Florian Vierke & Arne Allisat

Description

Benefits and challenges

Speakers
Arne Allisat, Head of Mail Application Security, 1&1 Mail & Media Applications

Florian Vierke, Senior Manager, Deliverability Services, Mapp Digital

Video URL

https://vimeo.com/532438946

Transcript

Florian Vierke 0:28
So, hello and welcome, everybody, first of all to the session "DMARC from senders' and receivers' perspective". And I'm very happy to do that together with Arne from a big ISP. And yeah, myself, I'm working for an ESP. So we would like to discuss the topic DMARC from both sides. Hi, Arne.

Arne Allisat 0:57
Hi. I'm really looking forward to this.

Florian Vierke 1:03
So let's kick it off. I would like to share my screen. Yeah, let's start. First of all, with the topic. I guess most of you have already heard about DMARC, or are DMARC experts already using it. But let's have a really quick reminder; we keep that short. What is DMARC? Or what's the idea behind DMARC? When we think about communication via email, then the first question is if the person we are talking to, or the person pretending to be someone, is really the person that we think it is. If you remember maybe the scene from that movie where we have a lot of women attending a stoning, because women were not allowed to actually attend stonings at that time. And, yeah, probably it's not desired by the government at the time, but at least it doesn't cause such big harm. But there are also cases where it may be worse. And if we think about today, of course, phishing and spoofing and whatever may cause harm. So that's one of the major reasons for DMARC. And, yeah, we would like to speak about the topic in five sections. First of all, instead of simply explaining DMARC, we would like to show the workflow: what does it look like, what needs to be done, and what is actually happening? Then secondly, we will speak about the benefits and challenges that DMARC brings. And again, here we were discussing this from both sides, senders and receivers. Then we speak about the report part that comes with DMARC, how that looks like and how it should be consumed. And then probably the most interesting part for all of you is the information from Arne and 1&1, because they recently launched or implemented DMARC. And he has some really, really hot first impressions; last week was go-live. So that's really new. And then last, but not least, we say goodbye, and then that's it, you've done it.
So let's start with DMARC. First of all, before the sender sends an email, he has to do some changes in the DNS for his domain name: he needs to add the information which IPs are allowed to send email. That's what we know, and as I know, all of you know about that. Then we add the information about the DKIM signature, the public key, so that the recipient can actually validate the DKIM signature. And last but not least, we can add the DMARC entry, and that includes the policy and also the reporting address. Then we can start sending email to the receiver side, and the receiver can check some information: you can check the envelope from, which is not the same as the body from, as you know, and you can also check the header from. The from, in case you don't know, is the part inside the body of the email, and that's usually what is being displayed, while the envelope from is communicated during the SMTP dialogue; that's how the servers authenticate. And in the past, these two from fields have not necessarily been equal, and DMARC is enforcing alignment. And as we have sent the email to the receiver side, I hand over to Arne. Yeah.

Arne Allisat 5:39
And the next question is then, once the email was sent and we have authentication, what do we do with that? So authentication checks, SPF and DKIM, have been around for quite a while, and also at our site. And, of course, we check the authentication status. But the question is, what do we do if something fails, and that's where DMARC comes into play. So we can check if there is a policy for the domain. And then, if there is no policy, we continue as we would have continued anyway with our local policy, but if there is a policy, next slide, please. Yeah, if there is a policy, of course, we can then use the policy to make another decision. If the authentication is okay, then we still proceed as we would have proceeded anyway. So our local policy, all the spam filtering, reputation checks, and checks whether our customer likes that mail or not, are still in place. But if the authentication fails, then we can act accordingly. And as you all know, there are basically two policies: quarantine, so we junk this email, or reject, which would allow us to even reject the mail and not even put it into the spam folder, because we all know that customers also click on mail that can be found in the spam folder. And if they still get tricked by spoofed email in there, it's dangerous to the customer. So that's what DMARC allows from a recipient's perspective.

