Email is an extremely utilized and important tool for communication across not only businesses and organizations across the world but for personal use as well. Approximately one-third of the population of the planet has an email address. This is why it’s essential for every organization protects their domains to ensure that no one impersonates them via email.
This is where DMARC, or what’s known as domain-based message authentication, reporting and conformance, comes in handy. But not everyone uses DMARC, even though it provides protection against email phishing and spoofing. This means that when Microsoft releases its new Office 365 feature that will give organizations the option to block emails from senders whose domains lack DMARC authentication mechanisms, those non-DMARC authenticated organizations are going to be in trouble.
So, what is there to know about this new Office 365 update and how will it affect your email capabilities?
Let’s hash it out.
Breaking Down Microsoft’s New ATP Feature for DMARC Authentication
Okay, so Microsoft is doing what now? Microsoft recently announced that they’re looking to roll out a new advanced threat protection feature across all Office 365 environments that aims to block any email senders whose domains fail DMARC authentication. The new Office ATP feature is anticipated to roll out around April 2020.
Basically, what this means is that Microsoft plans to incorporate an additional type of filter into their email process/lifecycle that’s based off of domain message authentication, reporting, and conformance (DMARC) validation policies. This means that, quite simply, if DMARC fails for an email, the message will be filtered.
Of course, there’s an option for an admin (likely via the Office 365 admin console) to turn this off and disregard the DMARC status per email. Like most issues, this function, whether on or off, has advantages and disadvantages to consider. But, like many well-thought-out things that are sent to production, the pros will likely still outweigh the cons. But before we can get into a more in-depth discussion about what all of this means, let’s first take a moment to review DMARC, SPF, DKIM, and other considerations.
What is DMARC, SPF, and DKIM, and Why Do They Matter?
DMARC is a reporting tool that takes metrics from two other protocols — sender policy framework (SPF) and domain keys identified mail (DKIM) — to determine the authenticity of an email, and data gathering can determine how well an email sender’s domain is doing. DMARC can also take action on emails based off of SPF and/or DKIM results.
DMARC reporting will describe how the domain(s) are doing as a whole. Examining the data in different timeframes can help you determine if things are getting worse before further sleuthing can help determine what might be going on.
SPF is both a protocol and a very simply configured DNS entry in a DNS record. It’s essentially a listing of hostnames, IP addresses or range of addresses that can be set as valid sending sources. What this means is that if an email comes from an IP/hostname other than what is listed in the DNS’s TXT SPF record, it’ll fail.
DKIM, on the other hand, is a protocol that uses one DNS entry per valid sender to utilize a key signature in outbound emails. So, what this means in layman terms is that email clients (and mail exchangers) will verify the email based off of the DKIM signature and the lookup in the DNS record. If the key is legit (according to the DNS entry), DKIM passes.
So, essentially, DKIM and/or SPF are good for one-off situations, whereas DMARC is useful for authenticating against those standards to ensure validity of an email domain. Of course, this is an oversimplification of these protocols. We didn’t even go over the weighted results of valid vs aligned. For more information on that, you can go back and read my previous articles discussing all the different options and so forth. (Note: Links to each of those specific topics are embedded in the individual paragraphs above.)
How Is Filtering for DMARC Different Than Filtering for SPF, DKIM?
Categorization with SPF is based on the defined IP addresses and/or host names. There are qualifiers that can be placed — and are placed — for anything not matching the defined IP addresses and/or host names. Typically, using the “all” statement at the end of the SPF TXT record indicates this. The qualifiers are:
- Pass (+) — Passes when criteria is met
- Fail (-) — Fails when criteria are met and flag as spam
- Soft Fail (~) — Fails but takes no action
- Neutral (?) — Take no action at all
DKIM is a little less hands-off in that regard. However, it may depend on the email client, such as Outlook, MacMail or Thunderbird, or it will depend on the DMARC policy to filter out the message.
So, basically, SPF and DKIM do pass/fails and note it as such. It is up to the exchangers, servers, and email clients to figure out what, if any, action to take (deliver, spam it, delete it, etc.).
DMARC, which is a composite of SPF and DKIM results but also has extra capabilities beyond that, will utilize the results of each protocol to take action. Those next steps could be filtering (flagging as spam) or simply just marking the message as bad (noted as a failure but not flagged as spam). It has options that can require one or both to pass, or it may require both to be aligned. Those DMARC options can flag a message, soft fail it, etc.
DMARC’s real strength comes from its reporting and domain alignment features. When lots of emails are sent, DMARC is a great way to see how much spoofing or problems an email domain is having. DKIM and SPF are good for handling the single anecdotal instances, but DMARC can help with the bigger picture.
Why We Use DMARC (and Why You Should, Too)
According to research from Valimail, domains without DMARC in place are nearly four times as likely to get spoofed. So, this is where DMARC — and its components SPF and DKIM — comes to the rescue.
So, you possessors of email addresses and inboxes, I know that you understand the attacks that we (as businesses) are constantly under — the flooding of phishing and junk mail that inundates our inboxes on a milli-second basis. Our email clients do a subjectively good job filtering stuff out. (Well, they actually do do (heh) a good job filtering stuff out. It’s the 1(ish) % of junk that does get through that seems to stand out and makes us super frustrated.) However, they’re not enough.
I’ve mentioned in the past that we need to jump through the hoops, do our due diligence and fight the good fight to improve all of our email to junk/phishing ratios and situations. Some of my previous articles go over these tools and actions that should improve those ratios/situations. I have good reason to believe it has improved my company’s ratios and situations.