Tag Archives: email

DMARC-Related Recommendations Included in NIST Guidance on Trustworthy Email


Another important milestone was recently achieved for Domain-based Message Authentication Reporting and Conformance (DMARC), one of the PayPal Ecosystem Security team’s major undertakings in making the internet a safer, more secure place.

After several years of collaboration with the email security community, the U.S. National Institute of Standards and Technology (NIST) included recommendations for supporting DMARC in NIST’s SP 800-177, Trustworthy Email. SP 800-177 was released in September and is intended to give recommendation and guidelines for enhancing trust in email. While the audience for NIST publications is typically US federal agencies, its guidance does tend to influence other global organizations and industry tides. The recommendations for DMARC in the publication include the following:

  • Security Recommendation 4-11: Sending domain owners who deploy SPF and/or DKIM are recommended to publish a DMARC record signaling to mail receivers the disposition expected for messages purporting to originate from the sender’s domain.
  • Security Recommendation 4-12: Mail receivers who evaluate SPF and DKIM results of received messages are recommended to dispose them in accordance with the sending domain’s published DMARC policy, if any. They are also recommended to initiate failure reports and aggregate reports according to the sending domain’s DMARC policies.

DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spoofed email messages, a common phishing technique, and reject them. Users often can’t tell a real message from a fake one, and mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which might harm users. Senders are also largely unaware of problems with their own email being abused and want feedback from receivers about fraudulent messages. DMARC addresses these issues, helping email senders and receivers work together to better secure email, protecting users and brands from costly abuse.

Our 2015 post on the publication of DMARC within the IETF highlighted a critical step towards making it a widely adopted policy layer that builds on top of Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). In addition to the inclusion by NIST, the U.K.’s Government Digital Service and Germany’s Federal Office for Information Security have incorporated similar DMARC guidance into their recommended email security posture. These global recommendations clearly indicate that DMARC is a required component of effective email security and PayPal is proud to have lead such an important initiative as DMARC that protects not just our company and customers, but anyone that uses email.

[1] https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc

[2] https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_098.html

RFC Issued for DMARC


The PayPal Product and Ecosystem Security Team is pleased to announce that on March 18, 2015, the Internet Engineering Task Force (IETF) published RFC 7489 for Domain-based Message Authentication Reporting and Conformance (DMARC).

Starting in 2009, PayPal began work with several major mailbox providers to explore the effectiveness of combining common email authentication technologies in order to improve their effectiveness. Soon, other companies sharing our need to secure email as a trusted channel of communication joined the collaboration. In 2011, the experimental solution was proven effective at combatting spoofed domain email attacks, those types of attacks where the malicious actor intentionally tries to send email masquerading as coming from another domain. At this point, the group made the DMARC specification available to the public. As a review of the 3rd year since it was made public, we detailed DMARC’s broadening adoption and performance in a post on our PayPal Forward on February 18, 2015.

DMARC is essentially a policy layer that builds on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Taken together, SPF (server authorization), DKIM (message integrity), and DMARC form a robust system designed to authenticate email has having been sent from or on behalf of the claimed domain. Further, DMARC enables senders to tell receivers what to do when a message fails to authenticate and requests that receivers send information back to senders about those failures. DMARC’s policies are published in the public DNS and are available for anyone to use. The system removes guesswork from the receiver’s detection of spoofed domain messages, how to handle them, and nearly eliminates the user’s exposure to potentially fraudulent & harmful messages spoofing a protected domain.

While the work to review and update the specification will continue as needed via the IETF DMARC Work Group, the publication of RFC 7489 was a critical step in developing a stable reference point for DMARC’s credibility. Steps like this illustrate our commit to, and the value of, open standards to protect email as a trusted means of communication.

For more technical information: