Tagdmarc

September 19, 2019

Should you publish a DMARC policy statement?

By laura
4 Min read
1 comment
19September

DMARC is a protocol that makes it very, very simple to shoot yourself in the foot. Setup is tricky and if you don’t get it exactly right you risk creating deliverability problems. The vast majority of companies SHOULD NOT publish a DMARC policy with p=reject or p=quarantine for their existing domains. DMARC policy statements are, essentially, a way for a company to assert the following...

August 29, 2019

DMARC doesn’t fix phishing

By laura
3 Min read
4 comments
29August

Over the last few weeks I’ve had a lot of discussions with folks about DMARC and the very slow adoption. A big upsurge and multiple Facebook discussions were triggered by the ZDNet article DMARCs abysmal adoption explains why email spoofing is still a thing. There are a lot of reasons DMARC’s adoption has been slow, and I’m working on a more comprehensive discussion. But one of...

January 23, 2019

Gradual DMARC Rollout

By steve
3 Min read
2 comments
23January

Over on twitter Alwin de Bruin corrected me on an aspect of DMARC soft rollout I’d entirely forgotten about. It’s useful, so I thought I’d write a quick post about it. If you have a large mail stream and you want to avoid the Scary Red Flag Day when you turn on DMARC p=reject enforcement and wait for people to complain you can use the DMARC policy “pct=” tag to roll...

October 14, 2018

Good morning DMARC

By steve
1 Min read
3 comments
14October

I’m thinking I may need to deploy DMARC report automation sooner rather than later.

… and so on, and on, and on for a lot further down the mailbox.

July 19, 2018

Minimal DMARC

By steve
4 Min read
2 comments
19July

The intent of DMARC is to cause emails to silently vanish. Ideally deploying DMARC would cause all malicious email that uses your domain in the From address, but which has absolutely nothing to with you to vanish, while still allowing all email you send, including mail that was sent through third parties or forwarded, to be delivered. For some organizations you can get really close to that ideal...

April 9, 2018

Brand indicators in email

By laura
3 Min read
Add comment
09April

A number of companies in the email industry have been working on a way to better identify authenticated emails to users. One proposal is Brand Indicators for Message Identification (BIMI). A couple weeks ago, Agari announced a pilot program with some brands and a number of major consumer mail providers. These logos should be available in the Yahoo interface now and will be rolling out at other...

December 21, 2017

Authentication is about Identity, not Virtue

By steve
1 Min read
3 comments
21December

I just got some mail claiming to be from “Bank of America <secure@bofasecure.com>”. It passes SPF: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=185.235.176.160; helo=bofasecure.com; It passes DKIM: Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com The visible RFC 822 From address is strictly...

December 13, 2017

Organizational Domain

By steve
4 Min read
2 comments
13December

We often want to know whether two hostnames are controlled by the same person, or not. One case for that is cookie privacy in web browsers. We want pages at www.blighty.com and images.blighty.com and blighty.com to all be able to set and read cookies for each other – so a user only needs to log in once for pages or images on all of them to work well together.  So we allow all of them to...

December 5, 2017

About that DMARC "exploit"

By laura
2 Min read
Add comment
05December

A security researcher has identified a rendering flaw that allows for “perfect” phishing emails. From his website: Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC...

October 18, 2017

The feds are deploying DMARC

By steve
2 Min read
Add comment
18October

The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email. It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication. Set up a centralized reporting repository for DMARC failure...

Recent Posts

Archives

Follow Us