14
Mar 16

dmarcian maintains rules to classify DMARC data into four high-level categories.  Our categories are:

  • DMARC Capable
  • Non-compliant Sources
  • Forwarders
  • Threat/Unknown

When we investigate data to add a rule, we try to identify where email is coming from and whether or not the source can be configured for DMARC compliance.  We publish the results of our investigations under a Creative Commons license on dmarc.io -- a site that dmarcian runs for the benefit of the email community.

Explanations of the four categories follow.

DMARC Capable

If we discover a source of email that is capable of sending DMARC compliant email, we'll note if the source is meeting compliance via SPF and/or DKIM.  We'll also document how the source can be configured to send DMARC compliant email.  When displayed in the dmarcian tools, DMARC Capable sources are often accompanied by statistics showing the current level of DMARC compliance for email associated with the source.

Non-compliant Sources

When we investigate a source of email and find that it is not capable of sending DMARC compliant email, the source ends up being categorized as "Non-compliant".  We do this 1) to save our users time so they don't waste their lives trying to get a source of email to send DMARC compliant email, and 2) to raise awareness of sources that haven't yet figured out how to send DMARC compliant email.  If you find yourself using a service that shows up in "Non-compliant Sources", you can refer them to "How to send DMARC compliant email on behalf of others".

Forwarders

Email forwarding is common on the Internet.  Forwarding typically happens when you send email to someone@EXAMPLE.ORG and that someone has configured their email to be forwarded someplace else, like someone@SAMPLE.NET.  People who have an email address from long ago but have decided to move to a webmail provider often fall into this category.  Other examples: people with alumni addresses that get forwarded someplace else, and mailing lists.  In all cases, from the perspective of the email receiver (the one that is generating DMARC XML reports), your email appears to be coming out of infrastructure that otherwise has nothing to do with you.

DKIM signing can survive forwarding, because the signature travels with the message and is unaffected by which server relays it.  If your domain is covered with DKIM, dmarcian's ability to detect forwarding increases.  SPF does not work in the context of forwarding, as SPF is simply a list of servers that are authorized to send on behalf of your domain, and the forwarder's server is not on that list.  It is not possible for a domain owner to maintain a list of forwarders.

dmarcian maintains a small set of rules to identify well known forwarders.  Some forwarders preserve DKIM if it is present, others appear to always break DKIM signatures.

Threat/Unknown

If we do not have a rule to classify a piece of data, we'll place that data into the "Threat/Unknown" category.  Users will sometimes find legitimate sources of email in this category.  When that happens we create rules to pull the source out.

Lastly, we maintain a small number of rules that call out specific campaigns of "Threat".  Our philosophy isn't to emphasize the different and changing ways that criminals can send fake email, though, and so these rules are generally not very useful.  Why classify the ever-changing pile of dung that criminals create, when simply blocking it all is possible?
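The following is an added example, not dmarcian's code or its real rule set, showing how the four categories above and the forwarding discussion (aligned DKIM surviving while SPF fails) can be applied to the rows of a DMARC aggregate (RUA) report.  The rule table, the source names and the report itself are constructed: the IPs come from documentation/test ranges, and the "consistent with forwarding" note is a heuristic of this example, not a claim about how dmarcian's rules work.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical rule table (NOT dmarcian's published rules): CIDR -> (category, source name).
# Anything that matches no rule falls into "Threat/Unknown", as the text describes.
RULES = [
    (ip_network("192.0.2.0/24"), "DMARC Capable", "Example Mailer (constructed)"),
    (ip_network("198.51.100.0/24"), "Forwarders", "Example Forwarder (constructed)"),
    (ip_network("203.0.113.0/24"), "Non-compliant Sources", "Example Legacy ESP (constructed)"),
]

# Constructed aggregate report with five <record> rows for the domain example.com.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.3</source_ip><count>4</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.18.0.5</source_ip><count>1</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.18.0.6</source_ip><count>30</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


@dataclass
class Classified:
    source_ip: str
    count: int
    category: str
    source_name: str
    dkim_aligned: bool   # <policy_evaluated><dkim> is the *aligned* DKIM verdict
    spf_aligned: bool    # <policy_evaluated><spf> is the *aligned* SPF verdict
    note: str

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes when either aligned identifier passes.
        return self.dkim_aligned or self.spf_aligned


def classify_ip(ip: str):
    """Look the sending IP up in the rule table; no match means Threat/Unknown."""
    addr = ip_address(ip)
    for net, category, name in RULES:
        if addr in net:
            return category, name
    return "Threat/Unknown", "unknown"


def classify_report(xml_text: str):
    """Parse an RUA report and classify each <record> row."""
    root = ET.fromstring(xml_text)
    results = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        category, name = classify_ip(ip)
        note = ""
        # Heuristic of this example: an unknown source whose aligned DKIM survived
        # while SPF failed matches the forwarding pattern described in the text.
        if category == "Threat/Unknown" and dkim_aligned and not spf_aligned:
            note = "aligned DKIM survived, SPF failed: consistent with forwarding"
        results.append(Classified(ip, count, category, name, dkim_aligned, spf_aligned, note))
    return results


def summarize(classified):
    """Per-category message totals and how many of them passed DMARC."""
    totals = {}
    for item in classified:
        bucket = totals.setdefault(item.category, {"messages": 0, "dmarc_pass": 0})
        bucket["messages"] += item.count
        if item.dmarc_pass:
            bucket["dmarc_pass"] += item.count
    return totals


if __name__ == "__main__":
    rows = classify_report(SAMPLE_RUA)
    for r in rows:
        print(f"{r.source_ip:<14} {r.category:<22} {r.source_name:<30} "
              f"pass={r.dmarc_pass} {r.note}")
    print(summarize(rows))
```

The per-category summary is the kind of compliance statistic the "DMARC Capable" section mentions; the forwarding note only fires for unmatched sources, since a source already matched by a Forwarders rule needs no heuristic.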

2 Responses for "How does dmarcian identify sources/forwarding/threat?"

  1. Thank you for this very helpful explanation of your categorization process.

    I would like to provide some feedback on part of this which continues to frustrate me. Specifically, the "SPF-authorized" section of the "DMARC capable" category includes sources which are _not_ authorized by our SPF records.

    I find myself wishing there were an entirely separate top-level category for truly SPF-aligned and/or DKIM-aligned sources rather than having them mixed in among DMARC capable sources. (This is what I imagined the old "Your sources" category was intended to be.) This would make it easier for me to see at a glance how our implementation and compliance efforts are progressing without having to dig through other reports.

    The DMARC Capable category could still include everything for the big picture view, but a way to quickly display only aligned sources would be very useful.