DMARC Management
Overview
Organizations use SPF, DKIM and DMARC to ensure attackers cannot launch phishing attacks impersonating senders from their domain.
Emails from the organization’s domains are sent not only by the organization itself (for example, its Microsoft 365 tenant), but also by many other sending sources such as Salesforce, Marketo and others.
To ensure the business is not harmed by partners or customers blocking legitimate emails from the organization’s domains, make sure your SPF and DKIM records are properly maintained and include all legitimate sending sources.
The organization’s DMARC DNS record (specifically the p tag) states what should be done with emails that fail authentication checks.
Three possible values for the p tag in the DMARC record:
- none – recipients should report failures but still deliver emails allegedly from the domain even if they fail authentication.
- quarantine – recipients should quarantine emails that fail authentication. They are usually marked as spam.
- reject – recipients should not even accept the email and never deliver it to their end users.
Since keeping SPF and DKIM records complete is usually a difficult task, most organizations do not have a DMARC policy (p) tag at all or assign the value none to it.
DMARC Management helps organizations make sure all legitimate senders are allowed so that you can confidently apply a restrictive policy tag in your organization's DMARC DNS record.
Benefits
DMARC Management helps you safely transition to a restrictive DMARC policy. It includes:
- Visibility into all the services sending emails on behalf of your domains and subdomains
- Search across all DMARC-failed emails sent on the organization's behalf
- Actionable DMARC record change recommendations
Prerequisites
Periodically, email receivers send aggregated reports containing information on all emails they received from your domain, the IP addresses from which they received them, and the authentication results (SPF and DKIM) for each IP address. These reports are sent to the email addresses (the RUA mailbox) defined with the rua tag in your domain's DMARC DNS record.
Sample DMARC record content:
Harmony Email & Collaboration needs to receive the aggregated DMARC RUA reports. To do that, you must configure the rua tag of your DMARC record:

| Present RUA value | Change to |
|---|---|
| An internal mailbox | No changes required. Harmony Email & Collaboration reads the value from the DNS record and monitors the internal mailbox. |
| An internal distribution list | The distribution list forwards the aggregated report to an internal mailbox. You must point the internal mailbox to Harmony Email & Collaboration. To do that: |
| A hosted mailbox | If you wish to use a hosted mailbox, you must add a Check Point hosted mailbox to your rua tag. For more information, see RUA Mailbox Hosted by Check Point. |
RUA Mailbox Hosted by Check Point
Organizations that send large volumes of email to external recipients often receive many DMARC RUA reports in a short period of time. The volume is so large that Microsoft and Google often reject some of them to stay within their maximum allowed incoming email rate.
Harmony Email & Collaboration automatically creates a dedicated RUA mailbox for every tenant (account) in the Harmony Email & Collaboration Administrator Portal.
To use the dedicated RUA mailbox:
- Access the Harmony Email & Collaboration Administrator Portal and click DMARC > Overview.
- From the top of the page, click Configuration. The DMARC Configuration pop-up appears.
- From the Your Hosted reports mailbox field, copy the dedicated RUA mailbox created for your tenant (account).
- Click OK.
- Add the RUA mailbox to the list of email addresses for the rua tag in your DMARC DNS record.
Note - DNS changes might take up to 24 hours to reflect in the Harmony Email & Collaboration Administrator Portal.
External Reporting Authorization Record
To make sure that the DMARC records for your domain are accepted by Check Point, after you add the Check Point hosted mailbox to your DMARC record, Check Point automatically adds an External Reporting Authorization Record.
It creates a domain name in the format: <your_domain>.com._report._dmarc.dmarc-cp.com. In this domain, a TXT record is added with this content: "v=DMARC1":

| Text | Description |
|---|---|
| TXT | <your_domain>.com._report._dmarc.dmarc-cp.com |

Note - This process could take a couple of hours after Check Point detects the update to your DMARC record.
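An added example, not Check Point's code, showing how the pieces above fit together: it parses a DMARC TXT record, classifies the p tag values from the Overview, extracts the rua mailboxes, and derives the name of the external reporting authorization record that an outside RUA destination must publish with v=DMARC1 (RFC 7489 section 7.1; the dmarc-cp.com record on this page is one instance, and the code generalizes to any external rua domain). The sample record and the tenant mailbox name are constructed placeholders.

```python
"""Added example (not Check Point's code): parse a DMARC TXT record, classify its
policy (p) tag, and list the RFC 7489 section 7.1 authorization records that a
third-party RUA destination such as dmarc-cp.com must publish."""

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    return tags

def effective_policy(tags: dict) -> str:
    """A missing or invalid p is treated as none when rua is present (RFC 7489 6.6.3)."""
    p = tags.get("p", "").lower()
    return p if p in VALID_POLICIES else "none"

def is_restrictive(tags: dict) -> bool:
    return effective_policy(tags) in ("quarantine", "reject")

def rua_addresses(tags: dict) -> list:
    """mailto: addresses from the rua tag, with any '!10m' size limit stripped."""
    uris = [u.strip() for u in tags.get("rua", "").split(",")]
    return [u[len("mailto:"):].split("!")[0] for u in uris if u.lower().startswith("mailto:")]

def authorization_records_needed(domain: str, tags: dict) -> dict:
    """For each RUA mailbox outside `domain`, the DNS name whose TXT record must
    contain v=DMARC1 before receivers send reports there (RFC 7489 section 7.1).
    Assumes `domain` is the organizational domain (no Public Suffix List lookup)."""
    needed = {}
    for addr in rua_addresses(tags):
        dest = addr.rsplit("@", 1)[-1].lower()
        if dest != domain.lower():
            needed[addr] = f"{domain}._report._dmarc.{dest}"
    return needed

def authorization_txt_is_valid(txt: str) -> bool:
    """True when the verification TXT record carries v=DMARC1."""
    try:
        return parse_dmarc_record(txt).get("v") == "DMARC1"
    except ValueError:
        return False

# Constructed sample record; the mailbox name at dmarc-cp.com is a placeholder.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com,mailto:tenant-mailbox@dmarc-cp.com"
```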
Reviewing the DMARC Status of your Domains
The Overview page shows a list of all the organization's protected domains and subdomains.
To view the Overview page, click DMARC > Overview.
| Column | Description |
|---|---|
| Status | Monitoring status of the domain. |
| Domain | Domain name. |
| DMARC % Failures | The percentage of emails that failed DMARC (DKIM and SPF) out of the total number of reported emails sent by the domain. |
| DMARC Policy | The recommended enforcement on emails that failed DMARC sent on behalf of the subdomain. It is a description of the value defined in the policy (p) tag in the subdomain's DMARC record. |
| Reported Emails | The total number of reported emails for the domain. |
| Tags | Custom annotation tags added to the domain. |
Tracking Improvements in SPF and DKIM Hygiene
From the Overview page, you can view a graph that shows the trend of the DMARC failure rate per subdomain over time.
The graph allows you to track improvements in the SPF and DKIM hygiene for these domains, resulting in a lower DMARC failure rate.
To filter the graph to specific domains, click the legend entries of the other domains to turn them off.
Changing View to Top Level Domains
By default, the Overview page shows the status of the individual subdomains. To change the DMARC status view to aggregate the results by top-level domain, click Group Domains.
While viewing the results aggregated by top-level domain, to clear the aggregation and view the status of the individual subdomains again, click Ungroup Domains.
Annotating / Tagging Domains and Sending Sources
While analyzing the subdomains, administrators often need to annotate domains to differentiate between them.
To add a custom tag to a domain or subdomain:
- Click the icon in the last column of the domain.
- Click Update Tags.
- In the Tags field, enter one or more tags separated by commas.
- Click OK.
Note - Annotating / tagging domains does not impact the DMARC status of the domain and does not change the domain’s DNS.
Investigating the DMARC Status of Domains
The Overview page allows you to drill down into domains and analyze the sources sending emails on the organization's behalf.
To analyze the DMARC status of a domain, click the domain in the table. The system shows these details describing the different sending sources:

| Column | Description |
|---|---|
| New | Indicates if the source has recently started sending emails on behalf of the domain. To see the first instance of the source sending emails on behalf of the domain, hover over the source name / IP address. |
| Sent via Source | The service provider used to send the email. To investigate the IP addresses from which the sending source sent emails on behalf of the domain, see Investigating a Specific Sending Source. |
| Reported Emails | The number of reported emails sent from this source on behalf of the domain. |
| Reported Failed Emails | The number of emails sent from this source that failed DMARC authentication. |
| DMARC % Failures | The percentage of emails that failed DMARC out of the total number of reported emails sent from the source. |
| SPF % Failures | The percentage of emails that failed SPF out of the total number of reported emails sent from the source. |
| DKIM % Failures | The percentage of emails that failed DKIM out of the total number of reported emails sent from the source. |
| SPF Not Aligned | The percentage of emails whose SPF is not aligned out of the total number of reported emails sent from the source. |
| DKIM Not Aligned | The percentage of emails whose DKIM is not aligned out of the total number of reported emails sent from the source. |
| Number of Reporters | The number of unique servers that reported emails being sent from this source. |
| Distinct IP Addresses | The number of unique IP addresses used by the source to send emails. |
| Tags | Tags assigned to the source. See Annotating / Tagging Domains and Sending Sources. |
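An added example, not Check Point's or the product's code, that parses a constructed DMARC aggregate (RUA) report of the kind described under Prerequisites and derives the per-source metrics defined in the table above (reported, failed, DMARC/SPF/DKIM failure percentages, SPF and DKIM alignment), then applies the Recommendations page's rule that a restrictive policy is proposed when DMARC failures are below 3%. It groups rows by source IP; the product's mapping of IPs to a named sending service is not shown. The report XML, IPs and counts are constructed sample data.

```python
"""Added example (not Check Point's code): parse a DMARC aggregate (RUA) report
and compute the per-source metrics described in the table above. Rows are
grouped by source IP; mapping IPs to a named sending service is omitted."""
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample in the RFC 7489 Appendix C schema; counts and IPs are made up.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>98</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><result>pass</result></dkim><spf><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><result>fail</result></dkim><spf><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>1</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><result>fail</result></spf></auth_results></record>
</feedback>"""

def source_metrics(xml_text: str) -> dict:
    """Per-source counts and failure percentages (DMARC, SPF, DKIM, alignment)."""
    keys = ("reported", "dmarc_fail", "spf_fail", "dkim_fail", "spf_unaligned", "dkim_unaligned")
    stats = defaultdict(lambda: dict.fromkeys(keys, 0))
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        n, s = int(row.findtext("count")), stats[row.findtext("source_ip")]
        # policy_evaluated holds the aligned verdicts; auth_results the raw results.
        dkim_ok, spf_ok = (row.findtext(f"policy_evaluated/{t}") == "pass" for t in ("dkim", "spf"))
        dkim_raw = any(d.findtext("result") == "pass" for d in rec.findall("auth_results/dkim"))
        spf_raw = any(p.findtext("result") == "pass" for p in rec.findall("auth_results/spf"))
        s["reported"] += n
        s["dmarc_fail"] += n * (not (dkim_ok or spf_ok))  # DMARC passes if either identifier aligns
        s["spf_fail"] += n * (not spf_raw)
        s["dkim_fail"] += n * (not dkim_raw)
        s["spf_unaligned"] += n * (spf_raw and not spf_ok)    # raw pass, wrong domain
        s["dkim_unaligned"] += n * (dkim_raw and not dkim_ok)
    for s in stats.values():
        for k in ("dmarc", "spf", "dkim"):
            s[f"{k}_pct_fail"] = round(100 * s[f"{k}_fail"] / (s["reported"] or 1), 2)
    return dict(stats)

def domain_failure_rate(stats: dict) -> float:
    """DMARC % Failures for the whole domain, as shown on the Overview page."""
    total = sum(s["reported"] for s in stats.values())
    return round(100 * sum(s["dmarc_fail"] for s in stats.values()) / total, 2) if total else 0.0

def ready_for_restrictive_policy(stats: dict, threshold: float = 3.0) -> bool:
    """The Recommendations page proposes a restrictive policy when failures are below 3%."""
    return domain_failure_rate(stats) < threshold
```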
Investigating a Specific Sending Source
You can drill down into a specific sending source for a particular domain to investigate the IP addresses from which the sending source sent emails on behalf of the domain.
To do that, after you have drilled down into the specific domain, click one of the source names in the Sent via Source column. The system shows these details:

| Column | Description |
|---|---|
| IP Address | IP address of the sending source. For more information about the IP address, see Investigating a Single Sending IP Address. |
| Location | The geo-location of the IP address. |
| Reported Emails | The number of reported emails sent from this IP address by the source. |
| Reported Failed Emails | The number of emails sent from this IP address that failed DMARC authentication. |
| DMARC % Failures | The percentage of emails that failed DMARC out of the total number of emails sent from the IP address. |
| SPF % Failures | The percentage of emails that failed SPF out of the total number of emails sent from the IP address. |
| DKIM % Failed | The percentage of emails that failed DKIM out of the total number of reported emails sent from the IP address. |
| Number of Reporters | The number of unique organizations that reported emails being sent from this IP address. |
| Number of Envelope | The number of unique envelope-to values in emails sent from this IP address. |
Investigating a Single Sending IP Address
To view more information about the IP address of a specific sending source, click the IP address in the table. The system shows these details for the IP address:

| Column | Description |
|---|---|
| IP | IP address |
| Host name | Host name |
| Location | The geo-location of the IP address |
| ASN | Autonomous System Number (ASN) of the IP address. |
Viewing Specific RUA Reports
To view a specific RUA report:
- Click DMARC > RUA Explorer. The system shows a table with all the RUA reports received.
- Click the link in the Report ID column to view its raw XML content.
Improving your Domains’ DMARC Enforcement
The Recommendations page shows a list of actionable recommendations to safely configure a restrictive DMARC policy for your domains and helps you maintain SPF and DKIM hygiene.
To view the Recommendations page, click DMARC > Recommendations.
To export the data in CSV format, click Export to CSV.
Possible recommendations:
- Adding IP addresses to SPF
- Properly configuring RUA mailboxes for your domains
- Implementing a DMARC policy where p=none
- Implementing a restrictive policy for certain domains
  - This is done when the percentage of DMARC failures is below 3%
- And so on.
Monitoring SPF and DMARC Changes
The DNS Change-Log page shows changes to the SPF records and the DMARC policies of your domains.
To view the DNS Change-Log page, click DMARC > DNS Change-Log.
| Column | Description |
|---|---|
| Date | The date and time of the change. |
| Domain | The domain whose SPF / DMARC record has changed. |
| Type | The record type that was changed. |
| Current Value | The value after the change. |
| Changes | The previous value and the new value. |
| Comments | The custom comments added for the change. |
Annotating / Commenting on SPF and DMARC Changes
You and your team can add custom comments to every change. This is helpful when investigating or auditing a specific event.
To add comments to a specific change:
- Click the icon in the last column of the change.
- Click Update Comment. The DMARC Action pop-up appears.
- In the Comments field, enter the comments.
- Click OK.