DMARC Dictionary

Aggregate reports are in the form of XML and communicate data about the received, quarantined and failed emails and which emails are authenticating against SPF, DKIM and DMARC.

Assess, Implement, Manage (AIM) is dmarcian’s methodology of moving domains from p=none to p=reject in a controlled and structured manner.

When three header fields (From, ReturnPath (SPF), DKIM d=) in an email are matching, proving it is a trustworthy email coming from where it’s supposed to be coming from. Strict alignment matches exactly; relaxed alignment matches on the organizational domain level with a combination of the primary/subdomains. See also DKIM Alignment, DMARC Alignment, SPF Alignment.

(Anti-Phishing Email Client Standards) – a dmarcian initiative for a security protocol to inform email receivers about fraudulent outbound links.

(business email compromise) – a type of cyber crime that uses email fraud/spoofing to attack organizations in order to achieve a specific goal like extracting user credentials or financial details/transfers.

Brand Indicators for Message Identification (BIMI) – a standard that associates a brand’s logo with an authenticated piece of email. BIMI gives brands an opportunity to reinforce their logo while building trust as a sender within their subscriber’s inboxes. To implement BIMI, both SPF and DKIM must be set up for the email domain, with DMARC deployed with a policy set to either reject or quarantine.

the practice of disallowing certain sender domains, email addresses, IP addresses, etc. through security infrastructure because of poor reputation in the ecosystem.

(Classless Inter-Domain Routing) – method for allocating IP addresses and for IP routing. The IETF introduced CIDR in 1993 to replace the previous classful network addressing Internet architecture. CIDR’s goal is slow the growth of routing tables on routers across the Internet and to help slow the exhaustion of IPv4 addresses.

(canonical name) – a type of DNS record that allows the ability to alias one name to another.

(computer security incident response team) – an organizational team that coordinates and supports the response to a computer security event or event.

DNS-based Authentication of Named Entities (DANE) – an Internet security protocol allowing TLS certificates to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

(distributed denial-of-service) – a DDoS attack is a nefarious attempt to disrupt normal traffic of a network by overwhelming the infrastructure with traffic.

process of advancing DMARC domain policies from p=none to p=quarantine to p=reject.

(DomainKeys Identified Mail) – a free technology used to link a piece of email to a domain. When an email is sent, it is signed using a private domain key and then validated on the receiving mail server (or ISP) using a public key that is located within the DNS. This action authenticates that the content of the email was not modified during its transfer. It prevents someone from intercepting your email, altering it, then sending it along with altered information. DKIM signatures can survive forwarding, which makes it superior to SPF and a great way to secure your email.

when the domain from the d= value of DKIM authenticated signature and the RFC 5322 (from) match.

(Domain-based Message Authentication, Reporting and Conformance) – a DNS record that provides reports and instructs receivers about what to do with passed or failed messages.

when the visible FROM domain in an email matches with at least the DKIM d= or SPF/ReturnPath domain.

We include this entry because many people ask about the pronunciation of dmarcian. Stress the first syllable, letter d, then say martian—[dee märSHən]. While you’re here, we’ll also tell you that dmarcian was founded in 2012 by a primary author of the DMARC specification. His name is Tim. dmarcian is dedicated to upgrading the entire world’s email by making DMARC accessible to all. dmarcian has global operations and staff in seven countries. Fully self-funded, dmarcian’s focus is on our clients, not an investor group.

the components of the DNS TXT record:

• Tag v: version of DMARC. A mandatory tag so ESP knows how to process the record.
• Tag p: policy for the domain. A mandatory tag so ESP knows what to do with emails that fail alignment. Modes: none, quarantine, reject, none (only reports); quarantine (sends emails to spam); reject (mail is not delivered to Inbox).
• Tag sp: subdomain policy that specifies a different policy for a subdomain.
• Tag pct: percentage of messages subject to policy. Default is 100%.
• Tag adkim: Alignment mode for DKIM. Modes are strict and relaxed. Default is relaxed.
• Tag aspf: Alignment for SPF. Modes are strict and relaxed. Default is relaxed.
• Tag rua: defines what email address should aggregate reports.
• Tag ruf: defines what email address should aggregate forensic reports.
• Tag rf: Defines the format of forensic reports.
• Tag ri: Defines the interval of sending aggregate reports.

(domain management function) – an organization’s centralized authority that performs the procurement, management and monitoring of Internet domains.

(domain name system) – a database that connects domain name to Internet address. DNS also has additional records about the domain and plays a crucial role in enabling email authentication systems.

Domain Name System Security Extensions (DNSSEC) – a set of specifications designed to secure DNS information.

(email service provider) – a supplier/source who provides the ability to send emails using its infrastructure.

(extended SMTP protocol) – updated version of SMTP (simple mail transfer protocol) with enhanced capabilities.

these reports, also knows as RUF, define who is trying to send failed emails. Forensic reports include additional information such as the subject line and header information as well as any URLs (URIs) included in the message. Even though the reports can be redacted, some report generators do not send them to avoid any issue related to privacy because individual Forensic/Failure reports can contain Personally Identifiable Information (PII), and some major email receivers are sensitive to any potential privacy-related issues.

defined in RFC5322 with two components—Display Name and Address Field. The Address Field includes the email address itself; the Display Name or Friendly From is intended to hold a more human-readable identifier for the author of the message like “John Smith.” Email clients typically show the Display Name by default.

