DMARC – Do you have a problem with your corporate email reputation?

Do you have messages being constantly quarantined at their destination?
Do you get rejections when sending to Government or NHS hosted domains?
Do emailed newsletters not get through?

Well, you may have a reputation issue with your corporate domains.

Email reputation has taken a battering in recent years, as mass spam and phishing have never been easier to send and now flood end-user mailboxes. In the battle of spammers vs mail providers, the sensitivity of destination content filters has been increased to try to stop the flood, and some endpoints now require more authentication around email, such as DMARC compliance and TLS. This can result in corporate domains being blocked, preventing communications or costing a sales opportunity. If only there was a reliable, secure way to show who and what should be sending as corporate domains.

How can this happen? I only have access to my DNS Zone!

The underlying architecture for email was never intended to be used so widely and did not have authentication designed into the system. DMARC, with corresponding features deployed, allows you to publish a list of allowed sender endpoints and add signatures which can be validated. This informs the receiving email systems, which can then judge the authentication state of inbound email. It should be noted that the NHS and most UK Government departments will be expecting a fully DMARC-compliant state on any receiving corporate domains during 2020.

Image sourced from https://dmarc.org/overview/

DMARC and other authentication for SMTP. How to adopt / deploy?

Below are the key features which, when adopted, can help to secure and enhance the email domain’s reputation with authentication mechanisms:

  • TLS
  • SPF
  • DKIM
  • DMARC

What is TLS?

TLS stands for “Transport Layer Security”. This allows encryption of the transport between source and target servers. This is not a DMARC feature but should be adopted whenever possible to protect content from interception. The version of TLS can also be critical. Most solutions now only support communications in TLS 1.2 or higher.
Without TLS in place the connections risk being dropped and therefore the email will not be accepted. This is even before a content filter gets to work.

What is SPF?

SPF stands for “Sender Policy Framework”. This provides a list of approved sending servers for the domain identity, such as Silversands.co.uk. Generally, this is expected to be configured so that senders whose values don’t match are rejected (known as Hard Fail). SPF is limited to a maximum of 10 records. This is both to prevent Denial of Service (DoS) and to ensure that the minimum number of systems can send as that domain, further enhancing the reputation of the domain.

What is DKIM?

DKIM stands for “DomainKeys Identified Mail”. This adds a cryptographic signature to the header of all outbound email messages. This is not whole message encryption. It allows several senders for a specific domain to use and maintain their own cryptographic signatures, which are stored in the external DNS zone for reference by the receiving email service. This is on the assumption it is configured to check for them.

What is DMARC?

DMARC stands for “Domain Message Authentication Reporting and Conformance”.  Essentially this is a reporting feature which allows discovery of what and how emails are being sent.

Reports are produced by remote email servers (which receive emails from this domain) and then, following the policy values of the DMARC record, sent to the defined email address. Generally, a paid subscription with a third-party provider (such as https://www.dmarcanalyzer.com/) receives these MTA reports and displays them for consumption through an online dashboard. When looking at a DMARC report processing provider, you should also always consider security and ensure the provider supports the enablement of 2FA for all users.

Conclusions?

Adoption of DMARC will not solve all your email delivery/reputation issues. Deployment should be a staged approach: the more the screw is tightened, the better the reputation of the domain will become. If you have been blacklisted, then you can look to be cleared off the lists as you improve your reputation. Once you have reached the desired state you should monitor on a semi-regular basis to ensure you are not having traffic blocked.
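The staged tightening described above, as an added example (not Silversands' code): a small Python audit of SPF and DMARC TXT record strings that flags a missing Hard Fail, a missing report address, and the current enforcement stage. The records, the domains example.com and example.net, and the function names are constructed for illustration; `-all`, `p`, `pct` and `rua` are the standard SPF and DMARC terms.

```python
# Added example: audits SPF and DMARC TXT record strings. All records are constructed samples.
STAGES = {"none": "monitor", "quarantine": "partial enforcement", "reject": "full enforcement"}

def audit_spf(record):
    """Return a list of findings for an SPF TXT record (empty list = hard fail in place)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' mechanism, so unlisted senders are not failed"]
    if alls[-1] != "-all":
        return [f"'{alls[-1]}' is not a hard fail; move to '-all' once all senders are listed"]
    return []

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    """Return (stage, findings) for the TXT record published at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return None, ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in STAGES:
        findings.append("missing or invalid p= policy")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address, so aggregate reports are not delivered")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"policy applies to only {tags['pct']}% of failing mail")
    return STAGES.get(policy), findings

# Constructed records for the placeholder domain example.com, one DMARC record per rollout stage.
SPF_SOFT = "v=spf1 include:_spf.example.net ~all"
SPF_HARD = "v=spf1 include:_spf.example.net -all"
DMARC_STAGES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
]

if __name__ == "__main__":
    for spf in (SPF_SOFT, SPF_HARD):
        print(spf, "->", audit_spf(spf) or "ok")
    for rec in DMARC_STAGES:
        print(rec, "->", audit_dmarc(rec))
```
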

How Can Silversands Help?

Silversands can work with you to help adopt these features.  We can guide you through the changes required, advising on adoption planning and strategy. If you would like to speak to one of our consultants please complete the form below.

For your information we run regular workshops and webinars providing the latest updates and expert advice about Microsoft 365, Cloud and Hybrid IT, security, compliance and partner tools. We also post regular blogs so please do follow us.