.

DMARC reports go out easily if you are sending them to someone on the same domain.

To send reports to someone outside of the original domain, you must configure External Domain Verification or EDV.

EDV is set up as a DNS TXT record on the receiving domain.

EDV records are specific to the domain that you want to allow the reports from.

However, the record value and the name need to be specific.

After going through it, you should be able to understand DMARC lookups and even configure them if needed.

source: www.itechtics.com