How does DMARC work with domains and subdomains in email addresses?


DMARC lets a domain owner publish, in the Domain Name System (DNS), a policy record that tells receiving mail servers how to authenticate messages claiming to come from that domain and what to do with messages that fail. How receivers apply DMARC when subdomains are involved, however, is one of the less understood parts of the standard. It may look straightforward at first, but the behavior can get complex, and there are a few critical points to grasp when dealing with subdomains. In this article we look at the first of them: how DMARC policy records are queried, i.e. which DNS TXT records receivers actually check.

Basic rules of email transmission and DMARC

Receivers look for DMARC records based on the domain in the RFC5322.From address, the header 'From' address that is shown to the user (not the envelope sender). A receiver performs only one or two DNS queries to find a DMARC record for a message.


If the From domain is a subdomain, a DMARC policy published on a parent domain applies to it only if that parent is the 'organizational domain' (see below) and no DMARC record is published for the subdomain itself. DMARC records on any other domains in the tree between the two are ignored.

Read Also: https://thepcmagazine.com/dmarc-quarantine-vs-reject-whichshould-you-use-to-protect-business-email-from-sender-fraud

The lookup procedure stops if a DMARC record is found at the first queried name, the From domain itself: no further DMARC queries are made, and the record retrieved from DNS for that domain is used for DMARC processing. If no record is found there, the receiver may look for one at a second domain. DMARC defines the concept of the 'organizational domain' to identify this second location. The formal definition is rather involved, but the procedure for identifying the organizational domain is essentially as follows:


1. Take the domain from the address in the 'From' field.
2. Look up that domain's longest matching suffix in the public suffix list. For .com, .edu and many other common TLDs, the public suffix is just the TLD itself.
3. Keep one label after the public suffix and discard the rest; the result is the organizational domain.

The sp tag

Unless a DMARC record has been published for a specific subdomain, the DMARC policy of the organizational domain applies to all of its subdomains by default. Domain owners can, however, use the "sp" tag (subdomain policy) to specify a distinct policy for all subdomains. It has the same syntax as the p tag. sp=none tells receivers that, regardless of the policy selected for the organizational domain, they should apply a policy of "none" to subdomains. With sp=quarantine receivers quarantine failing messages from subdomains, and with sp=reject they reject them.


Working with subdomains

Subdomains must be protected by an enforcement policy too. If company.com is set to p=reject but email.company.com is set to p=none, spoofers can send messages as email.company.com. In this situation, even with p=reject on the organizational domain, spoofers can impersonate the brand and cause all of the problems DMARC is supposed to prevent, because DMARC was not applied consistently across the domain. Your organization may not use any subdomains to send email, but receivers have no way of knowing that. As a result, these subdomains are just as effective as the main domain as impersonation vectors. In this respect DMARC is like sunscreen: it only works where it is applied, so you must apply it everywhere.

Read Also: https://www.reddit.com/user/emailauthio/comments/siir1l/how_dmarc_handles_subdomains_and_the_sp_tag/

Moreover, it is quite simple to do. Put p=reject on your organizational domain and do not publish a weaker policy on any subdomain. You are then fully protected, and no one can send mail as your domain without your explicit authorization. This may seem obvious, but we regularly encounter unprotected subdomains in the wild, which can negate the anti-impersonation and anti-fraud benefits of bringing DMARC to enforcement. Furthermore, if the brand-enhancing features of BIMI matter to you, you must have DMARC at enforcement on your organizational domain, without sp=none, in order to benefit from that new standard. Take precautions. Keep your brand safe. Keep your customers safe. Keep your staff safe. Don't leave your subdomains open to impersonation. Implement DMARC today using EmailAuth.
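The record lookup described above (From domain first, then the organizational domain), the sp tag handling, and the subdomain check from this section, as an added Python example that is not part of the original article or any EmailAuth tooling. DNS is replaced by a constructed in-memory table of _dmarc TXT records, the public suffix list is trimmed to a few constructed entries, and the none < quarantine < reject strictness ranking used by the audit is an assumption of this example; a real receiver would query _dmarc.<domain> over DNS and use the full list from publicsuffix.org.

```python
"""Added example: DMARC record discovery, p/sp selection and a subdomain audit.
Offline simulation: constructed DNS data and a constructed public suffix list."""

# Constructed stand-in for the public suffix list (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "edu", "org", "co.uk"}

# Constructed DNS zone data: name of the _dmarc TXT record -> record text.
DNS_TXT = {
    "_dmarc.company.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@company.com",
    "_dmarc.email.company.com": "v=DMARC1; p=none",          # weaker than the parent
    "_dmarc.shop.co.uk": "v=DMARC1; p=reject",                # no sp tag: p covers subdomains
}


def organizational_domain(domain):
    """Longest matching public suffix plus exactly one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):               # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])               # unknown suffix: assume last two labels


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None unless it is a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def lookup_dmarc(from_domain):
    """Return (record_domain, tags, names_queried). At most two queries:
    the From domain itself, then the organizational domain if different."""
    org = organizational_domain(from_domain)
    candidates = [from_domain] if from_domain.lower() == org else [from_domain, org]
    queried = []
    for name in candidates:
        queried.append(name)
        txt = DNS_TXT.get("_dmarc." + name.lower())
        tags = parse_dmarc(txt) if txt else None
        if tags:
            return name, tags, queried      # first hit ends the lookup
    return None, None, queried


def effective_policy(from_domain):
    """Policy a receiver applies to a message with this From domain that fails DMARC."""
    record_domain, tags, _ = lookup_dmarc(from_domain)
    if tags is None:
        return "none"                        # no record: nothing to enforce
    # sp only applies when the record is inherited from the organizational domain
    if record_domain != from_domain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


def audit_subdomains(org_domain, subdomains):
    """Flag subdomains whose effective policy is weaker than the organizational p=."""
    rank = {"none": 0, "quarantine": 1, "reject": 2}   # assumed strictness ordering
    org_policy = effective_policy(org_domain)
    findings = [(sub, effective_policy(sub)) for sub in subdomains
                if rank.get(effective_policy(sub), 0) < rank.get(org_policy, 0)]
    return org_policy, findings


if __name__ == "__main__":
    for d in ("company.com", "email.company.com", "news.company.com", "sub.shop.co.uk"):
        print(d, "->", lookup_dmarc(d)[2], "policy:", effective_policy(d))
    print(audit_subdomains("company.com", ["email.company.com", "news.company.com"]))
```

Running it shows that news.company.com, which has no record of its own, is covered by the company.com record but gets the sp=quarantine policy rather than p=reject, and that email.company.com's own p=none record overrides the parent entirely; both show up in the audit as weaker than the organizational policy.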