(Fully Qualified Domain Name) – fully qualified domain name where a domain has both an A record (IP) and PTR record (hostname) that match.

a mailbox for collecting spam and malware. The mailbox may be created for this purpose, or it may be a pre-existing mailbox taken over after it has ceased being used for some period. The concept is that any mail arriving at the honeypot is automatically suspect, and some operators will assume all received messages are spam. The term spam trap is also used to refer to this type of mailbox.

(Internet Engineering Task Force) – the IETF mission is to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use and manage the Internet.

(Internet message access protocol v.4) – protocol to retrieve mail from a mail server. The server syncs the contents of the mailbox and the devices that connect with it. Messages remain on the server.

(Internet protocol) – an address that is a numerical label assigned to a device connected to the internet.

(internet service provider) – a company that provides access to the internet and other related services such as email, website building and hosting. ISP can also refer to the inbox service provider aspect of Internet providers.

(local area network) – a group of connected computers and network devices.

(Messaging, Malware and Mobile Anti-Abuse Working Group) – an organization where the industry comes together to work against botnets, malware, spam, viruses and DoS attacks.

(metropolitan area network) – a large network that typically spans several buildings in the same city or town.

(multipurpose Internet mail extensions) – allows the sending of more than plain text, like images and files.

(message submission agent) – receives email messages from a mail user agent (MUA) and cooperates with a mail transfer agent (MTA) for delivery of the mail. The MTA accepts incoming mail, while the MSA accepts outgoing mail. Using a specific submission server is a requirement when sender policies or signing practices are enforced.

(managed service provider) – a company that offers managed IT services to customers. MSPs generally host and manage servers, applications and networks.

(managed security service provider) – a company that offers cybersecurity services to customers. MSSPs offer cybersecurity management that can include email authentication, DMARC, firewalls and virtual private network (VPN) administration.

(message transfer agent) – mail server that sends and receives mail.

(mail transfer agents – strict transport security) – a standard to improve the security of SMTP by enabling domain names to opt into a strict transport layer security mode that requires authentication (valid public certificates) and Transport Layer Security (TLS).

(mail user agent) – application-based mail tool like Outlook, Thunderbird, Gmail, Hotmail.

(mail exchanger) – destination mail server.

a DNS record that lists servers that will accept email messages for domains.

the primary domain of an organization, aka, top-level domain.

when a cyber criminal impersonates someone via email in an effort to carry out an illicit action such as installing ransomware, stealing confidential information, or gaining access to a private network. Phishing attacks are the most common and costliest cyber attacks.

(Post Office Protocol v.3) – protocol to retrieve mail from a mail server. Simpler and only retrieves inbox. POP3 does not synchronize. Can be viewed offline since it downloads mail.

pointer record that lists a human readable name/hostname for an A record/IP address.

receiving servers that accept messages to be delivered to inboxes. Receiving servers decide what to do with messages because not all emails are accepted and might go to junk/spam or not be delivered at all.

a server that receives email to be delivered to inboxes and generates RUA and RUF reports. Not all RUA reporters send RUF reports.

(request for comments) – IETF documentation that covers many aspects of computer networking, including protocols, procedures, programs and concepts, as well as meeting notes, opinions and sometimes humor.

• RFC 5321 – RFC about SMTP
• RFC 5322 – RFC about internet message format
• RFC 7489 – RFC about DMARC
• RFC 7960 – RFC about DMARC issues with indirect email flows

XML reports that provide a comprehensive view of all of a domain’s traffic. RUA reporting is the only requirement for building and maintaining DMARC compliance.

type of MTA that allows an SMTP server to route email to an intermediate mail server rather than directly to the recipient’s server.

(single sign on) – a session and user-authentication service that permits a user to use one set of login credentials (e.g. name and password) to access multiple applications.

(secure/multipurpose Internet mail extensions) – the standard for public key encryption and signing of MIME data. An SMTP server to route email to an intermediate mail server rather than directly to the recipient’s server.

(simple mail transfer protocol) – an internet transport protocol that is used to send and receive email from one server to another. SMTP is the original internet protocol used for mail transmission (RFC 821).

a company that sends emails on behalf of others. Following are the most notable types of sources:

*ESPs – offer the ability to send bulk (marketing and/or transactional) emails with their own domain
*ISPs – offer the ability to receive and send emails with your own domain (business or personal communication, but not bulk messaging)
*Other services allow you to send emails with your own domain. Those can be support/ticketing systems, payment providers, e-merchant services, etc.

(sender policy framework) – a way for Internet Service Providers to verify that a mail server (IP address) is authorized to send email for a specific domain.

substituting SPF include clauses in the record with direct IP addresses in order to not exceed the allowed DNS lookup requests. dmarcian doesn’t recommend flattening because it presents security risks.

illegitimate imitation of a domain name with nefarious aims.

(secure sockets layer) – cryptographic protocol designed to provide communications security over a computer network.

(transmission control protocol/Internet protocol) – one of the two underlying internet protocols that are commonly used today to transmit reliable, ordered and error-checked delivery of a stream of data packets across the internet.

(transport layer security) – Protocol extension to SMTP and successor of SSL.

type of DNS record used to associate arbitrary text with a host or other name.

(uniform resource identifier) – string of characters that identifies a particular internet-based resource.

(Vendor email compromise) – a specific type of business email compromise scam that targets vendors or suppliers via phishing emails and then sends fake invoices to their customers.

(wide area network) – connects LANs and may be limited to an enterprise or accessible to the public. The technology is high speed and relatively expensive. The internet is an example of a public WAN.

the practice of allowing sender domains, email addresses, IP addresses, etc. through security infrastructure.

a type of markup language that uses text to allow data to be both human readable and machine readable.