DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that verifies email senders and provides insights for enhanced email security. It allows domain owners to set domain-level policies for mail handling, including preferences for message verification, failure responses, and reporting. DMARC is described under RFC 7489 of the Internet Engineering Task Force (IETF).

DMARC helps combat email fraud and phishing attacks by allowing email recipients to determine the authenticity of a message using SPF and DKIM protocols. Based on the verification results, the domain owner's policy tells receivers whether to reject, quarantine, or deliver the email. These instructions are published in DNS by the domain owner.

DMARC Full Form

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance”. Here’s a breakdown of the components:

Domain-based: DMARC operates at the domain level.
Message Authentication: Domain owners designate authentication protocols to validate incoming emails. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are two such protocols.
Reporting: Feedback reports can be enabled within the DMARC configuration. Receiving MTAs send XML reports to a designated email address, containing DMARC aggregate or forensic data.
Conformance: Domain owners use DMARC to specify the actions receiving mail servers should take when an email fails the DMARC check.

How Does DMARC Work?

When a receiving server gets a message that claims to come from a DMARC-protected domain, it checks the message against the domain’s SPF record and/or DKIM public key, both of which are stored at the DNS level. If either check passes for a domain that aligns with the domain in the From header, the message is marked as “DMARC PASS”; if both fail, the message fails DMARC as it didn’t meet SPF or DKIM requirements. Depending on the configured DMARC policy, a failing message can be rejected, flagged as spam, quarantined, or delivered as is.
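The decision described above, written out as an added example (not code from the original page). It includes the identifier alignment check that RFC 7489 requires; the `org_domain` helper is a simplifying assumption, and all inputs are constructed.

```python
# Added example: simplified DMARC evaluation at a receiving server.
# A real receiver derives these inputs from the SMTP session, the
# DKIM-Signature header and DNS lookups; here they are passed in directly.

def org_domain(domain):
    """Naive organizational domain: the last two labels (assumption;
    real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   policy="none", aspf="r", adkim="r"):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope-sender domain SPF was checked for;
    dkim_domain is the d= domain of the verified signature.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf == "s")
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim == "s")
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Both mechanisms failed or were unaligned: apply the published policy.
    disposition = {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}[policy]
    return "fail", disposition
```

An SPF pass for an unrelated envelope domain does not count: without alignment to the From domain the message still fails DMARC.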

Once DMARC is correctly set up for your domain, you can enable DMARC reports to identify suspicious messages and take swift action to protect your subscribers.

Why is DMARC Important?

DMARC plays a crucial role in enhancing your email security efforts. While email systems have spam filters, these are ineffective against direct-domain spoofing attacks. By impersonating companies, attackers can retrieve login credentials and sensitive information. According to IBM’s Cost of a Data Breach Report, compromised credentials lead to 19% of all data breaches.

DMARC provides visibility through report-based feedback, enforces email authentication, protects against domain spoofing and phishing attacks, and helps you comply with standards required by Google, Yahoo, and PCI-DSS. BIMI also requires DMARC enforcement.

Benefits of DMARC

DMARC benefits companies by preventing impersonation attacks and reducing spam and deliverability issues. Major ESPs like Yahoo and Google require DMARC, and emails without it can be rejected. Implementing DMARC is highly recommended for compliance and security.

Email Fraud Prevention: DMARC reports help identify spoofed emails and sources impersonating you.
Improves Brand Reputation: Ensures only legitimate messages reach your recipients, enhancing your brand’s reputation.
Minimises Spam: Reduces spam in customer inboxes by blocking fraudulent messages.
Provides Visibility: Quickly identify unauthorised email senders using detailed reports.
Improves Deliverability: Increases your email’s deliverability rate by 10% over time with correct implementation.

How to Enable DMARC for Your Domain?

Setting up DMARC can be technical. Here are the general steps involved:

Assess Your Email-Sending Infrastructure: Note marketing automation platforms, customer service tools, and email delivery services.

Configure SPF or DKIM Records: Use SPF record and DKIM record generator tools to create these records. Publish the generated records on your DNS with your DNS registrar’s help.

Create a DMARC TXT Record: Sign up with Powermail to create your record using their DMARC record generator tool. Mandatory fields include protocol version “v” (always DMARC1) and policy mode “p” (configured according to your preference).

Select a DMARC Policy: Choose how email receivers should handle messages that fail DMARC checks. Options include “none”, “quarantine”, or “reject”.

Publish Your DMARC Record: Access your DNS management console, enter “_dmarc” in the Host field, and set the resource type as TXT. Keep TTL at 1 hour.

Verify Your DMARC Setup: Use a DMARC checker tool to ensure your record is valid by entering your domain name and clicking “lookup”.

What Do DMARC Records Look Like?

A DMARC record is defined in the DNS (Domain Name System) as a TXT record associated with the domain. It includes several tags specifying the policy mode and reporting options. Here’s an example:

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; sp=reject"

In this example:

“_dmarc.example.com.” refers to the specific domain where the DMARC record is set up (in this case, example.com).
“IN TXT” indicates the record type as a text record.
“v=DMARC1” signifies the protocol version.
“p=reject” sets the DMARC policy to reject, instructing receiving email servers to reject emails that fail DMARC.
“rua=mailto:” specifies the email address for aggregate reports.
“ruf=mailto:” designates the email address for forensic reports.
“sp=reject” sets the subdomain policy to reject, applying this DMARC policy to subdomains.
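The tag breakdown above can be checked mechanically. The following is an added example, not part of the original page or any vendor tool: it parses a DMARC TXT value and lists settings a defender would want to review. The function names and finding texts are hypothetical; `pct` is a standard RFC 7489 tag that the page's record does not use.

```python
# Added example: parse and lint a DMARC TXT value.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

# The record shown on this page.
PAGE_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
               "ruf=mailto:forensics@example.com; sp=reject")

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in STRENGTH:
        raise ValueError("p must be none, quarantine or reject")
    return tags

def lint_dmarc(txt):
    """Return a list of findings for a syntactically valid record."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    sp = tags.get("sp", tags["p"])  # sp defaults to the domain policy
    if sp not in STRENGTH:
        findings.append(f"sp has invalid value {sp!r}")
    elif STRENGTH[sp] < STRENGTH[tags["p"]]:
        findings.append("sp is weaker than p: subdomain mail gets a laxer policy")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so no visibility")
    if tags.get("pct", "100") != "100":
        findings.append("pct below 100: policy covers only part of failing mail")
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{key} URI is not a mailto: address: {uri.strip()}")
    return findings
```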

DMARC, SPF, and DKIM – Pillars of Email Authentication

SPF (Sender Policy Framework) lets a domain owner authorise legitimate sending servers by publishing an SPF record in the domain’s DNS. DKIM (DomainKeys Identified Mail) allows the sender to digitally sign the message with a private key; the receiver verifies the signature against the public key in the sender’s DNS records.

Combining DMARC, SPF, and DKIM Against Email Fraud

Implementing DMARC, SPF, and DKIM together provides robust protection against email spoofing and phishing attacks. This layered approach enhances email deliverability, protects your brand reputation, and improves overall security. DMARC provides valuable reporting insights, helping to identify and address email authentication failures promptly.

Should You Use SPF and DKIM if You Already Have DMARC?

Yes, it is highly recommended to use both SPF and DKIM alongside DMARC. Together, they form a powerful email authentication framework.