DNS is the foundation for DMARC: Understanding the overlap

When the threat of SubdoMailing was newly discovered, we wrote a comprehensive guide and worked to get our impacted customers remediated within 72 hours of the discovery being published by Guardio Labs.

We are proud of what we accomplished, but through the process, we also discovered that many people don’t fully understand the overlap of DMARC and DNS. Because of the widespread nature of SubdoMailing, it is critical that security teams understand how these two protocols are related to make sure their domain is protected.

Here, we aim to give a non-technical overview of DNS and DMARC to better illustrate the interdependencies of these core pillars of email security using a castle metaphor.

DNS is the foundation for DMARC

Domains, subdomains, DNS and DMARC are all deeply interconnected. Let’s first discuss each one of these topics independently, and then cover the overlap.

Domains and Subdomains

Imagine your company website is a castle, and your domain name is the main gate. The smaller buildings and courtyards outside the main gate are your subdomains. These subdomains are like side entrances, tunnels, and even hidden entrances to your castle. 

To help you visualize our castle metaphor, we asked DALL-E for some assistance

What’s DNS?

Now imagine the DNS (Domain Name System) as the castle’s map system. It helps visitors find the main entrance (domain) and other entrances (subdomains).

When someone asks, “Where is example.com?” the DNS translates this request into a specific location (IP address). This would be equivalent to guiding the visitor to the right place inside the castle.

Similarly, if someone asks for blog.example.com, the DNS provides the exact directions to the side entrance – in this case, the blog section.

When DNS works correctly, users effortlessly reach the desired website, just like finding the right entrance on a well-maintained castle map.

What’s DMARC? 

At Red Sift, we are big fans of DMARC (Domain-based Message Authentication, Reporting, and Conformance). Building on our metaphor of a castle and map, think of DMARC as the diligent guards who protect the castle from the wrong people entering and exiting.

How DMARC works

  • Verification: Just as the guards verify the identity of messengers claiming to represent the castle, DMARC verifies emails claiming to come from the domain. It ensures that the emails are genuinely from authorized senders and not from malicious imposters.
  • Policies for Action: The guards have specific policies for dealing with messengers based on the verification requirements the organization has set:
    • None: They let the messenger pass without any special action but note down their details for review.
    • Quarantine: They detain the messenger in a secure area for further inspection, ensuring no immediate harm is done.
    • Reject: They outright refuse entry to the messenger, ensuring no fake or malicious messages reach the castle.
  • Security: The guards protect the castle from receiving harmful or unwanted packages. In the digital world, DMARC adds a layer of security by preventing phishing attacks and email spoofing, ensuring that only verified emails reach their intended recipients.

The Overlap of DNS and DMARC

DMARC policies live in the DNS. DMARC checks DNS to verify the policy, sees if a given domain is allowed to send emails on your behalf (through SPF) and if it’s been tampered with (through DKIM).

Said another way – the castle map (DNS) guides the emails to the correct domain, while the diligent guards (DMARC) ensure that only legitimate emails gain access to the inbox.


Confused about DMARC? Check out our email security guide.

Exploiting Poor DNS Hygiene to Bypass DMARC

In the case of SubdoMailing, bad actors proved that even organizations with the highest levels of DMARC enforcement (p=reject) can still be victims to bad actors sending fraudulent mail from their domain if their DNS hygiene is poor.

Revisiting our metaphor one last time – what happens if the map is up to date but the guards have forgotten about one of the secret entrances and left it unlocked and unprotected? This is akin to poor DNS hygiene, where DNS records are not properly maintained, allowing cybercriminals to take control of these secret entrances and get past the guards undetected.

Poor DNS hygiene enables bad actors to bypass security measures and deliver malicious emails to unsuspecting recipients because it looks legitimate.

Introducing DNS Guardian – Now in Red Sift OnDMARC

We know with the SubdoMailing attack being widespread, bad actors are capitalizing on poor DNS hygiene. We are compelled to give our customers the tools they need to protect their domains from takeover, abuse, and supply chain attacks.

That’s why today, we are pleased to announce DNS Guardian – a new feature available in OnDMARC that helps users continuously monitor and manage DNS hygiene.

Get all the details on DNS Guardian here.

PUBLISHED BY

Rebecca Warren

25 Jun. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
News

Meet Red Sift Radar: The Skilled Up LLM That Finds and Fixes…

Rahul Powar

After months of beta testing and feedback, we are excited to announce that Red Sift Radar, our skilled up LLM offering seamless integration with Red Sift OnDMARC, is now commercially available.  With Red Sift Radar, security teams can detect exposures, prevent configuration drift, and classify assets or suspicious activity without adding additional headcount. By…

Read more
News

G2 Fall 2024 Report: Red Sift OnDMARC Wins Big

Francesca Rünger-Field

We’re delighted to share that Red Sift OnDMARC’s winning streak continues. This Fall, we’ve once again been named a Leader in G2’s DMARC category, achieving recognition in both the overall Leader category and Europe for the first time. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more