Ensuring email security is critical when sending an email. Therefore, you'll have to employ an email validation system to prevent your company's email domain from being exploited by cybercrimes. This is where DMARC becomes a must-have for any domain owner. When you use DMARC to secure your email, email recipients can be confident that an email is legitimate and came from you. As a result, it substantially impacts email delivery while preventing others from sending emails from your domain.
What is DMARC?
DMARC, the Domain-based Message Authentication Reporting, and Conformance is an email authentication protocol that helps prevent unauthorized use of email domains. It was first introduced to prevent email abuse in 2012. DMARC uses SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms to decide the legitimacy of the email messages, protecting the domain from spoofing, email scamming, and phishing.
To enable DMARC in a particular domain, we have to add a DMARC record in the domain's DNS settings. A DMARC record is a DNS TXT that email senders can publish to specify the measures to take if an email fails authentication. A DMARC record contains tag-value pairs containing instructions on handling emails that are not authenticated with SPF or DKIM and where to send DMARC reports. This record enables the email receivers to understand whether DMARC authentication is available for that domain.
How Does DMARC Work?
DMARC operates through DMARC records, as mentioned above. Therefore, an email message passes as authenticated by DMARC only if SPF or DKIM, or both pass. If the email fails the check, the domain owner can instruct what procedure to execute based on the following three policies:
- none - only monitor the email traffic and perform no further actions
- quarantine - navigate the unauthorized emails to the spam section
- reject - reject the email and make sure it doesn't get delivered
The DMARC records publish in DNS under a subdomain label ''_dmarc'' (example: _dmarc.mydmain.com). Given below is an example of a DMARC record.
"v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org"
There are several vital components in a DMARC record. Considering the above example:
- "v=DMARC1" is a compulsory component that declares the DMARC version. The whole verification gets skipped if it is missing as the receiving server consistently checks for a text record starting with "v=DMARC1" to initiate a check.
- "p=none" - This "p" stands for the DMARC policy. As mentioned above, there are three policies for DMARC, none, quarantine, and reject. The domain owner can use this to tell the recipient email server what operation to perform if the DMARC fails.
- "pct=100" - To what percentage of the emails the domain owner wants to enforce the policy. This value can vary between 1 to 100.
- "rua=mailto:email@example.com" - This component informs the recipient email server where to send the reports regarding any DMARC failures. Daily aggregate reports containing individual data on each failure deliver to the domain administrator.
There are many other attributes that we can include in a DMARC record, including the aggregate report format (“rf=afrf”), how often to send reports ("ri="), and where to send forensic reports on DMARC failures ("ruf="), etc.
Why Use DMARC for Email?
Most of the network attacks all around the globe occur majorly through emails causing companies to lose millions of money. So, DMARC is an essential solution that helps prevent email spoofing and instructs the email servers on how to handle emails that fail authentication. So, the domain administrators can stay rest assured that their domain is healthy and free of unauthenticated emailing that may involve phishing or CEO fraud.
Benefits of DMARC
- It protects your email domain from being used in scams by anyone over the internet.
- It is more straightforward and fast to monitor who is sending fraudulent emails using your email domain with informative reports.
- Protect your brand's identity by preventing sending spoofed emails that may harm the brand's reputation.
- Increase email deliverability by monitoring which emails are fraudulent and which are trustworthy. Based on that, send only the unauthenticated emails to spam.
- Ensure you have complete control over every email sent by your domain and make it easier to identify any anomalies indicating possible email spoofing.
Common Misconceptions About DMARC
- DMARC is only there for security reasons - DMARC is mainly beneficial to prevent spoofing and improve security. Yet, that is not all. DMARC can help you maintain and improve the brand reputation and improve legitimate email deliverability.
- Having only a DMARC record published with "p=none" makes you safe -There is no prevention of spoof emails reaching the inboxes if you have set up a DMARC policy only to "p=none." You must see that the policy enforces "quarantine" or "reject" with the desired percentage to prevent spoofing.
- Having DMARC solves all the problems - Not quite. There may be instances where your company allows other vendors to send emails on your behalf for specific reasons or may register a new subdomain for marketing purposes. Constant observation and keeping up to date with the email ecosystem are compulsory to ensure there is no fraudulent activity.
How To Create & Setup DMARC?
- As the first step, log in to the DNS hosting provider and navigate to the section where you can create a new record. The interfaces vary depending on the hosting provider.
- Click create a new record and fill the following fields:
- Name - "_dmarc" or if the record is for a subdomain, then "_dmarc.subdomainName"
- Record Type - TXT
- Value - DMARC record (the "v=" value and "p=" value are mandatory in the record)
3. Click Create/Save button
4. Verify your DMARC setup by using a tool. (Example: Dmarcian)
What Is a DMARC Failure?
A DMARC failure occurs when the email message does not pass SPF and DKIM, making it considered illegitimate by DMARC. There are several reasons why DMARC failure occurs, such as DMARC alignment failures, not specifying a DKIM signature for your domain, email forwarding, or if your domain is spoofed.
DMARC Best Practices
- Instead of jumping straight to enforce quarantine or rejection, start with a DMARC policy of "p=none" to monitor the ecosystem for a certain period.
- Use both RUA (Aggregate) and RUF (Forensic) reports when using the DMARC reporting capabilities.
- Do not go over the SPF hard limit (10 lookups) as there are specific guidelines on the number of DNS lookups per authentication check.
- Constantly monitor your DNS and DMARC record to ensure you are up to date and improve the configurations as required.
DMARC is an essential protocol to consider as one should never underestimate the value of email security. Thank you for reading!
Frequently Asked Questions
Is DMARC free?
DMARC is free and open-source for anyone to use in their domain.
Who sends DMARC reports?
The receiving email servers generate the DMARC reports.
Is DMARC a protocol?
Yes. DMARC is a protocol that determines email legitimacy.
Who invented DMARC?
PayPal, Google, Microsoft, and Yahoo came together to create the DMARC standard.
Is DMARC mandatory?
More than a million domains use DMARC to ensure they are safe from phishing attacks and spoofing. One may acquire many benefits if DMARC is used, including improved email deliverability and enhanced safety. So, it is always the best option to use DMARC on your email domain.
Does DMARC prevent spoofing?
Yes. DMARC prevents the possibility of the email domain being spoofed by validating the emails using SPF and DKIM.
Why does DMARC fail?
Multiple reasons may cause a DMARC to fail, including neglecting to set up a DKIM signature, your domain facing a spoofing threat, using third-party service providers to send emails on your behalf, or DMARC alignment failures.
Does DMARC require both SPF and DKIM?
One can use only SPF or DKIM, but using both is highly recommended. For instance, if DKIM is not there and only SPF, in instances where emails are forwarded, SPF fails if the IP address is not in the SPF IP address list even if the email is legitimate. So, it is considered both DKIM and SPF failure in such instances and makes even the legitimate email pass unauthenticated. So, it is always best to have both SPF and DKIM with DMARC.
How to stop DMARC reports?
You can stop receiving DMARC reports by removing the `rua=mailto:` record from the DMARC record. Likewise, to stop forensic reports, remove the 'ruf=' record.