Friday 11 Jan 2019

Dummy's Guide to DMARC & Email Deliverability

Dummy's Guide to DMARC & Email Deliverability: DMARC-2

DMARC is technical. The problem it is trying to solve is massive and impacts all communicators. Here's my attempt to explain DMARC in a very non-technical way. I hope it helps

In a Nutshell

  • What is DMARC? Domain-based Message Authentication, Reporting and Conformance
  • What the hell does that mean? It's a set of instructions maintained by your company which helps other organisations identify which emails actually come from your organisation and what to do with imposters
  • Why's it important? Because it's becoming the norm and if you don't have a policy pretty soon you'll see your emails getting binned 

Picture this

OK so to make all of this make sense in my non-tech brain, I found it useful to think of organisations as kingdoms (domains) with castle walls (firewalls) and castle guards (firewall policies) and people living within the castle walls (email recipients). Your Kingdom may send a messenger (email) to some people living within another kingdom. That messenger will have to speak to the castle guards in order to get through the castle gates. They’ll check the messages credentials and provided these are legitimate, then they will let the messenger through to deliver their message to the inhabitants of the castle. So with that picture in your mind, please read on…

What is the problem DMARC Is trying to solve?

People who want your account details will send you nice looking emails which appear to come from Amazon or eBay or your bank. The branding will be perfect and the ‘from’ email address which you see in your inbox will look like it is from amazon.com. In fact, it will just be pretending to come from this address. It will be spoofing an amazon.com address. This is also known as Phishing. At PRgloo (like Mailchimp and other email marketing systems) we make use of spoofed emails. We pretend the email is coming from sam@somecompany.com. However in our case, it IS actually sent from Sam who is from the Some Company, but it is sent via PRgloo rather than Some Company’s outlook system.

At PRgloo we practice “moral” spoofing. This is a term I just made up by the way.

Now the internet (surprise, surprise) cannot rely on people being nice and “moral” with their use of this technology. So more and more spoofing and phishing is being eradicated. And here’s how it’s being done:

Safe Kingdoms

Some Kingdoms (the popular ones such as eBay, Amazon and the like) got sick of other people pretending to come from their kingdom and giving them a bad a rep by nicking people’s account details. So, they got together and agreed with other popular kingdoms to do something about it. They came up with DMARC (Domain-based Message Authentication, Reporting and Conformance) to stop people pretending to be from your kingdom.

With DMARC you specify both how the other kingdoms can identify true messengers (emails) which come from you AND what to do if one of them spots someone pretending to be from your kingdom. It acts as an instruction manual to let other kingdoms know how to identify the true messengers of the kingdom and how to report transgressions back to you. Here are the two ways Kingdoms / domains can choose to mark their messengers as authentic:

SPF (sender policy framework) All emails come with a bit of background information which is contained in the header. The header contains the sender email address (which is simply some text – it could be anything), the IP address of the person who sent it, details of where replies should go and some other very techy stuff. Spoofers will say that the sender email address is sam@prgloo.com but the IP address it actually came from cannot be spoofed. Now if the sender email address in the header reads sam@prgloo.com then we are supposed to think that this has come from the PRgloo kingdom but the only way to confirm that it did, is to do some checking on the IP address (which cannot be spoofed).

Some IP addresses are on Blacklists, so it’s easy to say, “go away, I don’t like the look of your IP”. However most sophisticated spoofers will change IP addresses all the time, so this is not a great way of spotting the imposters. So, what happens instead is the castle guards will look up the PRgloo domain in their big book of Kingdoms and see that they use DMARC.

The DMARC policy for PRgloo is a little instruction manual showing the castle guards how to tell if this email is actually coming from sam@prgloo.com and not HackyMcHackface. The policy might say

“We use Sender Policy Framework to help you determine if the email is actually from us. Simply see if the IP address listed in this email header exists in our list of safe IPs; we made it available for you to check (in a public record called the SPF record). If it does, then please welcome the email with open arms. If it does not, please reject it and send us a message to tell us about this nasty imposter so we may behead them”

If PRgloo does not use DMARC then the castle guards can’t really get too much out of the IP address (other than checking to see if it is on a blacklist) and they may simply reject them because they don’t like the cut of their jib or because they come from a Kingdom which is too lazy to be in the big book of DMARC kingdoms.

DKIM (DomainKeys Identified Mail). Using the email header again, Kingdoms / Domains can add a special encrypted digital signature to identify things actually sent from that domain. So let’s say the email sender is set to sam@prgloo.com. The guards at the gate look up the prgloo.com Kingdom in their big book of Kingdoms and see that they use DMARC. The DMARC Instruction manual for PRgloo says

“We use DKIM to help you identify whether this email is actually from PRgloo. Go and have a look in this special place for the key to our signature. Once you apply this key to our email header you’ll unlock our signature and you’ll see that this is really and truly sent by us”.

If you’re not in, you’re well and truly out.

DMARC policy adoption is spreading like wildfire. Soon it will become standard. If you’re not part of that standard, you and your emails will become substandard and that’s not a descriptor any of us want.

For more information on the above, please give us a call. Many thanks to the wonderful Regis Calard for his help sense checking the above article.

Downloads

DMARC-2
DMARC-2