Have you run into emails forged in the name of your service in order to extort passwords or other confidential data? Every day, thousands of spam, phishing and fraudulent emails that hackers disguise as messages from well-known services try to break through to users.
Such letters harm the addressees, which ultimately affects the reputation of both the legitimate services and the mail providers.
We are now giving services that send mailings the opportunity to defend themselves against such fakes with the help of
DMARC technology (dmarc.org), which we were the first among the major mail services in Runet to support.

How DMARC works
The essence of the technology is simple: as the owner of the domain you send mail from, you can publish in your domain's DNS a policy that defines what to do with letters that are considered fake.
Such emails can be let through, put in the Spam folder, or not accepted by the mail server at all.
For this technology to work, you need to configure SPF for your domain and sign each letter with a DKIM signature. The DKIM domain must match the domain in the From header.
When receiving a letter, our server checks the validity of SPF and DKIM. If both the DKIM and the SPF checks fail, the DMARC policy of your domain is applied to the letter.
I want it already. What should I do?
The first thing to do is decide how DMARC will be rolled out. We recommend doing it gradually rather than all at once:
- At first, enable only the receiving of reports and let all emails through. This is necessary to make sure that all letters are correctly signed.
- Next, enable the policy for only a small percentage of traffic using the pct option.
- If the reports show no problems, enable the policy for 100% of traffic.
This step-by-step approach lets you find problems with the DKIM signature, if there are any, and correct them before the policy is applied to 100% of traffic.
To enable the DMARC policy, you need to add a new TXT record to the DNS records of your domain:
_dmarc.exampledomain.ru. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@exampledomain.ru"
In this form, the record means that all fake letters should be let through and that reports should be sent to the mailbox postmaster@exampledomain.ru; replace exampledomain.ru with your domain.
If you want to receive reports at a domain that does not match the DMARC domain, you need to publish a TXT record under a special name in the receiving domain. Suppose your domain with DMARC is exampledomain.ru, and you want to receive reports at the test.ru domain. In this case, you need to add a TXT record to the DNS of the test.ru domain:
exampledomain.ru._report._dmarc.test.ru. 3600 IN TXT "v=DMARC1"
At the moment we support sending only aggregated reports. Sending samples of messages that did not pass the check will be launched later.
What does a report look like?
Daily aggregated reports come in XML format from the address dmarc_support@corp.mail.ru.
Below is an example of a report stating that 20 emails were sent from the same IP address, and they all passed the test.
<feedback> <report_metadata> <date_range> <begin>1361304000</begin> <end>1361390400</end> </date_range> <email>dmarc_support@corp.mail.ru</email> <extra_contact_info>http:
There are many ready-made tools that make processing these reports more convenient. You can find them on the DMARC website:
http://www.dmarc.org/resources.html
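The check that the first rollout step relies on, as an added example (not Mail.Ru's code and not one of the dmarc.org tools): a small Python summary of an aggregate report that counts, per source IP, the messages a policy would be applied to. The sample report is constructed and uses the element names of the aggregate-report schema in RFC 7489; `summarize` and `ready_to_enforce` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not a real one): element names follow the
# aggregate-report schema in RFC 7489; IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <email>dmarc_support@corp.mail.ru</email>
    <date_range><begin>1361304000</begin><end>1361390400</end></date_range>
  </report_metadata>
  <policy_published><domain>exampledomain.ru</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>20</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"total", "dmarc_fail", "dkim_fail"}} message counts."""
    # Reports arrive from outside parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "dkim_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        stats[ip]["total"] += count
        if dkim != "pass":
            stats[ip]["dkim_fail"] += count      # signing problem to fix
        if dkim != "pass" and spf != "pass":
            stats[ip]["dmarc_fail"] += count     # the policy would apply here
    return dict(stats)

def ready_to_enforce(stats, own_ips):
    """True if none of our own sending IPs has mail the policy would hit."""
    return all(stats[ip]["dmarc_fail"] == 0 for ip in own_ips if ip in stats)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_REPORT).items():
        print(ip, s)
```

A source that fails only DKIM is still delivered because SPF passes, but it is the kind of signing problem the reports-only stage is meant to surface before the pct stage.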
What's next?
More information about configuring DMARC can be found in the help:
http://help.mail.ru/mail-help/postmaster/dmarc. Turn it on and leave a comment: we will be grateful for questions, comments and ideas.
Denis Anikin,
Technical Director, Mail.Ru Mail