DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication policy and reporting protocol. DMARC uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message. DMARC acts on a message only when both SPF and DKIM fail. DMARC extends previously established email authentication standards and is the only way for email senders to tell email receivers that the emails they are sending are truly from them. DMARC allows companies that send email to:
Authenticate all legitimate email messages and sources for their email-sending domains, including messages sent from their own infrastructure as well as those sent by third parties.
Gain intelligence on their email streams by learning who is sending mail from their domains. This data helps companies not only identify threats against their customers but also discover legitimate senders they may not even be aware of.
Publish an explicit policy that instructs mailbox providers what to do with email messages that fail authentication. These messages can either be sent to a junk folder or rejected outright, protecting unsuspecting recipients from exposure to attacks.
How Does DMARC Work?
DMARC ensures that legitimate email is properly authenticated against established DKIM and SPF standards.
Senders can either:
Monitor all mail to understand their brand’s email ecosystem without impacting the delivery of messages that fail DMARC.
Quarantine messages that fail DMARC and redirect them to a spam folder.
Reject messages that fail DMARC and divert them entirely from an inbox.
DMARC’s alignment feature prevents spoofing of the “header from” address by:
Matching the “header from” domain name with the “envelope from” domain name used during an SPF check
Matching the “header from” domain name with the d= domain name in the DKIM signature
To pass DMARC a message must pass either SPF authentication and SPF alignment, or DKIM authentication and DKIM alignment. A message will fail DMARC only if it fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.
Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving them visibility into which messages are authenticating and which are not.
A DMARC record is the core of a DMARC implementation; it is where the DMARC rule set is defined. The DMARC record tells email receivers whether a domain is set up for DMARC and, if so, which policy the domain owner wants to use. In essence a DMARC record is a DNS (Domain Name System) entry. One can start using DMARC by publishing a DMARC DNS record. Email receivers who have adopted DMARC will look this record up and keep track of all messages claiming to come from your domain, taking your DMARC policy into account.
The bottom line is that publishing a DMARC record empowers the organization to instruct receivers how non-compliant messages should be handled. The messages can be monitored and delivered, moved to the junk folder, or rejected.
DMARC policies:
P=NONE
Under this policy, the email receiver takes no action if emails fail DMARC authentication. Emails are delivered to the receiver’s inbox as usual, while the domain owner learns about spoofed emails from the DMARC report data.
P=QUARANTINE
Here, email receivers are instructed to treat emails that fail DMARC as suspicious: the email is delivered to the junk or spam folder, although the exact handling depends on how the user sets it up.
P=REJECT
This policy indicates that all emails that fail DMARC are rejected and not delivered to the receiver at all. Note that if a domain owner wishes to change the policy, it might take days for the new policy to propagate and take effect.
Parts of a DMARC policy
Each part of the policy is defined as follows:
_dmarc: the DNS label that identifies the TXT record as a DMARC policy.
v=DMARC1: indicates the version of DMARC used.
p=quarantine: the policy action, which is one of:
none: Do nothing / reporting only
quarantine: Treat the mail as spam
reject: Refuse mail that fails DKIM and SPF
rua=: identifies the destination address for the aggregate reports.
pct=100: specifies the percentage of traffic that should be subject to policy validation.
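The record parts above and the alignment rule from the "How Does DMARC Work?" section, as an added example that is not part of the original article: a small parser for a DMARC TXT record and a verdict function that applies the "SPF plus alignment OR DKIM plus alignment" rule. The aspf/adkim alignment-mode tags (relaxed "r" vs strict "s") are real DMARC tags not mentioned above, the organizational-domain logic is simplified (real receivers use the Public Suffix List), and all domains are constructed.

```python
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; rua=...' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 and p= are mandatory; anything else is not a usable record.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_verdict(record: Dict[str, str], header_from: str,
                  spf_pass: bool, envelope_from: Optional[str],
                  dkim_pass: bool, dkim_d: Optional[str]) -> str:
    """Return 'pass', or the p= action ('none', 'quarantine', 'reject') on failure."""
    spf_ok = spf_pass and aligned(header_from, envelope_from, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_d, record.get("adkim", "r"))
    # Either authenticated-and-aligned identifier is enough to pass DMARC.
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100")
    # Spoofed header-from with an unrelated envelope domain: neither identifier aligns.
    print(dmarc_verdict(rec, "example.com", True, "attacker.example", False, None))
```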
DMARC Reports:
As we saw in the previous section, the reports come in two types: aggregate and forensic. These reports help you ensure that you are properly authenticating your outbound email. The difference between the two is described below.
Aggregate Reports
These are XML documents showing data about the messages received that claimed to be from a particular domain. They are meant to be machine-readable.
Forensic reports
These are individual copies of messages that failed authentication, each enclosed in a full email message using a special format called AFRF. These reports are easily read by a person, too. The information they can contain includes:
Subject line
Time when the message was received
IP information
Authentication results
SPF result
DKIM result
DMARC result
From domain information
From address
Mail from address
DKIM from address
Message ID
URLs
Delivery result
The applied policy: the message could have been rejected if a reject policy was in place, quarantined, or delivered under a none policy.
ISP information
Now we know how DMARC works, what it looks like, and what information it provides. We’re pretty certain you already see how useful this could be for you, but let’s look at all the advantages in the next section.