The DMARC mechanism checks whether the domain shown as an email's sender matches the domain that was actually authenticated, and can thus expose spoofed emails. Kaspersky experts have eliminated the disadvantages of Domain-based Message Authentication, Reporting and Conformance (DMARC) with newly developed technology.
Throughout the history of email, people have come up with many technologies to protect recipients from fraudulent emails (mainly phishing). DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) had significant disadvantages, so the Domain-based Message Authentication Reporting and Conformance (DMARC) mail authentication mechanism was developed to identify messages with a spoofed sender domain. However, DMARC did not prove to be a panacea. Therefore, Kaspersky researchers have developed additional technology to eliminate the disadvantages of DMARC.
How DMARC works
A company that wants to prevent others from sending e-mails on behalf of its employees can configure DMARC in its DNS resource record. This essentially allows message recipients to ensure that the domain name in the “From:” header is the same as it is in DKIM and SPF. In addition, the resource record specifies the address to which the mail servers send reports on received messages that have not passed the check (e.g. if an error has occurred or an attempt to impersonate the sender with fraudulent intent has been discovered).
In the same resource record, one can also configure the DMARC policy, which determines what happens to a message that fails the check. Three DMARC policies cover such cases:
- Reject is the strictest policy. If you choose this option, all emails that fail the DMARC check will be blocked.
- With the quarantine policy, depending on the mail provider, the message either ends up in the spam folder or is delivered but marked as suspicious.
- If you choose None, the message will reach the recipient's inbox, although a report will still be sent to the sending domain's owner.
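To make the record parsing, the alignment check and the three policies concrete, here is an added example in Python; it is not code from the original article or from Kaspersky's products. The DMARC record, the domain names and the two-label shortcut for the organizational domain are assumptions; a real receiver would use the public suffix list and the SPF/DKIM results its MTA actually computed.

```python
# Hypothetical minimal DMARC evaluator (added example, not Kaspersky's code).
# Input: the sender domain's DMARC TXT record, the domain in the "From:" header,
# and the domains for which the receiving MTA recorded an SPF pass and a DKIM pass.

# Constructed sample record: reject on failure, send aggregate reports to the owner.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Relaxed alignment (organizational domain match) is the default for both.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Assumed simplification: the last two labels form the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return 'pass', or the published policy ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc_record(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # A message forwarded by another host: SPF now passes only for the relay's
    # domain and the DKIM signature was broken, so the strict policy rejects it.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "forwarder.test", None))
```

The forwarded case at the bottom is exactly the false positive discussed later in the article: nothing is spoofed, but neither authenticated domain aligns with the From: domain.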
Disadvantages of DMARC
By and large, DMARC is quite capable. The technology makes phishing much more difficult. But when solving one problem, this mechanism causes another: false positives. Harmless messages can be blocked or marked as spam in two types of cases.
- Forwarded messages: Some mail systems break the SPF and DKIM signatures of forwarded messages, whether a user forwards them from a mailbox or a server redirects them through intermediate mail nodes (relays).
- Incorrect settings: It is not uncommon for mail server administrators to make mistakes when configuring DKIM and SPF.
When it comes to business email, it's difficult to tell which scenario is worse: letting a phishing email pass through or blocking a legitimate message.
Kaspersky's approach to addressing the DMARC flaws
The technology is undoubtedly useful, so Kaspersky decided to strengthen it by adding machine learning to the validation process, thus minimizing false positives without undermining the benefits of DMARC. Here is how it works:
When users compose e-mails, they use a Mail User Agent (MUA), an e-mail program such as Microsoft Outlook. The program is responsible for generating the message and sending it to the Mail Transfer Agent (MTA) for further forwarding. The user fills in the message text, subject and recipient address; the e-mail program then adds the necessary technical headers.
To circumvent security systems, attackers often use their own e-mail programs. Usually these are home-grown mail engines that generate and fill out messages according to a predefined template, producing both the technical headers and the content. Each e-mail program has its own "signature".
Distinguishing legitimate email from phishing email
When a received message fails the DMARC check, our technology comes into play. It runs on a cloud service that the security solution on the device connects to. It further analyzes the sequence of the headers as well as the content of the X-Mailer and Message-ID headers using a neural network, which enables the solution to distinguish a legitimate email from a phishing email. The technology has been trained on a huge collection of email messages (approximately 140 million messages, 40% of which are spam).
The combination of DMARC technology and machine learning helps protect users from phishing attacks while reducing the number of false positives. We have already implemented the technology in each of our products that have an anti-spam component: Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Linux Mail Server, Kaspersky Security for Mail Gateway (partly in Kaspersky Total Security for Business) and Kaspersky Security for Microsoft Office 365.
More on this in the blog at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/