BLOG

A DMARC warning

One challenge when implementing DMARC is to ensure that all mail, and I do mean ALL mail is authenticated correctly, before switching to a p=reject notice. The easiest way to do this is to set up a p=none record and check reports to see what mail isn’t authenticated. At least some of this mail is actually going to be valid but unauthenticated email.

I regularly recommend monitoring for 6 – 12 months in order to catch some irregular emails. Even then, someone should regularly monitor DMARC reports in order to identify systems that need authentication added.

One of the cases I worry about is system monitoring emails. These are emails intended to notify sys admins about problems and errors. They often don’t go through the main SMTP server. They usually don’t have an external facing IP and there are security arguments against putting internal IPs into external SPF records. These emails are important and are, usually, not authenticated.

Overall, I could imagine cases where a DMARC record would lead to some problems. And, well, it can. Reading through the postmortem of a significant system failure, one of the problems was no one knew backups weren’t running because notification emails were failing DMARC.

While notifications are enabled for any cronjobs that error, these notifications are sent by email. For GitLab.com we use DMARC. Unfortunately DMARC was not enabled for the cronjob emails, resulting in them being rejected by the receiver. This means we were never aware of the backups failing, until it was too late. GPostmortem of database outage of January 31

Ooops.

Backup failures happen. System outages happen. Crashes happen. (We once had a system crash and take out a disk while during the installation of backup software. #badthing). DMARC failures of this type are preventable.

Part of the challenge here is that gitlab is using google to host their domain and email. That give gitlab a little less control over handling DMARC rejections. Gmail applies the public policy to email. Internal systems sending mail to a SMTP server you control can be whitelisted and exempted from DMARC policy. But using a hosted system means giving up some overhead, and some flexibility.

Of course, DMARC reporting should show internal systems trying to send mail. But I don’t think most places are actually reading their DMARC reports. If anyone at Gitlab was, they didn’t understand the significance of these emails.

DMARC is, overall, a useful protocol and gives senders a little more control over their email. Sometimes, though, there are unexpected consequences. Like most things in email, you can’t set and forget. You have to monitor your DMARC reports and pay attention to systems sending legit but unauthenticated email.

2 comments

  1. Al Iverson says

    And even after you’ve got it all figured out, get ready for occasional DMARC-related rejections. Some ISP somewhere will rewrite a header and forward a message, breaking both SPF and DKIM, and that’s the end of that. There are small numbers of bounces like this for every client of ours who has implemented DMARC.

    1. laura says

      Yup. Implementing p=reject will result in mail failing to deliver. In most cases it’s small, but it will happen. OTOH, when you have lots of senders forging your domain, it might be the only option you have.

Comment:

Your email address will not be published. Required fields are marked *



  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments


  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment


Archives