DMARC tightening

Since I first implemented DMARC back at the beginning of the year I have wanted to tighten the policy we had initially set. The idea behind DMARC is to allow recipients of email to better differentiate genuine content from spammers who spoof email addresses for nefarious and malicious purposes. Our policy has cautiously (and slowly) evolved from the bare minimum towards today’s more typical DMARC value: email which fails legitimacy checks should be delivered to recipients’ spam folder.

The ultimate aim is that everything that is sent out from a genuine Oxford email address should be verifiable with a legitimate source, be provably unaltered in transit, and therefore always delivered to recipients’ inboxes. Meanwhile, spammers who impersonate our email addresses should no longer have their email treated with the same degree of respect: they’ll fail the validation checks, and will thus see their messages sent to recipients’ “junk” folders.

The challenging part of this has been a number of mass-mailing services being used within the University that sent out valid messages, using Oxford email addresses, but which had not been configured with SPF and DKIM to allow for validation checking to take place. It has taken some time to try and track those down, find the people who manage those services – many of whom are not technical – and work with them to get SPF and DKIM in place so that their outgoing email is verifiable and legitimate. There may still be some services within the University which we have not yet found. I will be continuing to look at DMARC logs to identify those where possible, but please log a support ticket with central IT Services if you believe that your genuine mailshot will fail these validation checks. Ask for help configuring SPF and DKIM and please name the service you’re using (Adestra, Mailchimp, Blackbaud etc.) in the ticket.

Our policy’s evolution:

The bare minimum: yes, we have a DMARC policy; no, please don’t take any action:

v=DMARC1; p=none

A slight improvement: we’d like you to quarantine messages which fail authentication checks, but please undertake those checks on zero percent of our messages:

v=DMARC1; p=quarantine; pct=0

And today’s value:

v=DMARC1; p=quarantine

For the curious, our DMARC values have also included a section which uses the National Cyber-Security Centre’s MailCheck service to analyse recipients’ DMARC outcomes for us.

rua=mailto:dmarc-rua@dmarc.service.gov.uk
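Aggregate reports sent to a rua address are XML files, and they are the kind of DMARC log that reveals a mailing service still sending without aligned SPF or DKIM. The Python below is an added example, not code from this post or from the University: it tallies the sources that failed both checks in a constructed sample report using the RFC 7489 element names, with example.org, bulk-mailer.example and the IP addresses as placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; the domains and
# IP addresses are placeholders, not real report data.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.org</domain><p>quarantine</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <auth_results><spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.25</source_ip><count>40</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>lists.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>340</count>
 <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>bulk-mailer.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>60</count>
 <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>bulk-mailer.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.9</source_ip><count>5</count>
 <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def failing_sources(report_xml):
    """Tally messages that failed DMARC, grouped by sending IP and SPF domain."""
    # Reports come from outside parties; a hardened parser such as defusedxml
    # is a reasonable substitute for ElementTree in production use.
    totals = Counter()
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        aligned = row.find("policy_evaluated")
        # DMARC passes if either aligned DKIM or aligned SPF passes, so only
        # rows where both failed are of interest.
        if "pass" in (aligned.findtext("dkim"), aligned.findtext("spf")):
            continue
        # The SPF (envelope) domain often names the bulk-mail service in use.
        key = (row.findtext("source_ip"), record.findtext("auth_results/spf/domain"))
        totals[key] += int(row.findtext("count"))
    return totals.most_common()  # highest-volume failing sources first


if __name__ == "__main__":
    for (ip, spf_domain), count in failing_sources(SAMPLE_REPORT):
        print(f"{count:6d}  {ip:15s}  {spf_domain}")
```

A high-volume source whose raw SPF result passes for a third-party domain while both aligned results fail, like the bulk-mailer.example rows here, is the typical signature of a legitimate mailing service that still needs SPF and DKIM set up for the sending domain.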

 
