2
DMARC and how it actually works with SmarterMail?
Question asked by Steve Guluk - 2/11/2023 at 12:39 PM
Answered
Hello, 
1) When we set our DMARC record to p=quarantine does SmarterMail know how to handle this by default or do we need make other settings in SmarterMail to determine where the quarantined email goes?

2) I use a subdomain to send and receive all emails for my customers. I currently have a DMARC DNS record for that subdomain within the parent DNS record, but think it may not be needed as the DMARK element sp=none is in place.

Thank you to anyone that can help shed light on these questions.

12 Replies

Reply to Thread
0
Douglas Foster Replied
The subdomain record is optional, but if you use it, it is configured at _dmarc.subdomain.parentdomain.topdomain.   The p= term on the subdomain takes precedence over the sp clause on the parent.

Search for "RFC 7489" to read the full DMARC specification.
1
Douglas Foster Replied
Marked As Answer
On thoughts on your post:
DMARC works across forwarding, as long as the message is not altered, while SPF does not.  You have no way of knowing in advance whether messages will be forwarded, but some forwarding is likely. Consequently, you should ensure that your messages are being signed.   There are several ways to verify that messages are signed correctly.  You can search for "DKIM TEST" to find them, or you can send a message to a gmail.com account and then review the source view.    

The policy that you publish can be used by recipients to decide how to handle messages you send, not how incoming messages are handled.

For incoming messages, you choose whether to enable DMARC in the Antispam options.   But the implementation disappoints me.
1) The documentation says that Spam Quarantine is only for outbound messages.   This is confirmed by the fact that weight-based options do not provide for a quarantine option.   A logical inference is that DMARC FAIL with p=QUARANTINE will cause the message to be delivered to the user's spam folder, which is not a safe way to quarantine.   

2) You need good log-parsing tools to evaluate DMARC decisions.   If it truly detected a malicious source, you need to identify the responsibile identifiers and configure rules to block them.   If DMARC threw a false positive, you need to be able to configure a rule to cause DMARC to be ignored for that   
To fix the errors, you need to be able to configure multiple-attribute rules, like "If MailFrom=ConstantContact.Com and SPF=PASS and FROM=Example.com, then treat equivalent to DMARC PASS".   SmarterMail doesn't seem to have the tools to do this.  False positives will most definitely occur.

3) Log files do not facilitate detecting and evaluating problems on a quick-response or even same-day basis.

Essentially all of these issues apply to SPF FAIL processing as well.

Because of these limitations, I do a crude approximation of DMARC using heavily customized Declude and a downstream commercial-product spam filtering appliance.
3
Zach Sylvester Replied
Employee Post
Hey Steve, 

Thanks for reaching out with this question. Currently, I would say that DMARC half works. 

The reject works but the quarantine does not. 
I'm going to have a meeting tomorrow or Wednesday with management regarding this and talk about how we should handle quarantine. 

Kind Regards, 

Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
0
Steve Guluk Replied
Hey Zach,
Hopefully, this will be addressed as more entities are blocking mail if SPF, DKIM and DMARC are not properly in place.

Does the Quarantine to Spam work as Douglas noted? Or does this require some rules or code on the Declude level to implement?
0
Douglas Foster Replied
Steve, you are still confusing the two.    As long as you have a policy in place, your messages produce SPF PASS (to validate the MailFrom domain, and are DKIM signed (to vaidate the From domain), you should not need to worry about messages being blocked.  Whether you specify None, Quarantine, or Reject does not matter as long as the message produce PASS.

If you turn on SmarterMail DMARC,  you will filter incoming traffic based on the domain policy of the From address.   One form of spam uses  your domain for both From and To, and these messages will be detected as DMARC FAIL., so your DMARC policy will apply to those messages.   Based on the support comment, it appears that your policy will be ignored if it specifies Quarantine.

Unfortunately, there are legitimate sites that will do the very same type of impersonation, including a US Government website and the secure email feature of two big email filtering vendors.    That's why I consider the review process and exception mechanism of equal importance with DMARC FAIL detection.

About Declude:   The built-in SPF test does not handle multi-segment SPF records, causing incorrect results on a non-trivial percentage of messages.   So I have replaced it with a Declude custom filter that calls Pythom PYSPF.   The Python module DKIMPY does my DKIM evaluation.   (Both modules are open source.)   We customized DKIMPY a little to check all signatures that are similar to the From domain, and return a PASS or FAIL result.    We use a heuristic to define "similar", rather than the public suffix list, which is why I call it a poor man's implementation of DMARC.   A Python programmer should be able to build the missing PSL lookup logic into DKIMPY.

I am happy to share scripts from my implementation.

For receiving and processing DAMRC feedback reports, I use a free account at postmarkapp.com.   Limited features for free, advanced features for a price.

