A time ago I got contacted by a white-hat hacker with an inquiry about the security of one of my emails. Specifically, that my DMARC record was not set up.

I immediately contacted my email provider, since I did not know if the whole thing was even legit, but I did not get a very satisfactory answer. Poking around I found that my DKIM and SPF records were set, presumably properly. I did not have too much information about the whole problem domain back then.

Since I had no idea what to do exactly, I did a simple risk analysis. With the SPF and DKIM records set properly, but without the proper DMARC, an attacker could possibly impersonate me via email, meaning they could send an email that would appear to originate from me. Or so I still believe.

This was not that much of a threat, as I am no business and many businesses are being run daily with possibly worse security problems, so I let it be. My plan at that time was to switch a mail provider soon anyway, and I thought the switch would change a thing or two, having the security related changes in mind as well.

Using TXT record for DMARC

I was doing some cleaning (of files obviously) and stumbled upon the files left over from the inquiry. Since I did not change the email provider yet, the issue of no DMARC record on my email was still there. I thought I try to fix it. In the end, it was not that difficult, but it took me some trial and error. The simplest solution is to configure DNS to include a TXT record for the _dmarc.domain.com like this:

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

I won't go into details about what the above means today. Two other notable settings I came across are:

v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]

And with forensics enabled:

v=DMARC1; p=reject; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected]

There are a few links down below that could definitely help explaining what is going on in case you stumble upon it here.

Closing words

I might need to tweak the DMARC a little bit in the future, because in technology, everything seems to constantly evolving, but for now my mails are coming through and the DMARC seems to be set-up correctly. There is however a multitude of options available and if misconfigured, they could backfire and result in all emails being rejected. I wish I have learned some tool that would work like unit tests but for email, simply to make sure everything required is always working after some changes. This feeling from programming is very addicting.

As to what the white-hat hacker did, hopefully they did not engage in a revenge for not paying him for the disclosure. I explained that I am not a business, so I have no revenue stream. In any means, I did not found any suspicious activity whatsoever regarding the issue, but it could change now that I have reporting (a feature of DMARC) set up.

But I must admire, that what they did, was quite inspiring, so to say. I believe they scraped web for emails and instead of just sending a plain spam to the obtained addresses, they instead run automated checks on the addresses and the ones that did not pass got send a personalized email with the security disclosure. Nice.