Image sourced from https://dmarc.org/overview/
DMARC and other authentication for SMTP. How to adopt / deploy?
Below are the key features which, when adopted, can help to secure the email domain and enhance its reputation through authentication mechanisms:
What is TLS?
TLS stands for “Transport Layer Security”. This allows encryption of the transport between source and target servers. This is not a DMARC feature but should be adopted whenever possible to protect content from interception. The version of TLS can also be critical. Most solutions now only support communications in TLS 1.2 or higher.
Without TLS in place the connections risk being dropped and therefore the email will not be accepted. This is even before a content filter gets to work.
What is SPF?
SPF stands for “Sender Policy Framework”. This provides a list of approved sending servers for the domain identity, such as Silversands.co.uk. Generally, this is expected to be configured so that if values don’t match, they are rejected (known as Hard Fail). SPF is limited to a maximum of 10 records. This is both to prevent Denial of Service (DoS) and to ensure that the minimum number of systems can send as that domain, further enhancing the reputation of the domain.
What is DKIM?
DKIM stands for “DomainKeys Identified Mail”. This adds a cryptographic signature to the header of all outbound email messages. This is not whole message encryption. It allows several senders for a specific domain to use and maintain their own cryptographic signatures, which are stored in the external DNS zone for reference by the receiving email service. This is on the assumption that the receiving service is configured to check for them.
What is DMARC?
DMARC stands for “Domain Message Authentication Reporting and Conformance”. Essentially this is a reporting feature which allows discovery of what and how emails are being sent.
Reports are produced by remote email servers (which receive emails from this domain) and are then sent to the email address defined in the policy values of the DMARC record. Generally, a paid-for subscription with a 3rd party provider (such as https://www.dmarcanalyzer.com/) receives these MTA reports and displays them for consumption through an online dashboard. When looking at a DMARC report processing provider, you should also always consider security and ensure the provider supports the enablement of 2FA for all users.
Conclusions?
Adoption of DMARC will not solve all your email delivery/reputation issues. Deployment should be a staged approach: as the screw is tightened, the reputation of the domain will improve. If you have been blacklisted, then you can look to be cleared off the lists as you improve your reputation. Once you have reached the desired state you should monitor on a semi-regular basis to ensure you are not having traffic blocked.
How Can Silversands Help?
Silversands can work with you to help adopt these features. We can guide you through the changes required, advising on adoption planning and strategy. If you would like to speak to one of our consultants please complete the form below.