DMARC - Domain-based Authentication Reporting and Conformance
What is DMARC?
Domain-based Authentication Reporting and Conformance (DMARC) is an email security protocol which helps to protect your organization's domain against phishing, spoofing and business email compromise (BEC). It is an additional layer of security which helps to protect an organization's domain reputation. Hence it is strongly recommended that administrators configure the DMARC policy as per the organization's requirements.
What is a DMARC policy?
A DMARC policy mentions the action to be taken by email servers when the SPF/DKIM validation is a pass/fail.
What does a DMARC policy look like?
There are multiple components in a DMARC policy some of which are optional. The actual policy value varies based on your organization's requirements. Refer to the table that follows, for more details:
DMARC component | Description |
v | Mentions the DMARC policy name. |
p | Action to be taken on emails based on SPF/DKIM verification. Typical values are:
|
rua | The admin email address to whom the aggregate DMARC reports should be sent. |
ruf | The admin email address to whom the forensic DMARC reports should be sent. |
sp | Specifies the DMARC policy for subdomains. |
adkim | Alignment of DKIM. Add the desired condition:
|
aspf | Alignment of SPF. Values could be:
|
pct (optional) | Percentage of emails for which DMARC policy needs to be applied. |
Example of DMARC policy
A typical DMARC policy is as follows:
v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com; sp=none; adkim=s; aspf=s; pct=50
What is a DMARC record?
The DMARC record is a TXT record added to the domain provider's DNS manager. This DNS record shall contain the DMARC policy of the organization. Email servers will validate the emails with this record and evaluate whether the DMARC is a success or failure depending on the policy.
How DMARC works?
DMARC record is generally added only after configuring the SPF and DKIM records. DMARC builds onto the existing email authentication setup of SPF and DKIM and adds reporting to the existing email environment. Adding DMARC to the system performs two functions:
- Tell the recipient server what to do with an incoming email: Reject, quarantine, or allow delivery.
- Send a status report on emails sent through a domain to an email ID published in the DMARC record.
How DMARC helps with email delivery?
Implementing the DMARC email authentication protocol gives information on how many emails are sent from a domain, who sent these emails, and reasons for email delivery failure. The DMARC report, allows you to see how many emails were delivered, rejected, and quarantined by the receiving server. This report also highlights the problems associated with SPF and DKIM authentication.
With a substantial amount of information in hand, it becomes easier to act quickly and ensure a good email deliverability rate.
Importance of DMARC record
Businesses today use email as their primary mode of communication. With the popularity of emails, fraudulent activities such as email account breaches, phishing and spoofing have taken a toll. Your domain reputation is critical to determine whether your email lands in the recipient's Inbox or junk. Publishing a DMARC policy protects your organization's domain from unauthorized usage by fraudsters. Following are some of the benefits of adding a DMARC record:
Improve brand reliability
Configuring a DMARC record minimizes the chances of a domain being misused for malicious activities. This increases domain reputation and improves email delivery rates.
Protection against phishing attacks
DMARC record aligns your organization's domain with your email sender's identity. It is helpful to identify phishing emails sent using your domain name. Email servers will mark such emails as spam if DMARC is configured for your domain.
Spoofing protection
Spammers can send spoofed emails by modifying the "From header" with a trusted sender address of your domain. Adding a DMARC record prevents spoofing attacks by rejecting spoofed messages from reaching the recipient's inbox.
Prevent email fraud
There can be situations where emails will be sent from your domain or sub-domains for marketing purposes. DMARC record helps to authorize your legitimate sending sources. This secures the outbound emails and prevents business email compromise.
Visibility
Email servers send DMARC reports at regular intervals for outbound emails. These reports provide a detailed analysis of each email sent from your domain and the status of SPF/DKIM. This provides better visibility and control over the emails sent from your domain. You can analyze your DMARC reports in detail and get an idea of the emails sent from your domain.
Compliance
Due to the rise in email scams, regulatory bodies demand businesses stay compliant with stringent rules and regulations based on industry standards. Having control over outbound emails, not only increases brand reliability but also lets you stay compliant with the industry-specific norms.