How does dmarcian identify sources/forwarding/threat?
dmarcian maintains rules to classify DMARC data into four high-level categories. Our categories are:
- DMARC Capable
- Non-compliant Sources
- Forwarders
- Threat/Unknown
When we investigate data to add a rule, we try to identify where email is coming from and whether or not the source can be configured for DMARC compliance. We publish the results of our investigations under a creative commons license on dmarc.io—a site that dmarcian runs for the benefit of the email community.
Explanations of the four categories follow.
If we discover a source of email that is capable of sending DMARC compliant email, we’ll note if the source is meeting compliance via SPF and/or DKIM. We’ll also document how the source can be configured to send DMARC compliant email. When displayed in the dmarcian tools, DMARC Capable sources are often accompanied by statistics showing the current level of DMARC compliance for email associated with the source.
When we investigate a source of email and find that it is not capable of sending DMARC compliant email, the source ends up being categorized as “Non-compliant”. We do this 1) to save our users time so they don’t waste their lives trying to get a source of email to send DMARC compliant email, and 2) to raise awareness of sources that haven’t yet figured out how to send DMARC compliant email. If you find yourself using a service that shows up in “Non-compliant Sources,” you can refer them to How to send DMARC compliant email on behalf of others.
Forwarding of email is commonplace on the Internet. Forwarding typically happens when you send email to someone@EXAMPLE.ORG and that someone has configured their email to be forwarded to someplace else, like someone@SAMPLE.NET. People who have an email address from long ago but have decided to move to a webmail provider often fall into this category. Other examples: people with alumni addresses that get forwarded to someplace else, and mailing lists, like Google Groups. In all cases, from the perspective of the email receiver (the one that is generating DMARC XML reports), your email appears to be coming out of infrastructure that otherwise has nothing to do with you.
DKIM signing can survive forwarding, because the signature travels with the message rather than depending on which server delivered it. If your domain is covered with DKIM, dmarcian’s ability to detect forwarding increases. SPF does not work in the context of forwarding, as SPF is simply a list of servers that are authorized to send on behalf of your domain, and the forwarder’s server is not on that list. It is not possible for a domain owner to maintain a list of forwarders.
dmarcian maintains a small set of rules to identify well known forwarders. Some forwarders preserve DKIM if it is present, others appear to always break DKIM signatures.
If we do not have a rule to classify a piece of data, we’ll place that data into the “Threat/Unknown” category. Users will sometimes find legitimate sources of email in this category. When that happens we create rules to pull the source out.
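To make the four-way classification concrete, here is an added example (not dmarcian’s code; the rule table, source names and the aggregate-report fragment are all constructed) that applies rules keyed on sending IP to DMARC aggregate-report records, tallies compliance per category, and lets everything without a rule fall through to Threat/Unknown:

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed rule table (hypothetical, not dmarcian's real rule set):
# sending network, the category it maps to, and the source name we publish.
RULES = [
    (ipaddress.ip_network("198.51.100.0/24"), "DMARC Capable", "ExampleMailer"),
    (ipaddress.ip_network("203.0.113.0/24"), "Non-compliant Sources", "LegacyNotifier"),
    (ipaddress.ip_network("192.0.2.0/24"), "Forwarders", "ExampleGroups"),
]

# Constructed aggregate-report fragment: one <record> per sending IP, with the
# receiver's alignment-aware DKIM/SPF verdicts in <policy_evaluated>.
REPORT = """<feedback>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count><policy_evaluated>
<dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.9</source_ip><count>5</count><policy_evaluated>
<dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.25</source_ip><count>3</count><policy_evaluated>
<dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>100.64.0.1</source_ip><count>120</count><policy_evaluated>
<dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def classify_ip(ip_text):
    """First matching rule wins; anything unmatched falls into Threat/Unknown."""
    ip = ipaddress.ip_address(ip_text)
    for net, category, name in RULES:
        if ip in net:
            return category, name
    return "Threat/Unknown", None


def summarize(report_xml):
    """Bucket records by category; count messages, DMARC-compliant messages
    (aligned DKIM or SPF pass) and messages whose DKIM signature survived."""
    summary = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        category, name = classify_ip(rec.findtext("row/source_ip"))
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        b = summary.setdefault(category, {"messages": 0, "compliant": 0, "dkim_pass": 0, "sources": set()})
        b["messages"] += count
        b["compliant"] += count if (dkim or spf) else 0
        b["dkim_pass"] += count if dkim else 0  # shows which forwarders preserve DKIM
        if name:
            b["sources"].add(name)
    return summary
```

The DMARC Capable bucket gives the compliance ratio shown beside a source, the Forwarders bucket’s `dkim_pass` count shows whether a forwarder preserves signatures, and the 100.64.0.1 record lands in Threat/Unknown only because no rule covers it.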
Lastly, we maintain a small number of rules that call out specific campaigns of “Threat.” Our philosophy isn’t to emphasize the different and changing ways that criminals can send fake email, though, and so these rules are generally not very useful. Why classify the ever changing pile of dung that criminals create, when simply blocking it all is possible?