Florian Vierke 7:13
And finally, the senders

Arne Allisat 7:15
Right. And finally, of course, sorry, yeah. And what it also allows us to do for the senders is to send data back. Sorry for that. So the interesting part for the sender, as a brand having a DMARC policy, is: what happens to my mail? And also, who was spoofing my from? So with the data you get back from the recipients that send data, you get insights, and that actually enables you as a sender to implement DMARC, and enables all the senders out there to increase coverage of DMARC, which helps us in the end,

Florian Vierke 7:53
exactly. That directly leads us to the benefits, and benefits are good, and good is green. That's why the slide is green. And, yeah, what this slide should show you immediately is that there are benefits on both sides. It's not just a win situation for the sender, or the recipient. So hopefully, what's the best part for the sender side? First of all, it is monitoring: we can check if authentication works, if all of our mail flows are working, and if what the client is actually receiving is not only sent by us, but is also authenticated correctly, an ongoing monitoring. That's really, really beneficial. And the second part, yeah, of course, we can also decide what should happen with mails that are not authenticated correctly. So as a sender, first thing, we implement it as none, then we check the reports. And once we are confident that everything we send is fine, then we can set it to reject and protect our domain. That's actually, yeah, what is good for us. And last but not least, deliverability advantages. Whether this is true or not probably depends also on the receiver side. You have just heard from Arne how they see it and how they work with it. But basically, it's a matter of implementation, and the more good stuff and good technology you implement, the better may be your reputation within

Arne Allisat 9:44
Yeah, and as a receiver the big question is, what benefit do my customers have from all that? No technology matters if our customers don't have any benefit. And so the first question I always ask is: what do my customers have from it? And as a customer, if you receive an email, it's within your eyes whether you like that email or not, aside from whether it really is ordinary spam or dangerous mail like phishing or a virus. As a receiver, you always decide: do I like that email or do I not like that email, especially today where you're receiving tonnes of marketing information, and other very important information like from your school, homeschooling, or vaccination information. Beside all the advertising you get every day floating in your inbox, you need to stay on top, and you make a quick judgement. Most likely you look at the visible from and maybe the subject, and then you already make a decision whether this mail is interesting to you, whether you omit it, whether you discard it, or even mark it as spam in the first place. And so what does authentication bring to it, and DMARC, of course, with the strict alignment you need here, domain alignment for the visible from? It actually helps our customers: if we can prove the authentication status, the customer can make a more reliable decision, and it's then sure, when he clicks on or interacts with his banking email, that this is really the banking email, or the important information he gets. And, of course, everything also comes down to reputation as a receiver. So aside from the personal judgement of the customer, whether we place an email into the inbox or spam folder or elsewhere for the customer, reputation comes into place: if you want to have a reliable domain-based reputation, of course, it needs authentication for that. And again, with alignment, with DMARC, that helps quite a lot. And of course, it also helps a little on spam and phishing.
At least if it's really spoofing from a particular domain that is protected by a DMARC policy, then it actually helps to sort out phishing and spoofing. And with all that together, that increases the possibilities for us to sort out spam and unwanted or lower-reputation email for more customers.

Florian Vierke 12:20
Okay, thanks. Let's go over to the challenges. And I don't think that challenges are disadvantages in that sense. But it's not that easy sometimes to implement. The first thing that we see quite a lot with our customers is that they are not only implementing DMARC on the sender domain that they use with us, but also on the organisational domain, parent domain, whatever you want to call it. One reason for that is that this is a requirement for BIMI. That's the next session after this one. And it absolutely makes sense to do that as well on an organisational domain level. But it's tricky, because the bigger the company is, the more mail streams are going out: the more processes send email, then probably their ticket systems and customer communication and B2B mails and shop mails and order confirmations, whatever, that's a lot of mail streams going on, and probably not all of them are authenticated correctly. And it's a challenge to find that; that's also a benefit, to see in the reports what you actually send out. Because I'm pretty sure most companies are not aware of all mail going out from that domain. And, yeah, the second challenge on my list is exactly that we cannot suggest to enforce a policy unless we have aligned everything. Because if we do that before, then we risk losing email that we send from our side. And that's definitely a challenge. And for some clients, it's also not that easy, because probably they host their mails on a server that is not supporting DKIM, for instance, and DKIM is, thank God, not a requirement for DMARC; you can also prove your authentication just with SPF. But yeah, there are other challenges, like SPF failing for forwarding. So sometimes having all these technologies in place correctly is a challenge. And last but not least, I don't know if that's a challenge or not, but you need to read the reports. You cannot just say, I implement DMARC
because it sounds secure or something. You also need to know that this means ongoing work: you will receive reports, and if you want to do that in a way that makes sense, also read them and act accordingly. How does the receiving side look like? Of course, there

