How does DMARC work with Proofpoint Essentials?

Created by Abderrahim Ibnou el kadi, Modified on Mon, 15 Mar, 2021 at 11:32 AM by Abderrahim Ibnou el kadi


Situation

You want to know how DMARC works with Proofpoint Essentials.

Solution

This article explains how to enable DMARC authentication in the new Anti-Spoofing section, as well as the following:

  • How Proofpoint decides what to do with an email based on the sender's DMARC policy.
  • How DMARC Authentication works.
  • What SPF & DKIM Alignment are.

 

How To Enable DMARC Authentication

[Screenshot: Enable_Dmarc.png]

  1. In the sidebar, under Security Settings, navigate to Malicious Content > Anti-Spoofing.
  2. Under Inbound DMARC, select Allow the sending domain's DMARC policy to determine whether or not to block messages.
  3. Click Save.

If the setting is enabled AND the From header domain of the sender has a valid DMARC record, then the individual DKIM and SPF policies are ignored and the sender’s DMARC policy determines the action taken on the email.

Anybody can buy a domain, including those with malicious intent. However, it is the From Header domain that is most often spoofed. As such, we look up the DMARC record of the From header domain and NOT the record of the Envelope Sender/Return Path domain (which is used to authenticate SPF).

How Proofpoint Uses The DMARC Policy

Some Definitions

    Return-Path: <splinter@tmnt.org>
    Delivered-To: <shredder@turtlesoup.com>
    Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain of splinter@tmnt.org designates 1.2.3.4 as permitted sender) smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
    Received: from ...
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=tmnt.org; s=february2021; i=@tmnt.org; q=dns/txt; h=...
    Date: Wed, 4 Feb 2021
    From: "Splinter" <splinter@tmnt.org>
    To: "Shredder" <shredder@turtlesoup.com>
    Subject: Recipe Ideas

Email headers contain multiple fields with addresses/domains, and it is important for DMARC to be able to distinguish between them.

  • Envelope From Domain - The return path (sometimes called the reverse path, envelope sender, or envelope from; all of these terms are used interchangeably) is the value used in the SMTP session in the MAIL FROM command. The domain from this field is the value used for typical SPF authentication.
  • From Header Domain - The From address is the value found in the From header. This is supposed to be who the message is from, and it is what you see as the "From" in most mail clients.
  • DKIM Signature Domain - In the DKIM-Signature field, d= indicates the domain used together with the selector (s=) to locate the public key in DNS. The value is a domain name owned by the sender.

Anatomy Of A DMARC Record

[Screenshot: dmarc_record_example.PNG]

Tag Name | Purpose                                    | Sample
---------|--------------------------------------------|------------------------------------
v        | Protocol version                           | v=DMARC1
p        | Policy for organizational domain           | p=quarantine
rua      | Email address to send aggregate reports to | rua=mailto:dmarc-reports@domain.com

In total there are 11 tags. The only mandatory tags are v and p. It is strongly recommended that the rua tag is included so that organizations receive aggregate reports. Proofpoint is mainly concerned with the p tag, which has three possible values: none, quarantine, and reject. For more information, and for a full list of each tag and what it does, see the following third-party resource: https://dmarc.org/overview/

What Action Will Proofpoint Take Based On DMARC Policy

Proofpoint will never bounce or reject mail based on a domain's DMARC policy.

Depending on the DMARC policy of the From Header domain, Proofpoint will take one of two actions.

  1. If the DMARC policy is p=reject or p=quarantine and the email fails DMARC authentication, then the email is quarantined and categorized as Fraud.
  2. If the DMARC policy is p=none (referred to as monitor mode) and the email fails DMARC authentication, then no action is taken, and the email is sent for additional processing, i.e., Custom Filters, Spam Engine, etc.

Emails categorized as Fraud will not appear in the digest of end users, and can only be released by Organization Admins and above. 
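The record anatomy and the action table above, as an added example (not Proofpoint's code): a small parser for a DMARC TXT record that enforces the two mandatory tags, plus a function that maps the p= policy to the outcome this article describes, including the no-record case where the individual SPF/DKIM policies apply instead. The record strings are constructed; the return strings are labels chosen for this example.

```python
# Added example (not Proofpoint's code): parse a DMARC TXT record into its
# tags, enforce the two mandatory tags, and map the p= policy to the action
# this article describes. The record strings used with it are constructed.
MANDATORY_TAGS = ("v", "p")
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into {tag: value}.
    Raises ValueError when v or p is missing or p holds an unknown value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    for tag in MANDATORY_TAGS:
        if tag not in tags:
            raise ValueError(f"missing mandatory tag {tag!r}")
    if tags["v"].upper() != "DMARC1":
        raise ValueError(f"unexpected version {tags['v']!r}")
    if tags["p"].lower() not in POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def proofpoint_action(tags, dmarc_passed: bool) -> str:
    """Outcome for a message whose From header domain published 'tags'
    (None when the domain has no valid DMARC record)."""
    if tags is None:
        # No DMARC record: the individual SPF and DKIM policies apply instead
        return "apply individual SPF/DKIM policies"
    if dmarc_passed:
        return "DMARC pass: no DMARC action"
    if tags["p"].lower() in ("reject", "quarantine"):
        # Never bounced or rejected: quarantined and categorised as Fraud
        return "quarantine as Fraud"
    # p=none (monitor mode): continue to custom filters, spam engine, etc.
    return "no action; continue processing"
```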

How DMARC Authentication Works

For a message to pass DMARC Authentication, at least one of the following conditions must be met:

  1. The message passes SPF Authentication and SPF Alignment
  2. The message passes DKIM Authentication and DKIM Alignment

A message will fail DMARC if it fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment. The table below shows potential combinations (not all) and the outcome of the DMARC evaluation.

SPF Authentication | SPF Alignment | DKIM Authentication | DKIM Alignment | DMARC Evaluation
-------------------|---------------|---------------------|----------------|-----------------
Pass               | Pass          | Pass                | Pass           | Pass
Pass               | Fail          | Pass                | Fail           | Fail
Pass               | Pass          | Fail                | Fail           | Pass
Fail               | Fail          | Pass                | Pass           | Pass
Fail               | Pass          | Pass                | Fail           | Fail

To drive home the point, it bears repeating: a message must have at least one complete pair to pass DMARC Authentication.

What Is SPF & DKIM Alignment

By design, SPF only authenticates the Envelope Sender address, leaving the From Header address unchecked.

Similarly, DKIM only authenticates the d=domain.com value in the DKIM signature, which can be different from the domain in the From Header address.

Identifier alignment is a mechanism introduced in DMARC to ensure that at least one of the domains authenticated by SPF or DKIM aligns with the domain found in the From Header address.

SPF Alignment

SPF alignment passes when the domain portion of the Envelope From address matches the domain found in the From Header address.

If the Envelope From address is empty, alignment is checked against the EHLO domain presented in the initial SMTP greeting.

EXAMPLE OF SPF ALIGNMENT PASS

    Return-Path: <splinter@tmnt.org>
    Delivered-To: <shredder@turtlesoup.com>
    Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain of splinter@tmnt.org designates 1.2.3.4 as permitted sender) smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
    Date: Wed, 4 Feb 2021
    From: "Splinter" <splinter@tmnt.org>
    To: "Shredder" <shredder@turtlesoup.com>
    Subject: Recipe Ideas

The Envelope From (i.e. Return-Path) domain (tmnt.org) and the From Header domain (tmnt.org) are identical, and therefore SPF Alignment passes.

EXAMPLE OF SPF ALIGNMENT FAIL

    Return-Path: <splinter@tmnt.org>
    Delivered-To: <shredder@turtlesoup.com>
    Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain of splinter@tmnt.org designates 1.2.3.4 as permitted sender) smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
    Date: Wed, 4 Feb 2021
    From: "Splinter" <splinter@ninjaturtles.com>
    To: "Shredder" <shredder@turtlesoup.com>
    Subject: Recipe Ideas

The Envelope From (i.e. Return-Path) domain (tmnt.org) and the From Header domain (ninjaturtles.com) are different, and therefore SPF Alignment fails, even though SPF authentication itself passed for tmnt.org.

DKIM Alignment

DKIM alignment passes when the domain value in the d= field of the DKIM signature of the email header matches the domain in the From Header address field.

EXAMPLE OF DKIM ALIGNMENT PASS

    Return-Path: <splinter@tmnt.org>
    Delivered-To: <shredder@turtlesoup.com>
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=tmnt.org; s=february2021; i=@tmnt.org; q=dns/txt; h=...
    Date: Wed, 4 Feb 2021
    From: "Splinter" <splinter@tmnt.org>
    To: "Shredder" <shredder@turtlesoup.com>
    Subject: Recipe Ideas

The d= domain (tmnt.org) and the From Header domain (tmnt.org) are identical, and therefore DKIM Alignment passes.

EXAMPLE OF DKIM ALIGNMENT FAIL

    Return-Path: <splinter@tmnt.org>
    Delivered-To: <shredder@turtlesoup.com>
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=tmnt.org; s=february2021; i=@tmnt.org; q=dns/txt; h=...
    Date: Wed, 4 Feb 2021
    From: "Splinter" <splinter@ninjaturtles.com>
    To: "Shredder" <shredder@turtlesoup.com>
    Subject: Recipe Ideas

The d= domain (tmnt.org) and the From Header domain (ninjaturtles.com) are different, and therefore DKIM Alignment fails, even though the DKIM signature itself verified.

There is another scenario in which SPF/DKIM alignment can pass even if the domains are not identical. If the DMARC record's alignment mode is relaxed (the default, set by the aspf and adkim tags), and the Envelope From domain or d= domain is a subdomain of the From Header domain or vice versa, e.g. "mail.domain.com" and "domain.com", then alignment will pass. You can read more about this at a third-party website.
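The alignment rules and the DMARC evaluation table above, worked through in code as an added example (not Proofpoint's code): the headers are parsed, SPF and DKIM results are read from Authentication-Results, alignment is checked in strict mode or in the relaxed subdomain mode this article describes, and the two pairs are combined into the DMARC result. The sample message is constructed, and the `helo` parameter stands in for the EHLO domain used when the envelope sender is empty.

```python
# Added example (not Proofpoint's code): compute SPF/DKIM alignment and the
# DMARC outcome from message headers as this article describes. The message
# below is constructed for the example.
import email
import email.utils
import re

SAMPLE = """Return-Path: <splinter@tmnt.org>
Authentication-Results: mail.tmnt.org; spf=pass (tmnt.org: domain of
 splinter@tmnt.org designates 1.2.3.4 as permitted sender)
 smtp.mailfrom=splinter@tmnt.org; dkim=pass header.i=@tmnt.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tmnt.org;
 s=february2021; q=dns/txt; h=from:to:subject; bh=...; b=...
From: "Splinter" <splinter@tmnt.org>
To: "Shredder" <shredder@turtlesoup.com>
Subject: Recipe Ideas

Body text.
"""


def _domain(addr: str) -> str:
    """Domain part of '"Name" <user@host>'; '' for an empty or missing address."""
    return email.utils.parseaddr(addr)[1].rpartition("@")[2].lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: also pass when one domain is a
    subdomain of the other (the mail.domain.com case in the article)."""
    if not auth_domain or not from_domain:
        return False
    if auth_domain == from_domain:
        return True
    return mode == "relaxed" and (auth_domain.endswith("." + from_domain)
                                  or from_domain.endswith("." + auth_domain))


def evaluate_dmarc(raw: str, mode: str = "strict", helo: str = "") -> dict:
    """Per-identifier alignment plus the overall DMARC result. SPF/DKIM
    authentication results are read from Authentication-Results; 'helo'
    is the EHLO domain, used only when the envelope sender is empty."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    spf_dom = _domain(msg.get("Return-Path", "")) or helo.lower()
    auth = msg.get("Authentication-Results", "")
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None
    dkim_pass = re.search(r"\bdkim=pass\b", auth) is not None
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1).lower() if m else ""
    spf_aligned = aligned(spf_dom, from_dom, mode)
    dkim_aligned = aligned(dkim_dom, from_dom, mode)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": (spf_pass and spf_aligned) or (dkim_pass and dkim_aligned)}
```

Swapping the From line for the ninjaturtles.com address from the article's fail examples makes both alignments fail and therefore the DMARC result fail, while a From of mail.tmnt.org fails in strict mode and passes in relaxed mode.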