DMARC Dabblings

posted Feb 20, 2014, 5:52 AM by Tom Pedersen [ updated Mar 16, 2015, 4:07 AM ]

DMARC is a relatively new technical standard designed to help email senders/receivers identify and combat spam, spoof, and phishing type activity. The standard appears to be an effective email authentication strategy for organizations concerned with fraud and/or reputational risk. Implementation is a tad convoluted, but worth the effort and somewhat of a social responsibility! Here are a few resources I found useful, hopefully helpful to others.

Backgrounders

DMARC Overview from Official Site @ DMARC.org
A nice Introduction from the Online Trust Alliance
DMARC Training videos from the Messaging, Malware & Mobile Anti-Abuse Working Group (M³AAWG)

Adoption, Momentum and Motivation

Industry & Business Momentum from the Online Trust Alliance
Interesting Email Trust Index published quarterly by Agari (registration required)
DMARC Annual Reports - Year 1 Report (pdf) - Year 2 Progress - from DMARC.org

Step-By-Steps

How to Implement DMARC in your organization. A 2-Pager from networkwold.com
Practical overview w/ risks/limitations from McAfee - "SPF, DKIM and DMARC Demystified" (5 page PDF)
Excellent Guide with an interesting list of email providers who send DMARC reports from unlocktheinbox.com
DMARC Guide for Google Apps Admins but potentially useful to others

For Banking Friends

An evolving set of tools and scorecards @ www.phishingscorecard.com including Bank Adoption
Interesting Article "Can DMARC Hook Online Phishers" from Bankinfosecurity.com (registration required)
Email Authentication Policy & Deployment Strategy for Financial Services Firms from BITS.org (50+ pg PDF)

Handy Technical Specs & Considerations

Internet Draft DMARC RFC (02) @ submitted to Internet Engineering Task Force (IETF)
DMARC Report Schema (proposed) @ http://dmarc.org/draft-dmarc-base-00-01.html#xml_schema
DMARC Record tags (proposed) @ http://dmarc.org/draft-dmarc-base-00-01.html#iana_dmarc_tags
DMARC Security Considerations @ http://dmarc.org/draft-dmarc-base-00-01.html#sec_considerations

Favorite DMARC Tools

Create your very own DMARC record using http://kitterman.com/dmarc/assistant.html
DMARC Record Inspector from dmarcian.com - See what others are (or *not*) doing with DMARC
Check your email Authentication State by sending blank email to checkmyauth@auth.returnpath.net
Interesting Set of DMARC, DKIM and SPF test tools from NIST @ https://www.had-pilot.com/py/had.html

Odd/Ends

Domainkeys Identified email details @ http://dkim.org/
Sender Policy Framework details @ http://www.openspf.org/
My Google Apps Message Authentication Step-by-Step from a couple of years ago

Thats it, hope it helps

Navigation

Ongoing Projects

DMARC Dabblings