A guide to detecting DMARC problems using the pentesting techniques
While DMARC has proven its ability to keep spoofing and phishing attacks at a distance, DMARC records can have errors and misconfigurations. So, if you are seeing multiple instances of false positives, false negatives, delivery issues, etc., then it’s suggested that you check your DMARC record to see if it has issues. This can be done by running your DMARC TXT record through an online lookup tool. You can also come across errors and misconfigurations using penetration testing.
Penetration testing (or pen testing for short) is a method to explore vulnerabilities by performing an authorized and strategized simulated cyberattack. Pen testing requires a professional pen tester or white-hat hacker who understands your IT system in and out, followed by creating a thorough plan to attack the system. This simulated and strategized cyberattack helps the pen tester and you know about all the vulnerabilities in the attacked segment. The whole process allows you to patch the vulnerabilities before a threat actor takes advantage of them. In simpler words, you hire a pen tester to break into your system like a malicious actor to know the existing security loopholes and vulnerabilities.
Now, in the context of DMARC, pentesting helps you validate the configuration and effectiveness of your DMARC record. With the help of a professional pentester, you can uncover potential issues like policy misconfigurations, improper alignment of SPF and DKIM, weaknesses in DNS records, etc., by allowing them to break into your email system to send phishing emails.
The three DMARC policies
Before we talk about how a pen tester conducts the test and brings the vulnerabilities to the surface, it’s important that you clearly know about the three DMARC policies.
When you create a DMARC record, you have to set one of the three DMARC policies- none, quarantine, or reject. The purpose of the set policy is to instruct the recipients’ servers on how they should deal with unauthorized and potentially fraudulent emails sent from your domain. The policies are-
None
This policy instructs recipients’ mail servers to handle unauthorized emails as usual. It is basically just for monitoring how your outgoing emails are being handled by different email service providers. You should use the ‘none’ policy only for the new DMARC records. After 2-4 weeks of monitoring, it’s better to move to stricter policies that prevent email phishing.
Quarantine
The ‘quarantine’ policy is stricter than the ‘none’ policy. It tells recipients’ servers to mark unauthorized emails sent from your domain as spam. Such emails don’t get placed in the inboxes but in the spam or junk folders.
Reject
The ‘reject’ policy is the strictest, as it tells recipients’ mail servers to stop such emails from entering the mailboxes. Emails subjected to the ‘reject’ policy bounce back to senders.
The general approach of pen testers for exploring vulnerabilities in a DMARC record
Pen testers follow a structured approach, leveraging pentesting techniques for email security and proper DNS configurations.
Reconnaissance and information gathering
The first step a pen tester takes involves understanding the current situation of your email-sending domain by gathering information about SPF, DKIM, and DMARC. They query DNS records using tools like ‘dig,’ ‘nslookup,’ or online platforms to extract the existing SPF, DKIM, and DMARC records. Then, they see which DMARC policy (none, quarantine, or reject) and SPF rules are applied in these records, along with checking the DKIM key. This helps them understand your domain’s email protection configuration and condition.
SPF and DKIM record testing
They analyze the SPF record to spot vulnerabilities, such as the use of the +all mechanism or not removing an ex-vendor’s sending source.
For DKIM, they inspect key lengths and signature algorithms to ensure they meet the best practices.
The objective of this step is to come across misconfigurations or weak SPF and DKIM rules that could allow threat actors to bypass DMARC protection.
Email spoofing and phishing simulation
They send fake emails from your domain to different mailboxes, like work or personal accounts, to see if DMARC is doing its job. If these fake emails get through, it means there’s an issue with your DMARC setup or how SPF/DKIM is aligned.
Alignment testing
In the fourth step, pen testers check if the domains used in SPF, DKIM, and the ‘From’ address align correctly, as DMARC requires. They do this by sending emails in which the SPF and DKIM signatures don’t match properly, like when an email passes SPF but fails DKIM or the other way around.
They also test cases where the domain in the ‘From’ address doesn’t match the domains used in SPF or DKIM to see if DMARC is correctly enforcing these checks.
Review of DMARC reports and logs
Pen testers review the recent DMARC aggregate (RUA) and forensic (RUF) reports to see if there is any pattern of unauthorized email sources. Analyzing these reports also helps them identify unrecognized servers that are sending potentially fraudulent emails on your behalf.
By this step, they know the anomalies, if any.
DNS record manipulation testing
The pentester attempts to manipulate DMARC records by exploiting DNS misconfigurations, such as improper delegation, weak TTL values, or cache poisoning. DNS-based attacks may also include temporarily altering the SPF, DKIM, or DMARC records to allow spoofed emails to pass authentication checks.
The outcome of the step is to be able to see if there are any DNS-related vulnerabilities that could defy the purpose of DMARC.
Report and remediation suggestions
Once the pen tester is done with the simulated attack and has spotted all the vulnerabilities, they compile a report. The report contains all the vulnerabilities they found in the process, along with the recommendations for fixing vulnerabilities and hardening the DMARC policy. They might suggest you to use the stricter DMARC policy (quarantine or reject) or leverage the ‘pct’ tag (percentage tag).
Final words
A comprehensive pentesting approach gives domain owners valuable insights into the exact situation of their email security posture. We suggest that you don’t limit the pen testing to just the emailing segment. It’s good to extend it to other parts, as cybersecurity requires a holistic and multi-angular approach.