Domain-based Message Authentication Reporting and Conformance (DMARC) is a free and open technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms. By having DMARC in place, business owners large and small can fight the massive cybersecurity problems caused by phishing and reputation damage caused by spoofing.
With DMARC you can tell the world how to handle the unauthorized use of your email domains by instituting a policy in your DMARC record. The three DMARC policies are:
Monitors your email traffic. No further actions are taken.
Sends unauthorized emails to the spam folder.
The final policy and the ultimate goal of implementing DMARC. This policy ensures that unauthorized email doesn’t get delivered at all.
How does DMARC work?
DMARC is based upon the results of SPF and/or DKIM, so at least one of those has to be in place for the email domain. To deploy DMARC, you need to publish a DMARC record in the DNS.
A DMARC record is a text entry within the DNS record that tells the world your email domain’s policy after checking SPF and DKIM status. DMARC authenticates if either SPF, DKIM, or both pass. This is referred to as DMARC alignment or identifier alignment. Based on identifier alignment, it is possible that SPF and DKIM pass, but DMARC fails.
A DMARC record also tells email servers to send XML reports back to the reporting email address listed in the DMARC record. These reports provide insight on how your email is moving through the ecosystem and allow you to identify everything that is using your email domain.
Because reports are written in XML, making sense of them can be tricky, and they can be numerous. dmarcian’s platform can receive these reports and provide visualization on how your email domains are being used, so you can take action and move your DMARC policy towards p=reject.
What is a DMARC Record?
As a mission-driven company, dmarcian is focused on spreading the adoption of DMARC. Because of this, we interface with a wide range of people with varying degrees of knowledge. We thought we’d take a step back and take a look at something fundamental: What is a DMARC record?
A DMARC record is a text entry within the DNS record that tells the world your email domain’s policy when it comes to checking to see if your SPF and/or DKIM has passed or failed.
A DMARC record also tells the servers that touch your email on its way to its final destination to send XML reports back to the reporting email address listed in the DMARC record. These reports provide insight on how your email is moving through the ecosystem and allow you to identify everything that is using your email domain.
More information on publishing DMARC records can be found here.
The DMARC Record; what does it look like?
- “v=” indicates this is a DMARC record
- “p=” indicates the DMARC policy
- “rua=” indicates where data should be sent
RUA is reporting that provides an aggregate view of all of a domain’s traffic. The other option is RUF reports that are redacted forensic copies of the individual emails that are not 100% compliant with DMARC. While RUA reports show the traffic of the email, RUF reports contain snippets from the actual emails themselves. While RUA reporting is all that is needed for DMARC deployment, more advanced users may also add the RUF tag, which will send more sensitive information.
These reports are in Extensible Markup Language (XML), which isn’t easy to read:
There are tools that can translate these XML files into a human-friendly format. Services like Dmarcly, where the RUA reports can be pointed to, automatically process the reports and give you insight via a powerful dashboard to make identifying the valid uses of your email domain easier while disallowing abuse. A dmarcian account will store past reports so you can observe trends and be alerted when new threats arise.
Why Use DMARC for Email?
Email is involved in more than 90% of all network attacks and without DMARC, it can be hard to tell if an email is real or fake. DMARC allows domain owners to protect their domain(s) from unauthorized use by fighting phishing, spoofing, CEO fraud, and Business Email Compromise.
By always sending DMARC compliant email, the operator of an Internet domain can tell the world “everything I send is easy to identify using DMARC—feel free to drop fake email that pretends to be me.”
DMARC’s utility as an anti-spoofing technology stems from a significant innovation; instead of attempting to filter out malicious email, why not provide operators with a way to easily identify legitimate email? DMARC’s promise is to replace the fundamentally flawed “filter out bad” email security model with a “filter in good” model.
If you’re curious about the health of your domain or anyone’s, use this free Domain Checker for a quick check. It inspects DMARC, SPF and DKIM and tells you which actions you need to take to reach compliance.
Benefits of DMARC
If you use email, you’ll benefit by incorporating DMARC.
When strong security controls are deployed against fraudulent email, delivery is simplified, brand reliability increases and visibility is granted to domain owners on how their domains are being used around the Internet.
Disallow unauthorized use of your email domain to protect people from spam, fraud, and phishing.
Gain visibility into who and what across the Internet is sending email using your email domain.
Use the same modern plumbing that mega companies use to deliver email.
Make your email easy to identify across the huge and growing footprint of DMARC-capable receivers.
If you are interested in a fully managed email security, domain alignment, Dmarc service