Arne Allisat 15:29
are also some challenges you have to tackle once you activate DMARC, so that you apply the policies, and then you have to deal with false positives. So there is legitimate mail that comes with a good purpose, the customer wants it, but it ends up in the spam folder, or is maybe even rejected because of an authentication failure. That might happen due to forwarders and other intermediaries, or even due to bad DMARC configuration. Just on the first day of the pilot, when we activated DMARC, we saw some false positive reports from the German police that sent out responses for job applications. So it's definitely important mail; a customer doesn't want to miss that; maybe he gets an invite to a job interview or even a receipt confirmation. And it was due to a bad configuration: they used SPF only, no DKIM, the SPF configuration was wrong, maybe outdated, with the wrong IP. And so with the DMARC policy in place, the problem was there. So customers now find their mails in the spam folder where they don't belong, and the sender needs to fix this. And even in this case, the policy didn't even have a reporting address. So how do we contact them and tell them about it? There was no obvious way to contact them and say, hey, you have a DMARC problem. And false positives are always annoying to the customer, maybe even more annoying than a false negative. If you have unwanted advertising in the inbox, it's maybe annoying. But if you don't find your important email because it's sitting in the spam folder, then that's really causing a problem. Also implementation effort, especially in complex environments: with our brands, we have been on the market for quite some years. It's a complex environment; the implementation effort was quite high, and it's still ongoing. And this is quite some effort you have to tackle, and you have to communicate the purpose: what does it help us,
and what is the purpose of it, in order to be able to spend that effort on implementation. And last but not least, privacy concerns. It's about the reporting. Aside from maybe privacy laws you have in your country, like the GDPR we have in the EU, you might have a local company policy that is even stricter than that, and then you really have to make sure that with reporting you don't harm your policy or don't harm privacy regulations.

Florian Vierke 18:20
Yeah. Thanks. The two key areas that clients have problems with, or two typical mistakes: the first one is that clients activate DMARC and then suddenly get a DMARC fail and wonder if the authentication was wrong for the last five years. No, it was probably not, because you can have a perfectly authenticated mail with DKIM and SPF, but the domain alignment part can lead to a DMARC failure as well, in case the domains have not been aligned before. And that is a common mistake. And the second one is what Arne just mentioned: setting up DMARC records, and some are actually doing it with quarantine or reject, without reporting or without having checked whether all mails authenticate correctly. And yeah. And one other topic that's coming with DMARC: some people are not really aware that they receive reports. They activate DMARC and then they say, I get some text files and I don't know what to do with them. Yeah, these text files are XML files, actually. There are two kinds of reports, aggregated and forensic ones, and the forensic ones are not really relevant or existing because of data protection reasons. The aggregated ones are the ones you should receive, usually on a daily basis, aggregated for each destination that you send to. And then that tells you how many emails have been received from your domain and what the results are. It definitely makes sense to use a tool to visualise that, and this one here is without advertising anybody, so I don't mention it. The red part shows the amount of mails with failing authentication, green is correct authentication, and grey is forwarding, and forwarders are sometimes interesting because they will usually fail SPF. And then the next question is, are we actually expecting that and wanting that, and whatever we should do with it.
Anyway, so expect that you will receive reports. There are open source free tools, and also paid services out there helping you to visualise that, but it's important, for sure. And with that, we hand over to the implementation of

Arne Allisat 21:17
Yeah, thanks. So now I'm happy to give you some insights from our still hot and fresh implementation. So a few words about the company: I work for 1&1, we are a fairly big company, and I'm within the Mail & Media branch. That means we operate GMX, WEB.DE and mail.com. And I am responsible for all mail security for these brands. With GMX and WEB.DE, we have roughly a 50% market share for personal-use email in Germany, but we have presence in many other countries as well, especially in Europe: Austria, Switzerland, Italy, France, for example. And also with mail.com, a minor brand in the US. Overall, we have more than 200 recipient domains we operate, most of them on mail.com, but also GMX and WEB.DE have a bunch of domains you can have as a customer. Most of our customers are free users, or they use the advertising-free product, and some of them are also paying for it. And on all these brands, if you please go to the next slide: we are live now with DMARC on all incoming mails since last week, so since March. For now, we treat every policy that is reject or quarantine as quarantine, and we junk the mail; we are not rejecting yet. Like I mentioned earlier, first of all, it's a huge implementation effort for us to reject; actually, there's some ongoing effort we have to do. But also the strategy is to look at false positives first, because if we want to check the email, it's going to be there for the customer: he can find it in the spam folder and report it as a false positive to us. It gives us a hint where we have problems and maybe we need to get in contact with brands or senders to solve the problems first. It's also to protect our customers from getting the messy ones. Also aggregated reports, they will come; I don't have an announcement date for that. We are still working on it. But it will come. And now I have some stats for you. So how does the traffic look like on the incoming side?
If I look at an average week, I can already say 44% of all the incoming traffic has a policy we can apply to it; it's either quarantine or reject. And we see another 25% of traffic that has at least a none policy. And 31% of the traffic has no DMARC policy. But these 44% of DMARC policies we could apply come down to only 3% of the sending domains. So it's very clear to say that mostly the big brands, big ESPs, are able to implement DMARC and already have it, and they make, of course, a lot of traffic. We usually say the top 1000 from domains make roughly 80% of the inbound traffic. That's the short tail, and then we have on a daily basis another 600,000 to 800,000 from domains that send to us; it includes everything, all the junk and the ham and others. 600,000 to 800,000 from domains send us the rest, the other 20% of the traffic. And the same picture here: only a few domains make a big portion of the DMARC traffic, but also in the long tail there's a lot of good email, like I mentioned, from the German police or from your vaccinations or from your school or whatever; it's very important email. And it's clearly within the long tail. And there we have a big gap in DMARC coverage and maybe even authentication. On the next slide, I have some more stats. Because if there is no DMARC policy, that doesn't mean that there is no authentication: we have almost 90% of the traffic that has SPF and DKIM in place, some minor part only SPF or only DKIM, and only 4% of the traffic (of the traffic, not of the domains) isn't authenticated at all. So again, it's mostly in the short tail, the top senders, the biggest senders; they leverage DKIM and SPF and authenticate the traffic.

