After a month of reading DMARC reports I find I’m still asking myself – What is the next step? How does this help me (and in turn you)? I’ll hopefully have better answers later this week after my meeting with a couple of DMARC data experts. Remember I’m running in reporting only mode at the moment and just trying to grasp how bad the spoofing issues for email addresses @emailkarma.net are… Sadly Pharmacy Bots send more email as EmailKarma.net than I do on a daily basis
While I don’t have currently any answers about what to do with reports, I do have a few significant notes about DMARC to consider based on my observations:
- May Not Be For Everyone: DMARC is probably less useful for a hobby domains where there is typically very little out bound email traffic unless you are heavily spoofed in spam. However I have found that tracking these reports and understanding the patterns of spam bots faking users at my domains has become quite enlightening.
I’m hoping to learn more in the upcoming weeks as I get more in touch with the data and the options available for my domains.
- Mailing List Issues: DMARC may fail when participating on discussion lists as some fail to authenticate the sender appropriately. Yahoo Groups seems to fail both SPF and DKIM tests for messages I have posted to a few lists. This could be an issue for some users if policy rules are implemented incorrectly or too aggressively.
- Information Overload: Seeing the number of forensic reports, individual reports for each message evaluated by the receiving domain, that are being generated for messages (both pass and fail). The number of messages reports could be excessive for large domains, domains that mail frequently or domains frequently attacked by spammers.
This problem is exponential as more domains check DMARC records and begin sending reports on the messages they are processing.
- Reporting Data: Seeing all the links in spoofed emails could be very useful to commonly phished services by reducing the time to receive notifications of the attack (and shorten take down time) during spam runs. Also I could see services like the URIBL being utilized to quickly list spam sources. This would need to be automated as it can be a lot of data to review.
- Automation is Key: You will never be able to process these reports manually, building a solution or partnering with a reporting service that is already DMARC capable will be key to making use of it.
More on these solutions later
So far it’s been an interesting learning experience for me on this and I hope that these learning points will help you build your policies and encourage you to test DMARC against your email domains. If you are testing DMARC I’d love to hear your experiences either in the comments or send me an email: contact at emailkarma.net.