DMARC is designed to fit into an organization's existing inbound
email authentication process. It helps an email receiver determine
whether the domain a message claims to come from (the RFC5322.From
header that the user sees) "aligns" with what the receiver has already
verified about the sender through SPF and DKIM. If it does not, the
domain owner's published DMARC policy tells the receiver how to handle
the "non-aligned" message. For example, assuming that a receiver
deploys SPF and DKIM, plus its own spam filters, the flow may look
something like this:
In the above example, testing for alignment according to DMARC is
applied at the same point where ADSP would be applied in the flow. All
other tests remain unaffected.
At a high level, DMARC is designed to satisfy the following requirements:
- Minimize false positives.
- Provide robust authentication reporting.
- Assert sender policy at receivers.
- Reduce successful phishing delivery.
- Work at Internet scale.
- Minimize complexity.
It is important to note that DMARC builds upon the DomainKeys
Identified Mail (DKIM, RFC 6376) and Sender Policy Framework (SPF,
RFC 7208) specifications from the IETF rather than introducing a new
authentication mechanism: it adds only the alignment test and the
policy and reporting layer on top of their results. DMARC is designed
to replace ADSP (Author Domain Signing Practices, RFC 5617) by adding
support for:
- wildcarding or subdomain policies (a separate subdomain policy via the sp= tag),
- non-existent subdomains (which fall back to the organizational domain's record),
- slow rollout (e.g. percent experiments via the pct= tag),
- SPF as a second authentication path alongside DKIM,
- quarantining mail (p=quarantine, in addition to none and reject).
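To make the alignment test and the policy features above concrete, here is a small model of a receiver's DMARC evaluation. It is an added example written for this post, not code from the original page or from the DMARC project. It parses a DMARC TXT record, tests identifier alignment between the From domain and the SPF/DKIM-authenticated domains, and derives a disposition, exercising the sp=, pct= and quarantine features. The DNS records are constructed samples embedded in a dict instead of real lookups, and the organizational-domain rule is simplified to "last two labels" (a real receiver consults the Public Suffix List); the `example.com` / `example.net` / `attacker.test` names are placeholders.

```python
import random
from typing import Optional, Tuple

# Constructed sample records standing in for TXT lookups at _dmarc.<domain>.
DNS = {
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; sp=reject; pct=50; "
                           "adkim=r; aspf=s; rua=mailto:dmarc@example.com"),
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for the example; real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_record(txt: str) -> Optional[dict]:
    """Parse 'tag=value; tag=value' into a dict, filling in DMARC defaults
    (relaxed alignment, pct=100). Returns None unless v=DMARC1."""
    rec = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip().lower()] = value.strip()
    return rec if rec.get("v", "").upper() == "DMARC1" else None


def lookup_policy(from_domain: str) -> Tuple[Optional[dict], bool]:
    """Policy discovery: try the From domain itself, then the organizational
    domain. The second flag says whether the org-domain record was used, which
    is when sp= (the subdomain policy) applies; this is also how a non-existent
    subdomain still gets a policy."""
    txt = DNS.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_record(txt), False
    org = org_domain(from_domain)
    if org != from_domain.lower():
        txt = DNS.get("_dmarc." + org)
        if txt:
            return parse_record(txt), True
    return None, False


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match with the From
    domain, relaxed (r) needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(from_domain: str,
             spf_domain: Optional[str] = None, spf_pass: bool = False,
             dkim_domain: Optional[str] = None, dkim_pass: bool = False,
             sample: Optional[int] = None) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf_domain is the RFC5321.MailFrom domain SPF checked; dkim_domain is the
    d= of a verified signature. `sample` (0-99) stands in for the receiver's
    random draw against pct=; it is a parameter so results are reproducible."""
    rec, used_org_record = lookup_policy(from_domain)
    if rec is None:
        return "none", "none"          # no DMARC record: nothing to enforce
    spf_ok = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"          # one aligned pass is enough
    policy = rec.get("sp", rec["p"]) if used_org_record else rec["p"]
    # pct= sampling: failing messages outside the sampled share get the next
    # less severe policy, so a sender can roll out reject gradually.
    pct = int(rec["pct"]) if rec["pct"].isdigit() else 100
    draw = random.randrange(100) if sample is None else sample
    if draw >= pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    # A spoof: SPF passes for the attacker's own bounce domain, but that domain
    # does not align with the From domain the user sees, so DMARC fails.
    print(evaluate("example.com", spf_domain="attacker.test", spf_pass=True, sample=10))
```

The spoof case at the bottom is the whole point of alignment: SPF alone would report a pass, because the attacker controls `attacker.test` and publishes a valid SPF record for it; DMARC ties the check to the From domain instead, so the message fails and example.com's p=quarantine applies.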