Situation | You want to know how DMARC works with Proofpoint Essentials.
---|---
Solution | This article explains how to enable DMARC authentication in the new Anti-Spoofing section, as well as the following:
How To Enable DMARC Authentication
- In the sidebar, under Security Settings, navigate to Malicious Content > Anti-Spoofing.
- Under Inbound DMARC, select Allow the sending domain's DMARC policy to determine whether or not to block messages.
- Click Save.
If the setting is enabled AND the From header domain of the sender has a valid DMARC record, then the individual DKIM and SPF policies are ignored and the sender’s DMARC policy determines the action taken on the email.
Anybody can buy a domain, including those with malicious intent. However, it is the From Header domain that is most often spoofed. As such, we look up the DMARC record of the From header domain and NOT the record of the Envelope Sender/Return Path domain (which is used to authenticate SPF).
How Proofpoint Uses The DMARC Policy
Some Definitions
Return-Path: <splinter@tmnt.org>
Delivered-To: <shredder@turtlesoup.com>
Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain
of splinter@tmnt.org designates 1.2.3.4 as permitted sender)
smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
Received: from ...
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=tmnt.org;
s=february2021; i=@tmnt.org; q=dns/txt; h=...
Date: Wed, 4th Feb 2021
From: "Splinter" <splinter@tmnt.org>
To: "Shredder" <shredder@turtlesoup.com>
Subject: Recipe Ideas
Email headers contain multiple fields with addresses/domains, and it is important for DMARC to be able to distinguish between them.
- Envelope From Domain - The return path (sometimes called the reverse path, envelope sender, or envelope from; all of these terms can be used interchangeably) is the value used in the SMTP session in the MAIL FROM command. The domain from this field is the value used for typical SPF authentication.
- From Header Domain - The FROM address is the value found in the FROM header. This is supposed to be who the message is from, and it is what you see as the "FROM" in most mail clients.
- DKIM Signature Domain - In the DKIM signature field, d= indicates the domain used with the selector record to locate the public key. The value is a domain name owned by the sender.
Anatomy Of A DMARC Record
Tag Name | Purpose | Sample
---|---|---
v | Protocol version | v=DMARC1
p | Policy for organizational domain | p=quarantine
rua | Email address to send aggregate reports to | rua=mailto:dmarc-reports@domain.com
In total there are 11 tags. The only mandatory tags are v and p. It is strongly recommended that the rua tag is included so that organizations receive reports. Proofpoint is mainly concerned with the p tag, which has three options: none, quarantine, and reject. For more information, and for a full list of each tag and what it does, see the following third-party resource: https://dmarc.org/overview/
What Action Will Proofpoint Take Based On DMARC Policy
Proofpoint will never bounce or reject mail based on a domain's DMARC policy.
Depending on the DMARC policy of the From Header domain, Proofpoint will take one of two actions.
- If the DMARC policy is p=reject or p=quarantine and the email fails DMARC authentication, then the email is quarantined and categorized as Fraud.
- If the DMARC policy is p=none (referred to as monitor mode) and the email fails DMARC authentication, then no action is taken, and the email is sent for additional processing, i.e. Custom Filters, Spam Engine, etc.
Emails categorized as Fraud will not appear in the digest of end users, and can only be released by Organization Admins and above.
How DMARC Authentication Works
For a message to pass DMARC Authentication, at least one of the following conditions must be met:
- The message passes SPF Authentication and SPF Alignment
- The message passes DKIM Authentication and DKIM Alignment
A message will fail DMARC if it fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment. The table below shows potential combinations (not all) and the outcome of the DMARC evaluation.
SPF Authentication | SPF Alignment | DKIM Authentication | DKIM Alignment | DMARC Evaluation
---|---|---|---|---
Pass | Pass | Pass | Pass | Pass
Pass | Fail | Pass | Fail | Fail
Pass | Pass | Fail | Fail | Pass
Fail | Fail | Pass | Pass | Pass
Fail | Pass | Pass | Fail | Fail
To drive home the point, it bears repeating: a message must have at least one complete pair to pass DMARC Authentication.
What Is SPF & DKIM Alignment
By design, SPF only authenticates the Envelope Sender address, leaving the From Header address unchecked.
Similarly, DKIM only authenticates the d=domain.com value in the DKIM signature, which can be different from the domain in the From Header address.
Identifier alignment is a mechanism introduced in DMARC that requires at least one of the domains authenticated by SPF or DKIM to align with the domain found in the From Header address.
SPF Alignment
SPF alignment passes when the domain portion of the Envelope From address matches the domain found in the From Header address.
If the Envelope From address is empty, alignment is checked against the EHLO domain presented in the initial SMTP greeting.
EXAMPLE OF SPF ALIGNMENT PASS
Return-Path: <splinter@tmnt.org>
Delivered-To: <shredder@turtlesoup.com>
Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain
of splinter@tmnt.org designates 1.2.3.4 as permitted sender)
smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
Date: Wed, 4th Feb 2021
From: "Splinter" <splinter@tmnt.org>
To: "Shredder" <shredder@turtlesoup.com>
Subject: Recipe Ideas
The Envelope From, i.e. Return-Path domain (tmnt.org) and the From Header domain (tmnt.org) are identical, and therefore SPF Alignment Passes.
EXAMPLE OF SPF ALIGNMENT FAIL
Return-Path: <splinter@tmnt.org>
Delivered-To: <shredder@turtlesoup.com>
Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain
of splinter@tmnt.org designates 1.2.3.4 as permitted sender)
smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
Date: Wed, 4th Feb 2021
From: "Splinter" <splinter@ninjaturtles.com>
To: "Shredder" <shredder@turtlesoup.com>
Subject: Recipe Ideas
The Envelope From, i.e. Return-Path domain (tmnt.org) and the From Header domain (ninjaturtles.com) are different, and therefore SPF Alignment Fails.
DKIM Alignment
DKIM alignment passes when the domain value in the d= field of the DKIM signature of the email header matches the domain in the From Header address field.
EXAMPLE OF DKIM ALIGNMENT PASS
Return-Path: <splinter@tmnt.org>
Delivered-To: <shredder@turtlesoup.com>
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=tmnt.org;
s=february2021; i=@tmnt.org; q=dns/txt; h=...
Date: Wed, 4th Feb 2021
From: "Splinter" <splinter@tmnt.org>
To: "Shredder" <shredder@turtlesoup.com>
Subject: Recipe Ideas
The d= domain (tmnt.org) and the From Header domain (tmnt.org) are identical, and therefore DKIM Alignment Passes.
EXAMPLE OF DKIM ALIGNMENT FAIL
Return-Path: <splinter@tmnt.org>
Delivered-To: <shredder@turtlesoup.com>
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=tmnt.org;
s=february2021; i=@tmnt.org; q=dns/txt; h=...
Date: Wed, 4th Feb 2021
From: "Splinter" <splinter@ninjaturtles.com>
To: "Shredder" <shredder@turtlesoup.com>
Subject: Recipe Ideas
The d= domain (tmnt.org) and the From Header domain (ninjaturtles.com) are different, and therefore DKIM Alignment Fails.
There is another scenario in which SPF/DKIM alignment can pass even if the domains are not identical. If the DMARC record uses relaxed alignment (the default), and the Envelope From domain or d= domain is a subdomain of the From Header domain or vice versa, e.g. "mail.domain.com" and "domain.com", then alignment will pass. You can read more about this at a third-party website here.
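The following is an added example, not Proofpoint's code, that models the evaluation this article describes end to end: parsing the DMARC record, checking SPF and DKIM alignment (strict or relaxed, including the subdomain case above), applying the "one complete pair" rule from the table, and mapping the result to the Proofpoint action for the p tag. The organizational-domain lookup is a deliberate simplification (last two labels, no public suffix list), the `aspf`/`adkim` tags are standard DMARC tags not shown on this page, and all sample messages are constructed.

```python
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: v=DMARC1 and p are mandatory")
    return tags


def org_domain(domain: str) -> str:
    # Assumption/simplification: the organizational domain is the last two labels.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, relaxed: bool) -> bool:
    """Strict: exact match. Relaxed: same organizational domain (subdomains pass)."""
    if not auth_domain:
        return False
    if relaxed:
        return org_domain(auth_domain) == org_domain(from_domain)
    return auth_domain.lower() == from_domain.lower()


@dataclass
class Msg:
    from_domain: str      # domain of the From: header (the identity DMARC protects)
    mailfrom_domain: str  # Envelope From / Return-Path domain (what SPF authenticates)
    spf_pass: bool
    dkim_d: str           # d= of the DKIM signature, '' if unsigned
    dkim_pass: bool


def dmarc_pass(m: Msg, record: dict) -> bool:
    """A message passes when at least one authentication+alignment pair is complete."""
    spf_ok = m.spf_pass and aligned(m.mailfrom_domain, m.from_domain, record.get("aspf", "r") == "r")
    dkim_ok = m.dkim_pass and aligned(m.dkim_d, m.from_domain, record.get("adkim", "r") == "r")
    return spf_ok or dkim_ok


def proofpoint_action(m: Msg, record: dict) -> str:
    """'pass', 'fraud-quarantine' (p=quarantine/reject on failure) or 'monitor' (p=none)."""
    if dmarc_pass(m, record):
        return "pass"
    return "fraud-quarantine" if record["p"] in ("quarantine", "reject") else "monitor"
```

Note that Proofpoint never rejects on the sender's behalf: p=reject and p=quarantine both map to quarantine as Fraud.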
Carlos Rios