Lead Image © tigger11th, Fotolia.com
Email sender verification with DMARC
Traffic Control
Faking email senders is easy. Because email was not originally intended as a global communication tool, the system offers no convenient means for checking email addresses. Developers and large corporations have thus bolted additional functions onto the mail protocol to retrofit sender verification. DMARC (Domain-based Message Authentication, Reporting, and Conformance) [1], which is the result of cooperation between Google, Yahoo, and other major corporations, seeks to reduce spam and tackle the problem of sender verification at the root.
Based on SPF and DKIM
DMARC checks the domain used by an address, thus discovering whether the sender is legitimate. To check the domain, DMARC relies on two established technologies: DKIM (Domain Keys Identified Mail) and SPF (Sender Policy Framework).
DKIM is a technology developed by Yahoo that effectively turns the DNS servers into a CA and supports mail verification by means of asymmetric cryptography. When the receiving mail server receives an email message, the message carries a digital signature applied by the sending server. DMARC uses the public key provided by the DNS server in the sender's domain to verify or refute the origin of the mail. SPF uses TXT entries in domain zones to determine which servers are allowed to send email from this domain.
DMARC combines these two features and adds a new feature on top: Admins can create a set of rules to decide whether or not incoming email has successfully negotiated SPF or DKIM. In addition to the existing TXT records for DKIM and SPF, admins simply create a third TXT record for DMARC that describes what to do with messages that fail SPF or DKIM. The record for Yahoo, one of the co-inventors of DMARC, is merciless:
v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com;
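The following added example (not code from the article) parses the record above and shows which policy a receiver is asked to apply. The names `parse_dmarc` and `disposition` are hypothetical, and the code assumes the RFC 7489 rule that a message passes DMARC when either SPF or DKIM passes with an aligned domain.

```python
# Added example: minimal DMARC TXT record parser and policy lookup.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into normalized settings."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in the record above
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first, otherwise this is not a DMARC record.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    # sp= (subdomain policy) falls back to p= when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {sub_policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    # rua= is a comma-separated list of aggregate report URIs.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"p": policy, "sp": sub_policy, "pct": pct, "rua": rua}

def disposition(record, spf_aligned, dkim_aligned, is_subdomain=False):
    """Return 'pass' or the policy requested for a failing message."""
    if spf_aligned or dkim_aligned:
        return "pass"
    return record["sp"] if is_subdomain else record["p"]

# The record quoted in the article.
YAHOO = ("v=DMARC1; p=reject; sp=none; pct=100; "
         "rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com;")

if __name__ == "__main__":
    rec = parse_dmarc(YAHOO)
    print(rec)
    print(disposition(rec, spf_aligned=False, dkim_aligned=False))
    print(disposition(rec, False, False, is_subdomain=True))
```

With this record, a failing message from the domain itself is rejected, while `sp=none` means a failing message from a subdomain is only reported.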
The