DMARC and Other Email Security Information From DNS: February 2021

I take many inquiries on DMARC. In preparation for my client calls, I often do a quick lookup of the client's MX, SPF and DMARC records. You can learn a surprising amount from just looking at DNS. Since I picked up some Python in my machine learning security work, my new weekend project became: "Write a Python script that gets relevant information from DNS and stores it for analysis." After some frustrating attempts to write this from scratch, I found checkdmarc, which greatly simplified my scripts. I asked my colleagues for a list of the domains of the Fortune 500 (F500) companies and started working.

Here are my most important findings, generated in February 2021 (details follow below):

- 30% of all F500 domains on my list have a DMARC record with a reject or quarantine policy
- 4% of these domains have BIMI records, and 4% use DNSSEC
- 75% of the F500 MX records point at well-known hosted secure email gateways (SEGs)

I plan to repeat this quarterly to identify trends, hopefully one of them being an upward trend in DMARC adoption. The remainder of this post has more details. If you are interested, let me know and I'll send you my scripts. Also, if you have a favorite list of domains, please send it to me and I will run my scripts. If you want to read more on email security and the role of DMARC, see "How to Build an Effective Email Security Architecture."

DMARC Policy

For my research interest, checking DMARC records and policies was the most interesting. Using checkdmarc the code is simple:

    import checkdmarc

    results = checkdmarc.get_dmarc_record(domain)
    results_str = str(results['record'])
    # use the following for the policy:
    policy = results['parsed']['tags']['p']['value']

Interestingly, 30% of the F500 domains on the list have DMARC with a reject or quarantine policy (see figure). Another 43% have DMARC, be it with p=none. Only 27% of DMARC DNS requests came up as an error or non-existent.
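As an added example (not the author's script), here is the policy classification and the reporting-vendor count described above done on the raw record text, using the same tag layout checkdmarc exposes; the records and the vendor domains in them are constructed.

```python
import re
from collections import Counter

def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify_policy(tags):
    """Bucket a parsed record as 'enforcing' (reject/quarantine), 'none' or 'invalid'."""
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"  # not a DMARC record at all, e.g. an SPF record published at _dmarc
    p = tags.get("p", "").lower()
    if p in ("reject", "quarantine"):
        return "enforcing"
    return "none" if p == "none" else "invalid"

def reporting_domains(tags):
    """Domains behind the mailto: targets in rua=, i.e. who receives the aggregate reports."""
    found = set()
    for uri in tags.get("rua", "").split(","):
        m = re.match(r"\s*mailto:[^@\s]+@([\w.-]+)", uri, re.IGNORECASE)
        if m:
            found.add(m.group(1).lower())
    return found

# Constructed records for hypothetical domains; the vendor domains are placeholders.
SAMPLE_RECORDS = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-one.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:r@vendor-one.example,mailto:r@vendor-two.example",
    "c.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:r@vendor-two.example",
    "d.example": "v=spf1 include:spf.example -all",
}

def summarize(records):
    """Count policy buckets and reporting vendors over a {domain: record} mapping."""
    policies = Counter()
    vendors = Counter()
    for record in records.values():
        tags = parse_dmarc(record)
        policies[classify_policy(tags)] += 1
        vendors.update(reporting_domains(tags))
    return policies, vendors
```

Dividing each bucket in `policies` by the number of records gives the percentages quoted in this post; a vendor appearing twice in one record's rua= is counted once for that domain.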
[Figure: DMARC policies for the Fortune 500, February 2021]

Many organizations in the F500 use third-party services for DMARC report parsing. The most popular vendors that appear in DMARC records for these organizations are Proofpoint (32%) and Agari (11%), but I identified 14 other vendors in use. The use of multiple vendors for DMARC reporting is not uncommon.

MX Records

MX records provide information on routing and SEG usage. For each domain in the F500 list, the script runs the following and drops the result in a file for later parsing:

    results = checkdmarc.get_mx_hosts(domain)
    results_str = str(results['hosts'])

Parsing applies a simple mapping from the string in the MX host record to a cloud-hosted SEG service. I manually identified 18 of these services. Analyzing IP addresses was out of scope for this exercise. Some results (February 2021):

- 75% of the F500 MX records point at a well-known hosted secure email gateway. The other 25% either have no MX record in DNS (10%) or have an unidentified SEG (15%, typically on-premises).
- Proofpoint's hosted SEG is included in most F500 MX records, with 37% of all MX records pointing at the pphosted.com domain.
- Next on the list of most popular MX records pointing at a hosted service is Microsoft: 15% of the MX records in the F500 domain list point at Microsoft.

Note that these results say nothing about on-premises SEG products or about supplemental email security solutions that are not the MX record.

SPF Records

SPF records tell something about which services are being used to send email using the organization's domains. Parsing SPF is non-trivial, but checkdmarc makes it simple. I was only interested in services that send on behalf of the domain, so I only looked for domains.
This is what my script looks like:

    import re

    results = checkdmarc.get_spf_record(domain)
    results_str = str(results['parsed'])
    # find all matches of 'domain': '<name>' (or ('domain', '<name>')) in the string form
    SPFdomains = re.findall(r"'domain'\s*[:,]\s*'(\S+)'", results_str)

I manually identified 178 email-sending services across all F500 domains. Here are some of the results from February 2021:

- The SPF blocks included most often in SPF records are from Microsoft: 41% of the F500 have Microsoft SPF blocks included. Proofpoint follows with 25%, then Salesforce at 14%.
- After that it drops to around 6% for several email (marketing) automation services, such as SendGrid, MailChimp, Pardot, Marketo and others.
- There is a long tail of services included in SPF: around 100 of the 178 services that are allowed to send on behalf of one of the F500 domains are used only once.

Azure

From the MX and especially the SPF records we already saw that adoption of Microsoft 365 is high among the F500 domains. We can do another check here, just to see whether there is an Azure tenant associated with the domain:

    import json
    import requests

    response = requests.get("https://login.windows.net/" + domain + "/.well-known/openid-configuration")
    openid = json.loads(response.text)
    tenantinfo = ''
    if "error" in openid:
        tenantinfo = "Error: No tenant"
    else:
        tenantinfo = openid['userinfo_endpoint']

Doing this reveals that a high number of F500 domains, 87%, respond with tenant info.

Other results

Incidentally, my clients ask about the use of other, less common, email security capabilities revealed through DNS. I briefly looked into two:

- BIMI records are found for 4% of the F500 domains
- DNSSEC is found for 4% of the F500 domains.
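As an added example (not the author's script) covering the MX and SPF sections above, here is the MX-to-SEG mapping and the include-domain extraction done by walking the parsed SPF structure instead of regex-matching its string form, which also picks up nested includes. The suffix table and the per-domain data are constructed; only pphosted.com and the Microsoft 365 MX suffix are real.

```python
from collections import Counter

# Constructed suffix table: pphosted.com (Proofpoint) and the Microsoft 365 MX suffix.
SEG_SUFFIXES = {
    "pphosted.com": "Proofpoint",
    "mail.protection.outlook.com": "Microsoft",
}

def seg_for_mx(hosts):
    """Return the hosted SEG vendor behind a list of MX hostnames, or None if unknown."""
    for host in hosts:
        name = host.lower().rstrip(".")
        for suffix, vendor in SEG_SUFFIXES.items():
            if name == suffix or name.endswith("." + suffix):
                return vendor
    return None

def spf_include_domains(parsed):
    """Collect every include: domain, nested ones too, from a checkdmarc-shaped
    parsed SPF dict: {'include': [{'domain': ..., 'parsed': {...}}, ...]}."""
    found = set()
    for inc in parsed.get("include", []):
        found.add(inc["domain"].lower())
        found |= spf_include_domains(inc.get("parsed") or {})
    return found

# Constructed data: MX hostnames pulled out of get_mx_hosts()['hosts']; SPF shaped like get_spf_record()['parsed'].
DOMAINS = {
    "a.example": {"mx": ["mxa-0001.pphosted.com", "mxb-0001.pphosted.com"],
                  "spf": {"include": [
                      {"domain": "spf.protection.outlook.com", "parsed": {}},
                      {"domain": "_spf.salesforce.com", "parsed": {"include": [
                          {"domain": "_spf.nested.example", "parsed": {}}]}}]}},
    "b.example": {"mx": [], "spf": {"include": []}},
    "c.example": {"mx": ["mail.c.example"],
                  "spf": {"include": [{"domain": "spf.protection.outlook.com", "parsed": {}}]}},
}

def tally(domains):
    """Bucket domains by SEG (vendor / 'unidentified' / 'no MX') and count SPF includes."""
    seg = Counter()
    spf = Counter()
    for data in domains.values():
        if not data["mx"]:
            seg["no MX"] += 1
        else:
            seg[seg_for_mx(data["mx"]) or "unidentified"] += 1
        spf.update(spf_include_domains(data["spf"]))
    return seg, spf
```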
About the author: CIO Minute