Windows/Exchange: Understanding DMARC and How to use it with your Exchange-based Email Solution alongside SPF, and DKIM

Created: 8-7-21

Updated: 8-15-21

Email security can be confusing, and one thing that is often misunderstood and/or never used is DMARC. SPF and DKIM are used more often, but sadly I still see DKIM not used either. But that’s a topic for another day. I have discussed SPF at length, here:

Let’s start by asking, “What is DMARC?” Domain-based Message Authentication, Reporting and Conformance (DMARC) is a free and open technical specification, first published in 2012, that authenticates an email by checking that the domain validated by SPF and/or DKIM aligns with the domain in the message’s visible From: header, and that lets the domain owner state what receivers should do with mail that fails and where to send reports about it. DMARC helps fight business email compromise, phishing, and spoofing.

I have people ask me all the time, what is DKIM used for? In short, it is used by the receiving mail systems to verify that a message really came from your domain and was not altered in transit: your sending server signs each outgoing message with a private key, and the receiver checks that signature against the public key you publish in DNS. It helps ensure that legitimate mail from your domain isn’t flagged as spam.

Let’s start by explaining SPF, DKIM, and DMARC:

  • SPF allows domain owners to publish, in a DNS TXT record, which IP addresses (mail servers) are allowed to send mail for a particular domain.
  • DKIM adds a digital signature to outgoing mail, created with a private key held by the sending server; the matching public key is published in DNS under a selector (for example selector1._domainkey.contoso.com) so receivers can verify that the message was not forged or altered. Microsoft 365 (O365) supports DKIM signing for your custom domain; it simply needs to be enabled, after the two selector CNAME records Microsoft provides are published in DNS.
  • DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails authentication, and where to send reports.

I will try to explain this as clearly as I can; it’s quite technical. 😀

::::::Relaxed Posture:::::

Typically, a DMARC record is set up in the public DNS zone for your domain, at your registrar or DNS host (GoDaddy, for example). This record is defined as a TXT record. The name is usually defined like this, “_dmarc.contoso.com”, and a “Relaxed” example would look like this:

 _dmarc.contoso.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:websecure-aggregated@contoso.com; ruf=mailto:websecure-forensic@contoso.com; pct=100"

Note: Relaxed alignment lets an SPF- or DKIM-authenticated domain that shares a common organizational domain with the email’s header From: domain (for example, mail.contoso.com and contoso.com) pass the DMARC alignment check. By default, unless adkim/aspf are specified in the record, DMARC alignment is relaxed.

What this means is as follows:

v=DMARC1 specifies the DMARC version

p=quarantine specifies the preferred treatment of the DMARC policy (Ref. 1)

rua=mailto:websecure-aggregated@contoso.com is the mailbox to which aggregate (daily XML summary) reports are sent

ruf=mailto:websecure-forensic@contoso.com is the mailbox to which forensic (per-message failure) reports are sent

pct=100 is the percentage of failing mail to which the domain owner would like its policy applied (100 is also the default when the tag is omitted)
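Here is an added example (mine, not part of the original post or of any Microsoft tooling) that parses a _dmarc TXT record like the one above into its tags and fills in the defaults a receiver assumes for anything the record omits, which is why the Relaxed record never needs to spell out adkim=r or aspf=r. The record strings are the post’s own; the function name parse_dmarc_record and the exact set of checks are my choices.

```python
# Added example, not code from the original post: parse a DMARC TXT record
# into tag -> value, validate the tags the post discusses, and apply the
# RFC 7489 defaults (adkim=r, aspf=r, pct=100, sp inherits p).
# Standard library only; runs offline.

DMARC_POLICIES = {"none", "quarantine", "reject"}
DMARC_ALIGNMENT = {"r", "s"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record value into a dict with defaults applied.

    Raises ValueError for the mistakes that make a receiver ignore the
    record entirely: 'v=DMARC1' not first, no 'p', an unknown policy or
    alignment value, or a 'pct' outside 0..100.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()

    # The version tag must be the first tag and must be DMARC1.
    first = txt.strip().split(";", 1)[0].strip()
    if first.lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")

    if "p" not in tags:
        raise ValueError("p= (policy) is required")
    tags["p"] = tags["p"].lower()
    if tags["p"] not in DMARC_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")

    # Defaults a receiver assumes when the tag is absent (RFC 7489 section 6.3).
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p

    for tag in ("adkim", "aspf"):
        tags[tag] = tags[tag].lower()
        if tags[tag] not in DMARC_ALIGNMENT:
            raise ValueError(f"{tag}= must be 'r' (relaxed) or 's' (strict)")

    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    tags["pct"] = int(tags["pct"])

    # Report URIs are comma-separated lists of mailto: addresses.
    for tag in ("rua", "ruf"):
        if tag in tags:
            tags[tag] = [u.strip() for u in tags[tag].split(",") if u.strip()]

    return tags


if __name__ == "__main__":
    # The post's Relaxed record, and the same record with strict alignment added.
    relaxed = ("v=DMARC1; p=quarantine; rua=mailto:websecure-aggregated@contoso.com; "
               "ruf=mailto:websecure-forensic@contoso.com; pct=100")
    strict = relaxed + "; adkim=s; aspf=s"
    for record in (relaxed, strict):
        print(parse_dmarc_record(record))
```

Run it against the Relaxed record and you will see adkim, aspf and sp appear in the output even though the record never mentions them; that is exactly what a receiving server does before it evaluates alignment.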

::::::Strict Posture:::::

Alternatively, this is the same setup but with a “Strict” Posture:

_dmarc.contoso.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:websecure-aggregated@contoso.com; ruf=mailto:websecure-forensic@contoso.com; adkim=s; aspf=s; pct=100"

Note: Strict alignment requires an exact match between the SPF-authenticated domain (and, with adkim=s, the DKIM d= domain) and the email’s header From: domain; a subdomain is no longer enough.

What this means is as follows: the v, p, rua, ruf, and pct tags are the same as in the Relaxed record above, and two alignment tags are added:

adkim=s sets the DKIM alignment mode to strict: the domain in the d= tag of the message’s DKIM-Signature header (what reporting tools show as “DKIM Domain is”) must match the “Header From Domain is” exactly. Under relaxed alignment (adkim=r, the default), a subdomain of the same organizational domain is enough.

For example, if the header From: is contoso.com and the message is signed with d=mail.contoso.com, DKIM alignment passes under relaxed but fails under adkim=s; a signature with d=mail.contoso.ru fails under either mode, because contoso.ru is a different organizational domain. If SPF does not align either, the message fails DMARC and the p= policy applies, so with p=quarantine or p=reject it won’t reach the inbox. This is a good method of preventing email and/or server spoofing.

aspf=s sets the SPF alignment mode to strict: the domain SPF authenticated, i.e. the envelope sender domain (RFC5321.MailFrom, shown as “MailFrom Domain is”), must match the “Header From Domain is” exactly.

For example, with a header From: of contoso.com, mail whose envelope sender is ‘mail2.contosoo.com’, ‘contoso.mail.com’, or ‘smtp.contoso.ru’ fails SPF alignment, because none of these is contoso.com (they are not even the same organizational domain, so they would fail under relaxed alignment too); an envelope sender such as bounce.contoso.com would pass under relaxed but fail under aspf=s. A message with neither aligned SPF nor aligned DKIM fails DMARC and is handled per the p= policy. This is a good method of preventing email and/or server spoofing.

(Technical explanation (ADKIM): https://mxtoolbox.com/dmarc/details/dmarc-tags/adkim)

(Technical Explanation (ASPF): https://mxtoolbox.com/dmarc/details/dmarc-tags/aspf)

::::::Reference:::::

Reference 1: Bear in mind there are 3 different DMARC policies (p= values) you can select:

  1. none: treat the mail the same as it would be without any DMARC validation (monitor only; reports are still sent)

  2. quarantine: accept the mail but place it somewhere other than the recipient’s inbox (typically the spam or junk folder)

  3. reject: reject the message outright at SMTP time
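The following is an added example, written for this page and not taken from the post or from any mail product, that shows how a receiver applies relaxed versus strict alignment (the adkim/aspf section above) and then maps the result onto the three policies just listed, including the pct sampling. The domains are the post’s; the function names, the simplified organizational-domain rule (last two labels, where a real receiver consults the Public Suffix List so that contoso.co.uk works), and the envelope sender bounce.contoso.com are my assumptions.

```python
# Added example, not code from the original post: DMARC identifier alignment
# in relaxed ('r') and strict ('s') mode, and the disposition a receiver
# derives from the p= policy and pct. Standard library only; runs offline.
import random
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; a real receiver uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment.

    auth_domain is what SPF or DKIM authenticated: the RFC5321.MailFrom
    (envelope sender) domain for SPF, the d= tag of the DKIM-Signature for
    DKIM. Strict ('s') demands an exact match with the header From: domain;
    relaxed ('r') accepts any name under the same organizational domain.
    """
    a = auth_domain.lower().rstrip(".")
    h = header_from_domain.lower().rstrip(".")
    if mode == "s":
        return a == h
    if mode == "r":
        return org_domain(a) == org_domain(h)
    raise ValueError("alignment mode must be 'r' or 's'")


def dmarc_passes(header_from: str,
                 spf_domain: Optional[str], spf_pass: bool,
                 dkim_domain: Optional[str], dkim_pass: bool,
                 aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes when at least one mechanism both authenticated the message
    AND produced an aligned identifier. A None domain means the identifier was
    absent (no DKIM-Signature, or an empty MAIL FROM)."""
    spf_aligned = bool(spf_pass and spf_domain
                       and is_aligned(spf_domain, header_from, aspf))
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and is_aligned(dkim_domain, header_from, adkim))
    return spf_aligned or dkim_aligned


def disposition(policy: str, dmarc_pass: bool, pct: int = 100,
                roll: Optional[int] = None) -> str:
    """Map a DMARC result to the requested action: 'none', 'quarantine' or 'reject'.

    pct samples failing mail: a roll (1..100) above pct gets the next weaker
    policy (reject -> quarantine, quarantine -> none), per RFC 7489 6.6.4.
    roll can be injected to make the sampling deterministic.
    """
    if dmarc_pass or policy == "none":
        return "none"
    if roll is None:
        roll = random.randint(1, 100)
    if roll > pct:
        return {"reject": "quarantine", "quarantine": "none"}[policy]
    return policy


if __name__ == "__main__":
    # Header From: contoso.com; envelope sender and DKIM d= are the subdomain
    # mail.contoso.com, the situation the post's strict-mode notes are about.
    for mode in ("r", "s"):
        ok = dmarc_passes("contoso.com", "mail.contoso.com", True,
                          "mail.contoso.com", True, aspf=mode, adkim=mode)
        print(f"aspf={mode} adkim={mode}: subdomain sender aligned -> {ok}")
    # Lookalike or foreign domains fail in either mode.
    for bad in ("mail2.contosoo.com", "contoso.mail.com", "smtp.contoso.ru"):
        print(f"{bad}: {dmarc_passes('contoso.com', bad, True, bad, True)}")
    print("p=quarantine, fail, pct=50, roll=75 ->",
          disposition("quarantine", False, pct=50, roll=75))
```

Note the forwarding case the functions make visible: if a message is relayed through another domain so SPF no longer aligns, an exactly aligned DKIM signature (d=contoso.com) still carries it through DMARC even under aspf=s, which is one reason to enable DKIM rather than relying on SPF alone.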

Now you might be asking, this is a bit much, can we just create the DMARC record with a generator? Simple answer: yes. See: DMARC Generator

Another Generator is found here: DMARC Generator #2

In conclusion, I know this write-up was quite long, and I might reword it over time, but it is quite distilled as it is. Hopefully this makes as much sense to others as it does to me. 🙂

Cheers! 😀