Learn and Test DMARC

Great way of pushing the critical email services we all need to reduce spam. While I have always wanted SPF, DKIM and DMARC to be enough of an incentive for the businesses i work with, reputation is often not enough of a driver to prioritise the investment.<p>But fret not! For when you are dealing with companies which want to communicate with customers in a trusted way, there is a marketer&#x27;s dream standard - Brand Indicators for Message Identification (BIMI) - now security isnt the only outcome, you get a pretty logo too! <a href="https:&#x2F;&#x2F;www.litmus.com&#x2F;blog&#x2F;what-is-bimi-and-why-should-email-marketers-care" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.litmus.com&#x2F;blog&#x2F;what-is-bimi-and-why-should-emai...</a><p>I have used BIMI at multiple companies now which talk about Customer Experience to drive the proper (P=Reject) implementation of DMARC.

Related:<p><i>See how DMARC, SPF, and DKIM work interactively</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=29869266">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=29869266</a> - Jan 2022 (108 comments)

Does anybody know open-source or, at least, free way to process DMARC reports?<p>I have several e-mail domains with SPF, DKIM and DMARC enabled, and it works, but I have two annoying problems with DMARC:<p>(1) Some sites like to send DMARC reports which says &quot;you send us 3 messages, everything is OK, all checks are passed, you are clear&quot;.<p>(2) Sometimes my domains are used to (try to) send spam via other servers and I got DMARC reports like &quot;this &lt;IP&gt; tired to spam with your domain in HELO&#x2F;FROM and we killed it, as checks failed&quot;.<p>Both reports are of no use for me: I don&#x27;t want to know, that my users send mail to @gmail.com and @mail.ru (first reports) and I can do nothing about second case, as these &lt;IP&gt;s are not &lt;IP&gt;s of my server, so what should I do?<p>Some filter or dashboard will be very useful, as unpacking &amp; checking XMLs by hands are very cumbersome.

Very cool.<p>&gt; For DMARC to pass, DKIM and&#x2F;or SPF checks need to pass and the domains must be in alignment.<p>AFAIK this is incorrect.<p>It is not &quot;and&#x2F;or&quot; but rather &quot;or&quot; - only DKIM or SPF needs to pass. There is no method to require both.

I really appreciate the iterative way it goes through the process. It&#x27;s been a few years but this would have been a godsend at a previous company when we were trying to move to self-hosted email sending with all the proper security measures.

I sent an email via Apple’s “Hide My Email” service [1].<p>&gt; <i>Unhandled Promise Rejection:</i><p>&gt; <i>TypeError: a.from.replace(&#x2F;[&lt;]&#x2F;gi,&quot; is not a function. (In &#x27;a.from.replace(&#x2F;[&lt;]&#x2F;gi,&quot;(&quot;)&#x27;, &#x27;a.from.replace(&#x2F;[&lt;]&#x2F;gi,&quot;&#x27; is undefined)</i><p>&gt; <i>dist.min.js:3:32767</i><p>This error occurred after the interface began displaying the following information:<p>&gt; <i>Here are the message headers and message body:</i><p>&gt; <i>DKIM-Signature: d=icloud.com s=1a1hai</i><p>It’s been over a year since the website was featured on Hacker News (January 10, 2022), so I suspect that the JavaScript code may have become outdated and non-functional. It’s possible that it never supported Safari browsers in the first place, or perhaps it’s a combination of both issues. Nevertheless, I’ve learned a lot from the initial [2] and second [3] parts of the DMARC test, which gives me some insight into what might be happening in the subsequent steps.<p>[1] <a href="https:&#x2F;&#x2F;support.apple.com&#x2F;en-us&#x2F;HT210425" rel="nofollow noreferrer">https:&#x2F;&#x2F;support.apple.com&#x2F;en-us&#x2F;HT210425</a><p>[2] dig +noall +answer -t TXT &lt;EMAIL_DOMAIN&gt; | grep -i SPF<p>[3] dig +noall +answer -t A &lt;HOSTNAME&gt;

It is absolutely astonishing that we rely on layers and layers of shims&#x2F;compatibilities&#x2F;hacks to keep a technology that was well-meaning and ideal 30ish+ years ago running in the 21st century.<p>Same thing in the VOIP&#x2F;telecom space.<p>Microsoft recently had issues with mail deliverability - most of our O365 tenants had a notice reminding us to check SPF, DKIM, DMARC (we&#x27;re configured properly already) - some of our tenants were having issues mailing smaller mail providers (ISP-level) because the small provider is outright blocking IPs and IP ranges due to spam coming from the same IP address&#x2F;mail server we&#x27;re trying to send from.

Fun fact: sns.amazonaws.com still has no DMARC record. This is where AWS SNS messages originate from unless you use a custom domain, and it&#x27;s where all CloudWatch alerts come from (no-reply@sns.amazonaws.com)

This is how email is <i>supposed</i> to work. In reality, there are whitelists ...

People, don&#x27;t forget to properly set all these checks for DNS failover.<p>I saw companies got scammed, because they used default settings in Exchange Online.<p>And attacker just made the DNS &quot;unavailable&quot; for brief moment and all phishing emails passed. Because MS server responded with DNS &quot;temp error&quot; and pass all emails as not a spam. (detailed: received-spf: TempError (protection.outlook.com: error in processing during lookup of &lt;phished domain&gt;: DNS Timeout) and DKIM is checked on domain of sender&#x27;s SMTP server, in this case attacker&#x27;s server used for phishing )<p>Then I had the great experience with MS IT&#x2F;security support, people there can&#x27;t even understand how emails works, very funny and sad experience. I hope outsourcing works for them.

This is so cool! I would love to see this for other protocols actually, maybe SSL or something!

DMARC is and has always been...fine, save for the fact that most phishing &#x2F; exploits are sent using cousin domains. Is a DMARC policy necessary and a great security measure? Sure. Is it a domain identity security game changer?... no way.

Bunch of discussion from 2022:<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=29869266">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=29869266</a>

Appears to be operated by uriports.com, in case anyone wondered where their email was going..

Dope af