Paubox blog: HIPAA compliant email made easy

DMARC best practices according to the NSA

Written by Dean Levitt | May 14, 2024

A joint cybersecurity advisory released by the NSA and FBI includes their recommended DMARC security policies. 

 

What is a DMARC policy?

A DMARC policy is a DNS record that tells receiving mail servers how to treat messages that carry your domain in the From header but fail authentication. A message passes DMARC only if SPF or DKIM passes with a domain that aligns with the From domain; when neither does, the policy can ask the receiver to quarantine the message (send it to spam) or reject it outright. This makes it much harder for an attacker to send phishing mail that appears to come from your domain.

You set a DMARC policy in your domain's DNS settings, as a TXT record at the _dmarc subdomain (for example, _dmarc.example.com).

 

DMARC examples

The bare minimum DMARC record that aligns with the advisory's recommendations is:

v=DMARC1; p=quarantine;

This configuration provides a basic level of protection by instructing receiving servers to quarantine messages that fail DMARC, so they land in spam rather than in a recipient's inbox.

A simple but more detailed DMARC policy is:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100;

This configuration quarantines failing messages and sends aggregate reports to dmarc-reports@example.com so you can monitor who is sending mail as your domain. The pct tag is the percentage of failing messages the policy is applied to; 100 is the default, so the tag is optional here. Starting at around pct=50 lets you test the policy's impact before applying it to all failing mail, but note that receivers give the remaining share the next less strict action (quarantine becomes none), so pct=50 with p=quarantine still delivers about half of the spoofed mail to the inbox.

 

What happened

Published May 2nd, 2024, the advisory titled "North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts," recommends updating your organization's DMARC security policy to one of the two configurations found below.

  • "v=DMARC1; p=quarantine;" which indicates that email servers should quarantine emails that fail DMARC, considering them to be probable spam.
  • "v=DMARC1; p=reject;" which instructs email servers to block emails that fail DMARC, assuming them to be definite spam.

The advisory also states, 'In addition to setting the "p" field in DMARC policy, the authoring agencies recommend organizations set other DMARC policy fields, such as "rua" to receive aggregate reports about the DMARC results for email messages purportedly from the organization's domain.'

 

Going deeper

There are several additional tags (rules) one can add to a DMARC policy:

  • v=DMARC1: Identifies the record as DMARC version 1. It must be the first tag in the record.
  • p=reject: Indicates that emails failing DMARC checks should be rejected. This is the strictest policy: the failing message is refused rather than delivered to spam, so it never reaches a recipient's inbox.
  • rua=mailto:dmarc-reports@example.com: Specifies the address where aggregate reports should be sent. These are XML summaries, typically sent daily by each receiver, listing the sources that sent mail as your domain and whether they passed SPF, DKIM and alignment. They are how you find legitimate senders you forgot to authorize before tightening the policy to reject.
  • ruf=mailto:dmarc-failures@example.com: Specifies the address where forensic (failure) reports about individual failing messages should be sent. They help with troubleshooting, but many large receivers do not send them for privacy reasons, so do not rely on them.
  • pct=100: Indicates that the policy applies to 100% of messages that fail DMARC (the default). With pct=50, receivers apply the policy to half of the failing messages and the next less strict action (reject becomes quarantine, quarantine becomes none) to the rest.
  • aspf=r: Sets SPF alignment to relaxed mode. The domain in the envelope sender (Return-Path) then only needs to share the organizational domain with the From header domain, so mail.example.com aligns with example.com. aspf=s (strict) requires an exact match. Relaxed is the default.
  • adkim=r: Sets DKIM alignment to relaxed mode: the d= domain in the DKIM signature only needs to share the organizational domain with the From header domain. adkim=s requires an exact match. Relaxed is the default.
  • sp=reject: Specifies the policy for subdomains. If sp is absent, subdomains inherit p, so this tag is only needed when the two should differ. Avoid sp=none on a domain with p=reject: it lets an attacker spoof addresses such as hr.example.com unhindered.

A DMARC policy with these rules set would look like this (pct=100, aspf=r and adkim=r are the defaults, so listing them makes the record explicit but does not change its behavior):

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; pct=100; aspf=r; adkim=r; sp=reject;

 

How to set a DMARC policy

Each hosting provider is slightly different, but below are broad steps you can follow to set up the DMARC policy.

  1. Log in: Access your domain registrar or hosting provider's control panel.
  2. Find DNS settings: Look for DNS management or DNS settings.
  3. Add a DMARC record: Create a new TXT record with the following details:
    • Name: _dmarc (some providers expect the fully qualified name instead, such as _dmarc.example.com with your own domain)
    • Type: TXT
    • Value: v=DMARC1; p=quarantine; rua=mailto:your-email@example.com
    • Save the changes. DNS changes can take some time to propagate to other resolvers.

You can check the setup with a DMARC inspector tool, or by looking up the TXT record directly (for example, dig TXT _dmarc.example.com) and confirming that the value you entered is what resolvers return.
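The following Python parser is added here as an illustration and is not code from the original post or from the advisory. It pulls the tags described under "Going deeper" out of a DMARC TXT string, applies the RFC 7489 defaults (sp inherits p; aspf, adkim and pct default to r, r and 100), and reports where a record falls short of the advisory's recommendation. The record strings and the example.com addresses are constructed placeholders.

```python
"""Parse a DMARC TXT record and check it against the NSA/FBI advisory's
minimum (p=quarantine or p=reject, plus rua for aggregate reports).

Added example; not code from the Paubox post or the advisory. The record
strings used below are constructed; example.com is a placeholder domain.
"""

# Allowed values (RFC 7489) for the tags the article discusses.
POLICY_VALUES = {"none", "quarantine", "reject"}
ALIGNMENT_VALUES = {"r", "s"}


def _mailto_list(value: str) -> list:
    """'mailto:a@x,mailto:b@y' -> ['a@x', 'b@y']; reject non-mailto URIs."""
    addrs = []
    for uri in filter(None, (u.strip() for u in value.split(","))):
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"report URI must be mailto: {uri!r}")
        addrs.append(uri[len("mailto:"):])
    return addrs


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with defaults filled in.
    Raises ValueError for records a receiver would ignore as malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name.lower()] = value

    # v=DMARC1 must be the first tag, and p is required.
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")

    policy = {
        "p": tags["p"].lower(),
        "sp": tags.get("sp", tags["p"]).lower(),   # subdomains inherit p
        "aspf": tags.get("aspf", "r").lower(),     # relaxed is the default
        "adkim": tags.get("adkim", "r").lower(),
        "pct": int(tags.get("pct", "100")),        # default: all failing mail
        "rua": _mailto_list(tags.get("rua", "")),
        "ruf": _mailto_list(tags.get("ruf", "")),
    }
    if policy["p"] not in POLICY_VALUES or policy["sp"] not in POLICY_VALUES:
        raise ValueError("p/sp must be none, quarantine or reject")
    if policy["aspf"] not in ALIGNMENT_VALUES or policy["adkim"] not in ALIGNMENT_VALUES:
        raise ValueError("aspf/adkim must be r or s")
    if not 0 <= policy["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    return policy


def advisory_findings(record: str) -> list:
    """Return the gaps between a record and the advisory's recommendation
    (empty list means the record meets it)."""
    try:
        policy = parse_dmarc(record)
    except ValueError as exc:
        return [f"invalid record: {exc}"]
    findings = []
    if policy["p"] == "none":
        findings.append("p=none only monitors; the advisory recommends p=quarantine or p=reject")
    if policy["sp"] == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if policy["pct"] < 100:
        findings.append(f"pct={policy['pct']}: only that share of failing mail gets the policy")
    if not policy["rua"]:
        findings.append("no rua= address, so you will not receive aggregate reports")
    return findings


if __name__ == "__main__":
    # Constructed records: the article's two examples plus a weak one.
    for rec in ("v=DMARC1; p=quarantine;",
                "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                "ruf=mailto:dmarc-failures@example.com; pct=100; aspf=r; adkim=r; sp=reject;",
                "v=DMARC1; p=none; sp=none; pct=50;"):
        print(rec, "->", advisory_findings(rec) or "meets the advisory")
```

The string you feed it is exactly what a TXT lookup of _dmarc.<your domain> returns, so pasting that value in doubles as the verification step after you save the record.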

 

In the news

As reported by Paubox, the Federal Bureau of Investigation, the U.S. Department of State, and the National Security Agency issued a joint Cybersecurity Advisory (CSA) to highlight the threat actor Kimsuky.

Kimsuky, also known as Emerald Sleet or APT43, is a subunit of the North Korean military's Reconnaissance General Bureau (RGB), which aims to gather information on issues that could impact North Korea. 

The advisory determined that Kimsuky is conducting spearphishing campaigns: emails sent by a malicious actor posing as a trusted individual to gather information related to geopolitics or foreign policy strategies. Currently, the actors are posing as legitimate journalists, academics, and other experts with links to North Korean policy.

To help reduce the threat, the CSA advises organizations to ensure they are implementing DMARC security policies. It also recommends that organizations follow CISA's Cross-Sector Cybersecurity Performance Goals, which provide security policies and procedures that organizations can implement to protect data.

 

How SPF, DKIM, and DMARC work together

SPF validates that an email sent from your domain comes from an authorized server. The receiver checks the connecting server's IP address against the SPF record of the envelope sender's domain (the Return-Path, not the From header that the recipient sees).

DKIM adds a digital signature to your email, made with a private key whose public key is published in DNS, so the receiver can verify that the signed headers and body were not altered in transit and that the signing domain (the d= tag) vouched for the message.

DMARC builds on SPF and DKIM: it requires that at least one of them passes with a domain that aligns with the From header domain, and it instructs receiving email servers how to handle emails that meet neither condition (e.g., quarantine or reject). Alignment is what stops an attacker from passing SPF with their own domain while displaying yours in the From header.

  1. SPF check: The receiving server checks if the sender's IP address is authorized to send emails for the envelope sender's domain.
  2. DKIM check: The receiving server verifies the digital signature in the email header.
  3. DMARC check: The receiving server compares the SPF domain and the DKIM signing domain with the From header domain. If neither check passed with an aligned domain, the DMARC policy dictates what to do, and the receiver records the result in the aggregate reports it sends to the rua address.
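To make the alignment rule concrete, here is an added Python simulation (not code from the original post) of the three checks a receiver runs on a single message, including the spoofing case in which the attacker's own domain passes SPF but is not aligned with the From header, and the pct sampling described earlier. The messages and domains (example.com, example.net) are constructed; the organizational-domain helper is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
"""Simulate how a receiving server combines SPF, DKIM and DMARC for one
message. Added example, not code from the Paubox post. Messages and domains
(example.com, example.net) are constructed placeholders."""

# What receivers do with the share of failing mail that pct excludes:
# the next less strict action (RFC 7489 section 6.6.4).
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Assumption:
    real receivers use the Public Suffix List so that 'x.co.uk' stays whole."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) only
    needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(msg: dict, policy: dict, sample: int = 0) -> str:
    """Return 'pass', or the action the policy prescribes for a failure.

    msg carries the SPF result plus the envelope (Return-Path) domain, the
    DKIM result plus the signature's d= domain, and the From header address.
    sample (0-99) stands in for the receiver's random draw against pct."""
    from_domain = msg["from"].split("@")[-1].lower()
    spf_aligned = msg["spf"] == "pass" and aligned(
        msg["mail_from_domain"], from_domain, policy["aspf"])
    dkim_aligned = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], from_domain, policy["adkim"])
    # DMARC passes if either mechanism passes with an aligned domain.
    if spf_aligned or dkim_aligned:
        return "pass"
    # p covers the policy domain itself; sp covers its subdomains.
    action = policy["p"] if from_domain == policy["domain"] else policy["sp"]
    if sample >= policy["pct"]:
        action = DOWNGRADE[action]
    return action


def evaluate_all(messages: list, policy: dict) -> dict:
    """Map each constructed message id to its DMARC outcome."""
    return {m["id"]: dmarc_result(m, policy) for m in messages}


# Equivalent to the record: v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=r
POLICY = {"domain": "example.com", "p": "reject", "sp": "quarantine",
          "aspf": "r", "adkim": "r", "pct": 100}

# Constructed messages, not real traffic.
SAMPLE_MESSAGES = [
    # Sent by the domain's own server: both checks pass and align.
    {"id": "legit", "from": "alice@example.com", "mail_from_domain": "example.com",
     "spf": "pass", "dkim": "pass", "dkim_d": "example.com"},
    # Spoof: the attacker's envelope domain passes SPF, but it is not aligned
    # with the From header, and there is no DKIM signature from example.com.
    {"id": "spoof", "from": "alice@example.com", "mail_from_domain": "attacker.example.net",
     "spf": "pass", "dkim": "none", "dkim_d": ""},
    # Third-party sender: unaligned SPF, but DKIM signed with d=example.com.
    {"id": "esp", "from": "news@example.com", "mail_from_domain": "bounce.esp.example.net",
     "spf": "pass", "dkim": "pass", "dkim_d": "example.com"},
    # From a subdomain and nothing passes: the sp policy applies.
    {"id": "subdomain", "from": "hr@mail.example.com", "mail_from_domain": "mail.example.com",
     "spf": "fail", "dkim": "fail", "dkim_d": "mail.example.com"},
    # DKIM signed by a subdomain: aligned only in relaxed mode.
    {"id": "sub-dkim", "from": "bob@example.com", "mail_from_domain": "other.example.net",
     "spf": "pass", "dkim": "pass", "dkim_d": "mail.example.com"},
]

if __name__ == "__main__":
    for msg_id, outcome in evaluate_all(SAMPLE_MESSAGES, POLICY).items():
        print(f"{msg_id:10s} -> {outcome}")
```

Switching the policy to aspf=s and adkim=s turns the last message into a reject, which is why most domains stay on relaxed alignment unless every legitimate sender signs with the exact From domain.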