But there is still some rest, and maybe a few words about what's next, what's upcoming. I already said something about that. So one of the next things is that we will send reports, aggregated reports that are compliant with our privacy policies. And the goal here is to increase the coverage of DMARC and to help the brands to implement DMARC; the obvious and the first and best way is to provide data with standardised reports. And also, we want to go further and also reject if there is a policy. I cannot give a date for that. It's quite some effort we need to spend there, but it will come.

Florian Vierke 26:43
Okay. Thanks a lot, Arne. Very interesting. So, what else? Yeah, that's almost the end of our presentation. The question is: is DMARC now helping us answer all the open questions regarding authentication and policy and fighting phishing and spam and all of that stuff? No, obviously not. It's helping with a lot of things, mainly for the sender side, actually. It helps to protect our brand. And it's also mainly what I have mentioned, alignment, which helps so that the from address doesn't show anything different than the envelope from. Of course, all of you and we know how email works, and that there are actually two or even more possibilities to say who we are. But the average email user probably doesn't. And that's why it's important also to make this technology easy and understandable for them. Because, as I mentioned, email is for clients: when we are talking about sender and recipients, we don't only talk about Arne and myself, ESPs and ISPs; in fact, we are the technology suppliers behind that. But the real email goes from the sender, the actual sender, whether it's a client or a person, whatever, to the recipient, which may also be a person or B2B or whatever. But in fact, those two are communicating and those two need to understand the technology. What it doesn't solve at all is abuse. Because, first of all, if you receive an email from mapp.com, how do you know that mapp.com belongs to Mapp? We could also operate mapp.net or mapp.info, or I don't know, there are a lot of possibilities, and the domain is free. Nobody can prevent anybody from registering any domain, perfectly authenticating mails, and then spoofing our mails and sending out phishing and whatever; that's absolutely possible.
We have, for example, in Germany a big shop that is called Bauhaus, and if you go to bauhaus.de, you are actually not on the shop's site, you are on the site of an art gallery about Bauhaus; the official domain of that shop is another one, which nobody expects in Germany. And again, that's like the one from the stoning: it's not nice, but nothing harmful. But if the wolf comes inside our house and it's raining, that's something different; it's a different story. So how to solve that? Probably you should stay here, because that's being covered in the next session, probably, because that's the topic that we should solve. I don't know if Arne has anything to contribute. Otherwise, we are open for questions in case there is one. Arne?

Arne Allisat 30:16
No, I think, thanks. I think you said everything. And speaking out of my mind, though, it's always about the customer: protect the customer. And even if you're looking for what comes next and what is up after DMARC, there's something cool coming with BIMI that could actually help customers even more. And that's also something we are looking at, as a receiver, of course.

Florian Vierke 30:50
Okay, do we have any questions? At least we don't know how to access them.

Arne Allisat 31:00
I noticed no question so far.

Florian Vierke 31:06
Everything answered, even better. Okay. Then I would like to say thanks, everybody. Thanks to the organisers. Enjoy the next presentations. And yeah, thank you. Thanks, Arne.

Arne Allisat 31:21
Thanks. Thanks. Bye.
