DMARC-Related Recommendations Included in NIST Guidance on Trustworthy Email


Another important milestone was recently achieved for Domain-based Message Authentication Reporting and Conformance (DMARC), one of the PayPal Ecosystem Security team’s major undertakings in making the internet a safer, more secure place.

After several years of collaboration with the email security community, the U.S. National Institute of Standards and Technology (NIST) included recommendations for supporting DMARC in NIST’s SP 800-177, Trustworthy Email. SP 800-177 was released in September and is intended to give recommendations and guidelines for enhancing trust in email. While the audience for NIST publications is typically US federal agencies, its guidance does tend to influence other global organizations and industry tides. The recommendations for DMARC in the publication include the following:

  • Security Recommendation 4-11: Sending domain owners who deploy SPF and/or DKIM are recommended to publish a DMARC record signaling to mail receivers the disposition expected for messages purporting to originate from the sender’s domain.
  • Security Recommendation 4-12: Mail receivers who evaluate SPF and DKIM results of received messages are recommended to dispose them in accordance with the sending domain’s published DMARC policy, if any. They are also recommended to initiate failure reports and aggregate reports according to the sending domain’s DMARC policies.
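Recommendation 4-12 asks receivers to send aggregate reports back to the domain owner. The following added example (not code from NIST, PayPal or this post) parses one such report in the RFC 7489 aggregate-report XML format with Python's standard library and summarises, per sending IP, how much mail passed or failed the published policy. The report, the organisation name, the IP addresses and the counts are all constructed; the `summarize_report` and `unauthorized_sources` functions are this example's own.

```python
"""Summarise a DMARC aggregate (rua) report.

Added example; not code from NIST, PayPal or the post. The report below is a
constructed instance of the RFC 7489 aggregate-report XML; the reporter name,
IP addresses and counts are made up. Reports arrive from third parties, so a
production parser should use defusedxml rather than xml.etree directly.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.invalid</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Return reporter, published policy and per-source pass/fail counts."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    published = root.find("policy_published")
    summary = {
        "reporter": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "domain": published.findtext("domain"),
        "published_policy": published.findtext("p"),
        "sources": {},
        "passing": 0,
        "failing": 0,
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # Under policy_evaluated, <dkim> and <spf> already reflect identifier
        # alignment, so the message passed DMARC if either one is "pass".
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        entry = summary["sources"].setdefault(
            ip, {"pass_count": 0, "fail_count": 0, "dispositions": set()})
        entry["pass_count" if passed else "fail_count"] += count
        entry["dispositions"].add(evaluated.findtext("disposition"))
        summary["passing" if passed else "failing"] += count
    return summary


def unauthorized_sources(summary: dict) -> list:
    """IPs that sent mail failing DMARC for the domain: the feedback a domain
    owner uses to spot a misconfigured legitimate sender or outright spoofing."""
    return sorted(ip for ip, e in summary["sources"].items() if e["fail_count"] > 0)


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} reported on {s['domain']} (p={s['published_policy']}):")
    print(f"  passing={s['passing']} failing={s['failing']}")
    print("  sources failing DMARC:", unauthorized_sources(s))
```

A domain owner would run this over every report received at the `rua=` address and investigate any failing source that is actually one of its own mail streams (a newly added SaaS sender, a forgotten marketing platform) before the policy is tightened from `p=none` to `quarantine` or `reject`.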

DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spoofed email messages, a common phishing technique, and reject them. Users often can’t tell a real message from a fake one, and mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which might harm users. Senders are also largely unaware of problems with their own email being abused and want feedback from receivers about fraudulent messages. DMARC addresses these issues, helping email senders and receivers work together to better secure email, protecting users and brands from costly abuse.
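To make the two recommendations above and this description concrete, here is an added example (not code from NIST, PayPal or this post) that parses a DMARC TXT record as a domain owner would publish it (Recommendation 4-11) and then, given SPF and DKIM results for a message, computes the disposition a receiver should apply (Recommendation 4-12). The record, domain names and authentication results are constructed. The organizational-domain lookup is deliberately simplified to the last two labels; a real receiver consults the Public Suffix List, and `pct=` sampling is parsed but not applied.

```python
"""DMARC record parsing and disposition evaluation.

Added example (not PayPal's, NIST's or the post's code). Parses a DMARC TXT
record and derives the receiver-side disposition from SPF/DKIM results.
The record, domains and results are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "pct=100; rua=mailto:dmarc-agg@example.com")


@dataclass
class DmarcPolicy:
    policy: str            # p=  : disposition for the domain itself
    subdomain_policy: str  # sp= : disposition for subdomains (defaults to p=)
    adkim: str             # DKIM alignment mode: "s" strict or "r" relaxed
    aspf: str              # SPF alignment mode: "s" strict or "r" relaxed
    pct: int               # percentage of failing mail the policy applies to
    rua: Optional[str]     # where aggregate reports are sent


def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse a 'v=DMARC1; ...' tag list and reject records that are unusable."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcPolicy(
        policy=tags["p"],
        subdomain_policy=tags.get("sp", tags["p"]),
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
        pct=pct,
        rua=tags.get("rua"),
    )


def organizational_domain(domain: str) -> str:
    """Simplified to the last two labels; real code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between the RFC5322.From domain and the domain
    that produced an authentication pass (SPF MAIL FROM or DKIM d=)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate(policy: DmarcPolicy, from_domain: str, policy_domain: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> dict:
    """Receiver-side check. spf_pass_domain / dkim_pass_domain are the domains
    that produced an SPF or DKIM pass, or None when that check did not pass.
    policy_domain is the domain at which the DMARC record was found."""
    spf_aligned = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy.aspf)
    dkim_aligned = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, policy.adkim)
    dmarc_pass = spf_aligned or dkim_aligned
    if dmarc_pass:
        disposition = "none"
    elif from_domain.lower() != policy_domain.lower():
        disposition = policy.subdomain_policy  # record inherited from the org domain
    else:
        disposition = policy.policy
    return {"pass": dmarc_pass, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "disposition": disposition}


if __name__ == "__main__":
    pol = parse_dmarc_record(SAMPLE_RECORD)
    print(pol)
    # Spoofed From: example.com, SPF passes only for an unrelated domain,
    # DKIM signed by mail.example.com but strict adkim requires an exact match.
    print(evaluate(pol, "example.com", "example.com", "attacker.invalid", "mail.example.com"))
    # Legitimate mail with a relaxed-aligned SPF bounce domain.
    print(evaluate(pol, "example.com", "example.com", "bounce.example.com", None))
```

The interesting cases are the ones the post alludes to: a message whose SPF and DKIM both pass for domains that are not aligned with the From domain still fails DMARC, and a subdomain without its own record falls under the `sp=` policy of the organizational domain.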

Our 2015 post on the publication of DMARC within the IETF highlighted a critical step towards making it a widely adopted policy layer that builds on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). In addition to the inclusion by NIST, the U.K.’s Government Digital Service [1] and Germany’s Federal Office for Information Security [2] have incorporated similar DMARC guidance into their recommended email security posture. These global recommendations clearly indicate that DMARC is a required component of effective email security, and PayPal is proud to have led such an important initiative as DMARC, one that protects not just our company and customers, but anyone who uses email.

[1] https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc

[2] https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_098.html

Trent Adams

J. Trent Adams is a Senior Internet Security Advisor at PayPal working at the intersection of online identity, privacy, and security. Previously, he worked on Online Trust & Identity issues for the global non-profit Internet Society (ISOC).

His other claims to fame include earning three Super Bowl rings working for the New England Patriots and being an extra in Star Wars VII: The Force Awakens.