BrianK007
asked on
What is doing the required checks on the SPF and DMARC records?
I can't find a definitive answer as to what entity is doing the checks on SPF and DMARC records. I understand the concept and the fundamental purpose, and have the records ready to submit to my ISP (who is also where we register our MX, www and https records.)
However, my boss and I have conflicting views on how this actually works under the cover. Can someone please take a minute (if you have a quick answer) and share some knowledge with me? It would be eternally appreciated!
I think our ISP does the check. The sending server has to reach out to our ISP to get our MX data. I think when that negotiation happens, it also checks if an SPF record is present. If yes, execute the check. Then it checks if there is a DMARC record present. If yes, execute the check. If DMARC determines the mail is misaligned, it forwards to the email address outlined in my DMARC record. QUESTION: Does the actual query, to ensure the records are adhered to, happen on the servers where the records are stored? Would my ISP (or DNS provider) be the one enforcing my records?
My boss is of the opinion that we need to do something on Exchange if we submit these records to our ISP. If not Exchange, to our spam/malware appliance to accommodate. His hypothesis is that the checking is either done on the sender's email server or ours. One of the mail servers.
Is my understanding of this system way off target?
Also, quick yes/no question to close: Is DMARC a widely used protocol (still today) and does it offer substantial benefit towards phishing/spear phishing attempts that appear to come from internal employees?
Thanks very much for your reading and in advance for any droplets of wisdom or links to any resources you may have to share.
To my knowledge there is no configuration done on an Exchange server for DMARC, SPF or DKIM. I have admin'ed Exchange for the last 8 years and have not run across it. My Barracuda spam appliance can and does check for SPF, and can but does not check for DKIM because of performance issues. As for DMARC itself, only the world's largest email providers use it to the extent of sending aggregate and forensic reports out to those who have DMARC configured at the domain-hosting DNS.
ASKER
Thanks for the response. What I am trying to get to the root of, really, is WHERE do these checks happen? Assume I have an SPF record and a DMARC record on file with my DNS provider.
When those files are touched by a sending mail server, the record's presence triggers a battery of examinations. These examinations have to be performed by a computer/server somewhere, against the email being sent.
What computers are executing the checks and balances outlined in the SPF/DMARC records? Where do those computations take place?
The answer I am looking for will be in some similar type of format:
1- Is it my DNS provider's servers looking at this email and ensuring the criteria outlined in my SPF/DMARC records are met? Then acting/redirecting if necessary?
This is what I initially took away from everything I have read about DMARC, but I appear to be the only one.
2- Is it the recipient mail server that "screens" this email, using the information obtained from our own ISP (where we have our records hosted)?
This seems like it would require some configuration for us on either the firewall, spam filtering or on Exchange. You said you didn't have to do anything on Exchange but did on your spam filtering device. I am not leaning towards this one, but it was in our initial brainstorming.
3- Is it the sending mail server that does an MX lookup to resolve our IP, then requires the SPF/DMARC checks and balances before further processing?
It seems like this option would require the sender to set up SPF and DMARC on their outgoing mail server for this option to be viable. This makes no sense to me, because if you were interested in scamming people, you just wouldn't set this functionality up on your outgoing mail apparatus.
Do any of these three scenarios accurately describe the way this works under the covers?
One other thing. You set these records up in the DNS of whoever is hosting your domain name. It may not be your ISP. Ours is GoDaddy.
"Is it my DNS provider's" - If they are your domain hosting service, then yes.
"It is the recipient mail server" - Only if it's a Linux server and a clever admin.
"It is the sending mail server" - No.
ASKER
Our ISP and our DNS provider are one and the same.
I think you answered my question with the generic response.
DMARC builds on SPF and DKIM, and tells ISPs like Gmail and Outlook what to do if your emails fail SPF or DKIM. ISPs will look to the DMARC record on your domain to know how they should handle mail that doesn't pass DMARC.
The ISP is the one checking these records, at the most basic level. Whether you can get more granular and configure firewalls and spam filters to use those records is another issue for another day. I am only concerned with what does this checking if I do nothing more than submit a DMARC record to my DNS provider.
Thank you for the link and taking the time to help me work through this.
ASKER
Thanks for the help!
Actually I'm wrong about this one:
The ISP of the receiving email does the check.
You're welcome, glad to help!
ASKER
Our ISP and DNS provider are one and the same. They host all of our records (MX, www, https, SPF, etc.)
Cool. Then they would be the ones doing the check.
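To make the thread's conclusion concrete, here is an added example (not posted by anyone in the thread, and not code from Exchange, Barracuda or any DNS host) that models what the receiving mail server does when a message arrives: it queries DNS for the sender domain's SPF record and the `_dmarc` record of the From: domain, evaluates them against the connecting IP, checks identifier alignment, and applies the published `p=` policy. The same receiver is also what sends aggregate reports to the `rua=` address; the DNS host only serves the records and never inspects mail. All DNS data is constructed for a hypothetical example.com so the script runs offline; SPF is reduced to ip4/ip6/all terms (no include, a, mx or redirect) and the organizational domain is approximated as the last two labels rather than using the Public Suffix List.

```python
"""Toy model of the receiving mail server's SPF + DMARC evaluation.

Constructed DNS data for a hypothetical example.com stands in for live lookups.
Simplifications: SPF handles only ip4/ip6/all terms, and the organizational
domain is taken as the last two labels instead of the Public Suffix List.
"""
import ipaddress

# Constructed zone data. The domain owner publishes this at their DNS host;
# the DNS host only serves it and never evaluates mail against it.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r",
    "bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query performed by the receiving server."""
    return FAKE_DNS.get(name.lower())


def check_spf(client_ip, mail_from_domain):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP."""
    record = lookup_txt(mail_from_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no term matched and no 'all' present


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Approximation: last two labels (real receivers consult the Public Suffix List)
    return ".".join(domain.lower().split(".")[-2:])


def aligned(authenticated_domain, header_from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return authenticated_domain.lower() == header_from_domain.lower()
    return organizational_domain(authenticated_domain) == organizational_domain(header_from_domain)


def evaluate_dmarc(client_ip, mail_from_domain, header_from_domain, dkim_pass_domain=None):
    """Return (disposition, details). disposition is the action the receiver
    takes: 'none' (deliver normally), 'quarantine' or 'reject' from the p= tag.
    dkim_pass_domain is the d= domain of a DKIM signature that already verified."""
    record = lookup_txt("_dmarc." + header_from_domain)
    if record is None or not record.lower().startswith("v=dmarc1"):
        return "none", {"dmarc": "none"}  # no policy published: receiver applies its own rules
    policy = parse_dmarc(record)
    spf_result = check_spf(client_ip, mail_from_domain)
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, header_from_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_pass_domain is not None and aligned(dkim_pass_domain, header_from_domain, policy.get("adkim", "r"))
    dmarc_pass = spf_aligned or dkim_aligned
    details = {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        "report_to": policy.get("rua"),  # where this receiver would send aggregate reports
    }
    return ("none" if dmarc_pass else policy.get("p", "none")), details


if __name__ == "__main__":
    # 1) mail from the domain's own outbound range: SPF pass and aligned
    print(evaluate_dmarc("203.0.113.25", "example.com", "example.com"))
    # 2) unrelated host using example.com in both envelope and header: SPF fail -> reject
    print(evaluate_dmarc("198.51.100.7", "example.com", "example.com"))
    # 3) third party passing SPF for its own envelope domain, not aligned with From: -> reject
    print(evaluate_dmarc("198.51.100.7", "bulkmailer.example", "example.com"))
    # 4) same third party, but carrying an aligned DKIM signature (d=mail.example.com) -> pass
    print(evaluate_dmarc("198.51.100.7", "bulkmailer.example", "example.com", "mail.example.com"))
```

Case 3 is the one that usually surprises people: SPF alone passes because the bulk mailer's envelope domain authorizes its own IPs, yet DMARC still fails because that domain does not align with the From: header. Every decision in the script is made by the receiver; nothing runs on the DNS host, and the sending server is never consulted.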