DMARC

A domain’s DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain example.org might have a DMARC record of: v=DMARC1; p=none; rua=mailto:dmarc_reports@sample.net This DMARC record tells people to send reports regarding example.org to the email address of dmarc_reports@sample.net. Before reports are sent, sample.net must tell the world that it is OK to send example.org’s reports to sample.net. Otherwise, reports will not be sent to sample.net. Allowing “external” domains to accept DMARC reports is called “External Domain Verification.” For those who like too much information, the DMARC RFC describes in detail how report generators determine if sample.net is allowed to receive reports related to example.org. External Domain Verification is made possible when sample.net publishes a special TXT record at a specific location in the DNS. If example.org tells the world to send DMARC reports to the sample.net domain, people who are sending reports will

Our Single Sign-On (SSO) support leverages Security Assertion Markup Language (SAML) version 2 for Enterprise users. This expedites access to your dmarcian account by letting you sign in with your existing corporate credentials, which means one less password to keep track of.  With our SSO, you can easily manage SSO access and user permissions to all of your accounts in dmarcian centrally while adhering to your organization’s security and access policies. Before getting into the details for SSO configuration, let’s first talk about some basic concepts and terminology: Authentication Authentication defines how the user is identified in a system—usually through a login process. Traditionally, a user registers for an account providing authentication credentials (username and password) and uses them to log in moving forward. In the past, this has been sufficient, but it does have limitations. For example, what happens if you have a several employees at your company that you want to grant access

Based on domain events that act as triggers for sending alerts, the highly customizable Alert Central feature on dmarcian’s DMARC Management Platform allows you to monitor your domains without having to login to your dmarcian account. Events could include new or changed DNS records (e.g. we see a new DMARC record) and fluctuation in volume across categories of traffic for your domains. You can choose from common communication channels for alerts—email, Slack, Teams or webhook. The alert will provide you with the details of the event and a link to your dmarcian Timeline for you to get even more information. How does Alert Central Work? Alert Central is based around the dmarcian Timeline. Like the Timeline, you choose which changes to track, and the alerts ensure that you’re aware of the changes in real time. When we notice a DNS change, a change event gets triggered. If a DNS record

Email forwarding can sometimes throw a wrench in DMARC authentication results, and we often get questions about how to manage forwarded emails, especially with mailing lists. Emails are forwarded automatically all the time, more so than most people expect. Forwarding happens automatically when you send an email to myfriend@example.com and that person has set up their email to be forwarded to a separate inbox, like myfriend@dmarcian.com. Another common instance of automatic forwarding is a mailing list, like Google Groups. From the perspective of the email receiver—the one that is generating DMARC XML reports—your email appears to be coming from an infrastructure that has nothing to do with you. In Google Groups, DMARC data that displays forwarding will show your domain as a sender, a Google IP as the sender, and a variety of receivers who send the DMARC report as part of their DMARC check. This number can increase quite

Though Cisco email security appliances (ESA) can be configured to send DMARC aggregate (RUA) reports, they have a limited number of daily DMARC reports they provide. This limit can be easily reached by organizations sending large volumes of email, especially if multiple subdomains are seen in the From header of messages received. The number of subdomains seen is an issue because of a deficiency in how the Cisco IronPort system generates DMARC reports. Instead of creating a single XML report containing data for the top-level domain and any subdomains (e.g. example.com along with www.example.com, server.example.com, etc), each server instance generates a completely separate report for each—this causes the limit to be reached rapidly. Increasing the daily limit will ensure that you have the proper visibility and are helping other organizations with their DMARC projects. The daily DMARC report default setting is 1000, which can be increased only through the command-line

Here’s some long-time-coming news from Microsoft, one of the world’s largest mailbox providers: they have started rolling out changes to honor DMARC policies as published in a domain’s DNS. Microsoft will now be treating the p=reject policy as intended; email failing DMARC authentication will not be delivered. Microsoft had been treating the DMARC policies of p=quarantine and p=reject the same way; email failing DMARC with a p=reject policy was delivered to the spam folder. Microsoft said they had operated this way “because some legitimate email may fail DMARC. For example, a message might fail DMARC if it’s sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they’ll be marked as spam and not rejected.” Microsoft signaled the change to

Updated July 17, 2023 to reflect new statistics from the SBA. dmarcian’s MSP Program Manager, Joe Garner, offers his thoughts on MSPs and their ever increasing role in protecting small and medium businesses from digital attacks. COVID shows the importance of MSPs as a vital touchpoint with the cybersecurity world There was a time in the not-too-distant past when most small businesses didn’t need any IT expertise beyond setting up printers and configuring accounting software, as most of their business was in real-time and in person. As COVID transformed the world, these businesses began adopting digital strategies for the first time to handle operations like  digital commerce and remote workforces, and widespread digital transformation began. According to Salesforce’s 2021 “Small and Business Trends” report, 71% of growing small- and medium- sized businesses (SMBs) survived the pandemic by going digital, and 66% say their businesses could not have survived the pandemic

We often get questions about how DMARC policies apply to subdomains and how to establish a subdomain policy. Here’s some information to provide clarity and answer those questions. Because subdomains contend with the same abuse potential as parent domains, aka top-level or root domains, the astute authors of the DMARC control wrote specific conditions for subdomain policies. It goes like this: subdomains inherit the parent domain’s DMARC policy unless you indicate a subdomain policy using the sp= tag in the parent DMARC record or publish a p= tag on a subdomain. Keeping in mind that cybercriminals leverage unprotected subdomains for phishing exploits, it’s important to have a DMARC deployment plan for every subdomain you create, whether the parent domain DMARC policy is inherited, an sp= tag is published to rule the subdomains, or a p= tag is indicated for the subdomain. The DMARC policy definitions and actions apply to subdomain

The Messaging, Malware, and Mobile Anti-Abuse Working Group, or M3AAWG, has released a blog post and white paper calling for the creation of an industry coalition to support the Public Suffix List (PSL). The PSL is an initiative under the Mozilla Foundation, and identifies the parts of the Internet domain name space under which organizations […]

Investment Scams Costliest The FBI’s Internet Crime Complaint Center (IC3) has released the 2022 Internet Crime Report, which is based on internet crimes reported to the IC3. Phishing continues to be the top crime reported, and investment scams were the most financially damaging. Though the IC3 received five percent fewer complaints in 2022 the total loss ballooned from $6.9 billion in 2021 to over $10.2 billion in 2022. By the Numbers – 2022 FBI Internet Crime Report Internet Crime Overview BEC: There were 21,832 BEC complaints with a loss of over $2.7 billion. BEC exploits target organizations and individuals in an effort to redirect funds to fraudulent accounts. Investment Scams: For the first time since the FBI has issued the Internet Crime Report, investment fraud was the costliest crime with losses coming in at $3.31 billion; in 2021, losses were $1.45 billion. There was an unprecedented increase in crypto-investment extortion