How to repair DMARC

The DMARC mechanism has its drawbacks, but we have developed a technology to fix them.

Over e-mail’s history, people have come up with a lot of technologies designed to protect recipients from fraudulent (mainly phishing) e-mails. DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) had significant drawbacks, so the Domain-based Message Authentication Reporting and Conformance (DMARC) mail authentication mechanism was designed to identify messages with a fake sender domain. But DMARC also turned out to be far from an ideal solution. Therefore, our researchers have developed an additional technology to eliminate the disadvantages of this approach.

How DMARC works

A company seeking to prevent others from sending e-mails using the names of its employees can configure DMARC in its DNS resource record. In essence, that allows message recipients to make sure the domain name in the “From:” header is the same as in DKIM and SPF. In addition, the record indicates the address to which mail servers send reports concerning received messages that did not pass verification (for example, if an error occurred or an attempt to fraudulently impersonate a sender was detected).

In the same resource record, you can also configure DMARC policy to specify what happens to the message if it fails to pass the check. Three types of DMARC policies cover such cases:

  • Reject is the strictest policy. Choose it to block all e-mails that do not pass the DMARC check.
  • With the Quarantine policy, depending on the mail provider’s exact settings, the message will either end up in the spam folder or be delivered but marked suspicious.
  • None is the mode that lets the message reach the recipient’s mailbox normally, although a report is still sent to the sender.

Disadvantages of DMARC

By and large, DMARC is capable. The technology does make phishing much more difficult. But in solving one problem, this mechanism causes another: false positives. Legitimate messages may be blocked or marked as spam in two types of cases:

  • Forwarded messages. Some mail systems break the SPF and DKIM signatures in forwarded messages, whether messages are forwarded from various mailboxes or they are redirected between intermediate mail nodes (relays).
  • Incorrect settings. It is not uncommon for mail server administrators to make mistakes when configuring DKIM and SPF.

When it comes to business e-mail, it’s difficult to say which scenario is worse: letting through a phishing e-mail or blocking a legitimate message.

Our approach to fixing the DMARC’s flaws

We find the technology unquestionably useful, so we decided to strengthen it by adding machine-learning technology to the validation process to minimize false positives without undermining the benefits of DMARC. Here’s how it works.

When users compose e-mails, they use a Mail User Agent (MUA) such as Microsoft Outlook. The MUA is responsible for generating the message and sending it to the Mail Transfer Agent (MTA) for further routing. The MUA adds the necessary technical headers to the message body, subject, and recipient address (which are filled in by the user).

To bypass security systems, attackers often use their own MUAs. As a rule, they are homemade mail engines that generate and fill in messages in accordance with a given template. For example, they generate technical headers for messages and their content. Each MUA has its own “handwriting.”

If the received message fails the DMARC check, then our technology comes into play. It runs on a cloud service that connects with the security solution on the device. It begins further analysis of the sequence of headers as well as the contents of the X-Mailer and Message-ID headers using a neural network, thereby enabling the solution to distinguish a legitimate e-mail from a phishing one. The technology was trained on a huge collection of e-mail messages (about 140 million messages, 40% of which were spam).

The combination of DMARC technology and machine learning helps ensure the user’s protection from phishing attacks while minimizing the number of false positives. We have already implemented the technology in every one of our products that have an antispam component: Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Linux Mail Server, Kaspersky Security for Mail Gateway (parts of Kaspersky Total Security for Business) and Kaspersky Security for Microsoft Office 365.