This risk vector does not impact the Security Rating at this time. DMARC will only begin impacting the rating after a Rating Algorithm Update. Although we do not have a specific timeline for when this will occur, the date for the Rating Algorithm Update will be announced a minimum of 5 months prior to the update itself.
When Are DMARC Findings Generated?
A domain generates a DMARC finding only if it meets one of the criteria below:
- The domain is protected by a DMARC record.
- The domain is not protected by a DMARC record but has an MX record.
  - If an MX record is present and no DMARC record is configured, the result is a finding with the issue Record does not exist and a Bad grade.
  - If the MX record is null (the domain has no mail exchanger) and no DMARC record is present, no finding is generated, but the domain can still be used by a malicious actor to send email purporting to originate from it: by setting the From address to that domain, the attacker leads receivers to believe the message is legitimate. Publishing a DMARC record with p=reject (alongside an SPF record that authorizes no senders) tells receivers to discard such forgeries even for domains that never send mail.
How to Validate a DMARC Record
Run the command dig _dmarc.domain.com txt, replacing domain.com with the domain you are testing. We use bitsighttech.com as an example.
When reviewing the output, look at the answer section to see if any DMARC records are present.
Example Command
dig _dmarc.bitsighttech.com txt
Example Response
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> _dmarc.bitsighttech.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53320
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_dmarc.bitsighttech.com. IN TXT

;; ANSWER SECTION:
_dmarc.bitsighttech.com. 300 IN TXT "v=DMARC1; p=reject; fo=1; ri=3600; rua=mailto:dmarc@bitsighttech.com,mailto:wngm2pbd@ag.dmarcian.com; ruf=mailto:dmarc@bitsighttech.com,mailto:wngm2pbd@fr.dmarcian.com;"

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 22 21:17:09 UTC 2024
;; MSG SIZE  rcvd: 233
Alternatively, you can use third-party tools such as EasyDMARC or MXToolbox to test for a DMARC configuration.
How to Validate a MX Record
Run the command dig domain.com mx, replacing domain.com with the domain you are testing. We use bitsighttech.com as an example.
When reviewing the output, look at the answer section to see if any MX records are present.
Example Command
dig bitsighttech.com mx
Example Response
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> bitsighttech.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54783
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;bitsighttech.com. IN MX

;; ANSWER SECTION:
bitsighttech.com. 300 IN MX 10 mxb-00792c01.gslb.pphosted.com.
bitsighttech.com. 300 IN MX 10 mxa-00792c01.gslb.pphosted.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 22 21:17:24 UTC 2024
;; MSG SIZE  rcvd: 117
Any configured MX record generates a DMARC finding even if no DMARC record is configured: if an MX record is present and no DMARC record is configured, the result is a finding with the issue Record does not exist and a Bad grade.
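The two dig checks above, and the finding logic that follows from them, can be scripted. The following is an added example, not BitSight's code: it parses MX and _dmarc TXT data in dig +short format, validates the DMARC record the way a receiver would (v=DMARC1 must be the first tag and p= must be none, quarantine or reject), and then applies the page's criteria. The sample inputs are constructed from the page's example responses; the names Finding, classify_domain, dig_short and the treatment of a Null MX as "no mail exchanger" are this example's own assumptions.

```python
"""Script the page's dig checks and classify the result (added example, not BitSight's code)."""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs in `dig +short` format, modelled on the page's example responses.
SAMPLE_MX = "10 mxb-00792c01.gslb.pphosted.com.\n10 mxa-00792c01.gslb.pphosted.com.\n"
SAMPLE_DMARC = ('"v=DMARC1; p=reject; fo=1; ri=3600; '
                'rua=mailto:dmarc@bitsighttech.com,mailto:wngm2pbd@ag.dmarcian.com; '
                'ruf=mailto:dmarc@bitsighttech.com,mailto:wngm2pbd@fr.dmarcian.com;"\n')
NULL_MX = "0 .\n"  # RFC 7505 Null MX: the domain declares that it receives no mail

VALID_POLICIES = {"none", "quarantine", "reject"}


def dig_short(name: str, rrtype: str) -> str:
    """Live lookup, equivalent to the page's dig commands but with +short output.
    Used only from main(); parsing and classification below work on captured text."""
    return subprocess.run(["dig", "+short", name, rrtype],
                          capture_output=True, text=True, check=True).stdout


def parse_mx(short_output: str) -> list[tuple[int, str]]:
    """Turn `dig +short domain mx` lines into (preference, exchange) pairs."""
    records = []
    for line in short_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1]))
    return records


def parse_dmarc(short_output: str) -> Optional[dict[str, str]]:
    """Return the tag map of the first well-formed DMARC record, else None.
    RFC 7489 requires v=DMARC1 as the first tag and a p tag with a known value;
    a TXT record at _dmarc.<domain> that fails these checks is ignored by receivers."""
    for line in short_output.splitlines():
        # dig prints long TXT data as several quoted strings: "aaa" "bbb"
        txt = line.strip().strip('"').replace('" "', '')
        tags: dict[str, str] = {}
        for part in txt.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
            continue
        if tags.get("p", "").lower() not in VALID_POLICIES:
            continue
        return tags
    return None


@dataclass
class Finding:
    generates_finding: bool  # would the page's criteria produce a DMARC finding?
    issue: Optional[str]     # the page's issue text for the missing-record case
    policy: Optional[str]    # p= value when a valid record exists
    enforced: bool           # True only if a valid record asks for quarantine or reject


def classify_domain(mx_output: str, dmarc_output: str) -> Finding:
    """Apply the page's rules: a DMARC record, or an MX record without one, yields a finding."""
    # Assumption of this example: a Null MX ("0 .") counts as "no mail exchanger";
    # the page does not say how the rating treats it.
    exchangers = [ex for _, ex in parse_mx(mx_output) if ex != "."]
    record = parse_dmarc(dmarc_output)
    if record is not None:
        policy = record["p"].lower()
        return Finding(True, None, policy, enforced=policy in {"quarantine", "reject"})
    if exchangers:
        return Finding(True, "Record does not exist", None, enforced=False)
    # No MX and no DMARC: no finding, but the From: header can still be forged.
    return Finding(False, None, None, enforced=False)


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "bitsighttech.com"
    try:
        result = classify_domain(dig_short(domain, "mx"), dig_short(f"_dmarc.{domain}", "txt"))
    except (OSError, subprocess.CalledProcessError) as exc:
        sys.exit(f"dig failed: {exc}")
    print(domain, result)
```

Run it with a domain argument to query live DNS through dig; without network, classify_domain() can be fed captured dig +short text directly. Note that a domain with no MX and no DMARC record comes back with generates_finding False but enforced False as well, which is exactly the spoofable case the page warns about.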
Remediation
Depending on the remediation steps taken, a DMARC finding can either be refreshed (re-evaluated immediately) or must complete its remaining lifetime before it is removed.
Remediation options after which the finding can be refreshed:
- Update the DMARC record.
- Add a DMARC record if none existed.
Remediation options after which the finding must complete its remaining lifetime:
- Remove both the MX record and the DMARC record.
- Remove the DNS entries for the domain.