Django DMARC - Helping implement Domain-based Message Authentication, Reporting & Conformance

Implementing DMARC and managing aggregate reports

Email is essential in today's world, implementing DMARC ensures we are doing our best to ensure our email safely reaches its destination and reduce forgery and phishing. With these free tools help is at hand to deploy DMARC in three easy stages.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is bringing together two successful anti forgery tools (SPF) and DKIM to detect email spoofing.

Defending our reputation

Here at Persistent Objects we pride ourselves on impeccable service and reliability and so have always taken our reputation seriously.  By first implementing SPF then DKIM and now DMARC we help ensure our emails arrive, and keep forgeries at bay. These technologies protect our emails and our reputation by letting others know how we send our email so that when an email doesn't match our policy they can deal with it appropriately.

ISPs and businesses worldwide are increasingly turning to DMARC to protect their users from email spoofing and spam, by implementing DMARC ourselves we help everyone.

Although we can never stop someone masquerading as us, by implementing DMARC we help others in reducing phishing and spam at the same time as defending our reputation.

Reliability

Sending and receiving emails is essential to the smooth running of any business, preventing others to spoof emails purported to be from us is essential in today's connected world.

We consider it important enough to defend our reputation by discouraging others from spamming using our name as well as maintaining email reliability so have chosen to implement dmarc, spf and dkim.

Evaluation

Stage one. Before asking anyone to reject forged emails we needed to be confident that there aren't any edge cases where we might be sending any emails that could be interpreted that way.

Opting to receive aggregate dmarc reports, we get feedback on how emails purported to be from us are evaluated.

 

By implementing a dmarc policy of none and using the aggregated dmarc reports to assess where emails are coming from and their status helped us to ensure that all our outgoing email were signed (DKIM) and sent from one of our approved sources (SPF).  We can also see how many and where fraudulent emails are coming from.

It is this need for an easy to use report that offers an insight into how our emails are received that led to us developing the Django DMARC app so that we could incorporate this reporting into our regular monitoring both from an immediate implementation point of view and an ongoing one to give us comfort that errors in future changes will be noticed.

Stage two. With the comfort of reliable reporting and green lights, going from a policy of none to one of quarantine was not too difficult.

Rejecting forged emails

Asking others to reject email on our behalf is not a decision to be taken lightly, though it's essential for rejecting spam and phishing.

Stage three. The continued consistency of dkim and spf passes for our emails as well as failures for email that didn't originate from us make moving from a policy of quarantine to reject a straightforward one.  Not a decision to be taken lightly, but one where we are confident that our emails will get through and our reputation defended by those ISPs and organisations rejecting forged email on our behalf who implement dmarc.

We say to those organisations who have implemented dmarc, spf, dkim and are helping defend our reputation - Thank you.

by Alan Hicks

Django DMARC

This Django DMARC project aims to help with implementation of DMARC "Domain-based Message Authentication, Reporting & Conformance" and ongoing monitoring by importing feedback reports about messages that pass and/or fail DMARC evaluation into a more easily digested format.

Perhaps one of the main reasons DMARC is gaining traction amongst organisations of all sizes is a desire to protect their brand and reputation.  By defining and implementing a DMARC policy, an organization can help combat phishing, protect users and their reputation.

Choosing Django was an easy choice as it offers an easily built import mechanism and transformation from xml to database through to presentation.

Although it has options for importing either xml or zip files, the way it's used here at Persistent Objects is taking the email directly from SMTP and piping it through to the import routine.  Fully automatic with easy reporting.

We use Exim here and the configuration couldn't be easier

Router

dmarcreports:
  driver = accept
  condition = ${if eq{$local_part}{dmarc_report}}
  transport = trans_dmarcreports

Transport

trans_dmarcreports:
  driver = pipe
  command = "/usr/local/bin/python2.7 /path/to/manage.py importdmarcreport -"
  freeze_exec_fail = true
  return_fail_output = true

Final words

It's easier to defend a reputation and your clients from harm with DMARC.  Implementing DMARC with these three easy stages and helping others in identifying and rejecting spam sent in your name makes it easier to deliver your emails and harder for spammers to ruin your reputation.  There will always be spammers, defend your reputation and let them find easier targets.