M3AAWG’s Best Practices Document On DMARC Authentication Checklist Aims To Reconcile Gaps And Enhance Email Security
M3AAWG has published a concise list of best practices for doing email authentication the right way.
With businesses using email as the preferred channel for internal and external communication, establishing user trust becomes crucial, and email authentication is one measure that helps establish it. The best practices document from M3AAWG (the Messaging, Malware, and Mobile Anti-Abuse Working Group) on email authentication with SPF, DKIM, DMARC, and ARC lists the most effective and efficient practices for senders, intermediaries, and receivers to get the most out of these standards.
M3AAWG Best Practices Document
Because M3AAWG's membership includes the largest mailbox providers, among them Yahoo Mail, Microsoft, and Gmail, its recommendations carry weight across the broad universe of email stakeholders.
The following are the document's key recommendations on SPF, DKIM, and DMARC for email senders; the full technical guidance, and the rationale behind each item, is in the document itself.
Sender Policy Framework – SPF
The document's SPF guidance for senders:
- Publish SPF records for both the MAIL FROM (Return-Path) domain and the EHLO/HELO hostname.
- End sending domains' SPF records in '~all' (softfail) rather than '-all', so that a message whose SPF check fails (for example after forwarding) is still evaluated by DMARC, where a valid DKIM signature can carry it.
- Do not authorize more IP addresses than the domain actually sends from.
- The domain SPF validates (the Return-Path / MAIL FROM domain) should align with the domain in the 'From' header, otherwise the SPF pass does not count for DMARC.
- Publish 'v=spf1 -all' on domains that send no email.
DomainKeys Identified Mail – DKIM
The document's DKIM guidance for senders covers signing and key management:
- Sign all outbound email with a DKIM 'd=' domain that aligns with the domain in the 'From' header.
- Follow sound key-management practice: rotate keys regularly, store private keys securely, and keep to the industry-standard minimum key sizes (RFC 8301 requires RSA keys of at least 1024 bits and recommends 2048 bits; verifiers ignore anything smaller).
Domain-based Message Authentication, Reporting, and Conformance – DMARC
The document's DMARC guidance for senders:
- Policy statements should be 'p=reject' wherever possible, and otherwise 'p=quarantine'.
- 'p=none', 'sp=none', and a 'pct' value below 100 are transitional states; the aim should be to remove them as quickly as possible.
- DMARC policy records should include a reporting tag (such as the 'rua' tag for aggregate reports), otherwise the domain owner never learns what is failing.
Why Do You Need Guidelines For DMARC, SPF, And DKIM?
M3AAWG is trying to resolve a lack of clarity about how the well-known technical requirements fit into receivers' decision-making. Filtering decisions are made with stochastic or heuristic rules: an estimated likelihood that content is malicious, behavioral analysis, spam scores, and general reputation.
Email authentication, by contrast, is binary: a check either passes or fails, and a message is either accepted or rejected. The mismatch between probabilistic decision-making and binary authentication leads to many undesirable outcomes and to authentication being deployed improperly.
The BCP (Best Common Practices) document is useful as a reference point for reconciling the two. Anyone dealing with authentication can consult its guidelines to learn the right procedure and get the best results.
The ‘No Auth, No Entry’ Concept
The email ecosystem's ultimate goal is 'No Auth, No Entry': a message is not delivered unless it is authenticated and can be attributed to a responsible sending domain. Reliable attribution is what lets anti-abuse protections such as reputation and blocking be applied to the right party.
Although authentication is now standard practice, the industry is still a far cry from 'No Auth, No Entry'. Organizations like M3AAWG provide the roadmap for making the idea a reality, and the BCP document is perhaps the first step in that direction.
DMARC Email Authentication Is Becoming Popular
SPF, DKIM, and DMARC are gaining prominence because of a significant shift in how the industry operates: today more than a million domains worldwide publish DMARC records for monitoring. M3AAWG members track adoption and publish regular research reports. Though the trend is encouraging, there is a long way to go before the desired level of penetration is reached.
The industry is clearly making the effort, but a few technical and process issues still stand in the way of deploying email authentication effectively. Many organizations deploying DMARC get as far as the monitoring level (p=none); the hurdles lie in moving on to an enforcing policy (p=quarantine or p=reject), where 'p' is the policy tag.
What Can BCP Help To Achieve?
Email authentication at enforcement prevents exact-domain impersonation, the most damaging fraud vector: an attacker who can forge a trusted user's exact email address can easily defraud the people who trust it. This is why W-2 phishing and executive impersonation are such distressing and expensive problems, and why implementing email authentication is critical.
Other fraud techniques that authentication does not address still need solutions, among them registering lookalike domains and using throwaway accounts on open-signup mail services. And even with DMARC at enforcement as M3AAWG's BCP outlines, there are ways an impersonator can still pass authentication or become entangled with other tenants of a shared sending service. M3AAWG is discussing these issues because it understands how important it is to resolve them.
By establishing the sender's identity, authentication makes email a more secure and trusted communication medium for everyone. It is not yet perfect, because of the wide gap between how receivers' technical decision-making works and how authentication actually works, and that gap is what the M3AAWG BCP document aims to close. The document is a crucial step in the right direction, giving domains (whether they send email or not) a solid foundation on which to build a robust defense in depth.