1
Zach Sylvester Replied
Employee Post
Hey All, 

I just wanted to give you an update on this. I had a meeting last week and it looks like we are going to add a spam weight that you can edit for when DMARC fails and the policy is set to Quarantine. 
We are not going to use the percentage tag inside of the DMARC records so using this feature would be the same as having DMARC PCT set to 100%. 
At this time we are also not going to be sending DMARC reports. But those two things may be added in the future if you guys submit a feature request and enough people want it. 

Kind Regards, 

Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
3
Douglas Foster Replied
No need to implement the PCT parameter.   It was a bad idea from the start, and it makes no sense for evaluators to pay attention to it.   The DMARC working group, which I have been monitoring, is writing an updated specification.  The PCT parameter is dropped in that draft.

0
David B. Alexander Replied
This is generally related to the above conversation: a business colleague is sending emails to a user email address that is hosted on SmarterMail. That SmarterMail-hosted email address then forwards to the user's Gmail address. Gmail determines that DMARC was not followed, and since the original sender (the business colleague) has their DMARC policy set to Reject, their emails are getting bounced back.

When I send to the same user and the email gets forwarded to that user's Gmail account, and I look via "Show original", both SPF and DKIM show as "PASSED".

Is the business colleague doing something wrong when he sends (in his email setup)? Is there any way to have SmarterMail forward emails and keep DKIM or SPF intact for the business colleague? And, is there a way you know of to tell Gmail to ignore DMARC for this one particular sender? As you can tell, I am not sure what is going on, other than the fact that the bounce message says the emails for the business colleague failed DMARC and have a Reject setting.
0
Zach Sylvester Replied
Employee Post
Hey David, 

Thanks for reaching out. It sounds like they need to enable SRS. Per our documentation. 
  • Enable SRS when forwarding messages - Enable this to allow the mail server to re-email (as opposed to "forward") an email message so that it passes any SPF checks on the recipient's end.
I hope this helps. 

Thanks, 
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
0
David B. Alexander Replied
Thank you, Zach. I have updated the SRS to "Enabled" and propogated it to all domains, and asked that colleague to try a test when he gets my email message. So hopefully that did the trick. Will let you (and others) know.

Is forwarding from an email address handled the same way as forwarding that an alias does?
0
Douglas Foster Replied
I have to disagree with Zach.  SRS will no do nothing to fix your DMARC problem.   SRS rewrites the SMTP MailFrom address to use your domain.   That allows the forwarded message to pass SPF based on your domain, but does nothing for DMARC FAIL, because DMARC is based on the message From address, not the SMTP MailFrom address.   

Since DMARC checks the message's From header, the domain being verified is the originator's domain.   DMARC looks for alignment with a verified MailFrom address or alignment with a verified DKIM signature.   Forwarded mail will lose SPF alignment or SPF verification, so the only surviving authentication option is DKIM.

Given that the rejected message failed DKIM verification, it had one of two problems:
1) It never had a valid DKIM signature for the originator domain, or
2) Your environment added or altered content so that the DKIM signature became invalid.

A domain should never publish a "Reject" policy until they are certain that all messages are transmitted with signatures, but not everybody does what they should.    Given  your other comments, this seems like the most likely case.

But your environment could be causing the problem if 
(a) SmarterMail or your spam filter add any text, such as "This message received from an external source"
(b) You have a fancy spam filter that rewrites all links to provide "click-time" protection.
(c) You have SmarterMail configured to add a footer or signature to every outbound message.
(d) The target address is a SmarterMail mailing list address, and you have configured the list to add content to the subject or body to identify it as a list message.

If any of these apply, the solution is to disable any feature that is adding or altering message content.

Note that when Gmail (or anybody else) blocks a message, your server's reputation takes a hit.    If you take enough hits, you could have all of your messages to that organization getting blocked.  One organization posted in this forum about getting a temporary infection that led to a Gmail block.   The block was cleared after 30 days, during which time they lost all communication to the world's largest email system.   You could also end up on an RBL, and discover that your messages to lots of organizations are getting blocked.

Given that every email client handles multiple email accounts, there are very few good reasons to do message forwarding, and lots of downside risks.   I suggest reviewing whether you want to allow forwarding off of your system at all.  Unfortunately, SmarterMail has primitive options:   everybody can forward, or nobody can forward.

Product Directions:
SmarterMail (and every other mail product) should change the way that auto-forwarding is implemented.   Instead of applying a user forward setting automatically, the setting should generate an approval request to the domain admin or system admin.   The request should only be approved if the admin gets a message from the forwarding target account to confirm that it wants the forwarding stream.   This prevents mistakes and abuse.   Then the admin can decide whether the forwarding request is acceptable based on admin policy:  lots of organizations are subject to data privacy regulations which are violated as soon as the organization's communications are forwarded to a personal account.

Doug Foster

0
Douglas Foster Replied
On the other hand, I know that Gmail has a relaxed approach to DMARC enforcement, so perhaps SRS will be sufficient for them. 

Reply to Thread