What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. It builds on two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to ensure that emails are properly authenticated against established policies in an attempt to limit fraudulent email.
How does DMARC work?
DMARC policies work by allowing domain owners to publish a policy in their DNS records that specifies which mechanisms (SPF and/or DKIM) are employed when sending emails from their domain. It also provides instructions on how to handle emails that fail authentication checks and offers a reporting mechanism to monitor and improve email authentication practices.
What are the key components of DMARC?
- SPF (Sender Policy Framework):
- SPF authentication allows domain owners to specify which mail servers (by hostname or IP address) are permitted to send email on behalf of their domain. This is done by publishing SPF records in the DNS.
- When an email is received, the receiving server checks the SPF record to verify that the email is coming from a server authorized for that domain.
- DKIM (DomainKeys Identified Mail)
- DKIM authentication adds a digital signature to the email header, which can be verified by the recipient’s mail server. This ensures that the signed parts of the email have not been altered in transit and confirms the identity of the signing domain.
- The DKIM signature is created using a private key, and the corresponding public key is published in the DNS.
- DMARC Policy
- The DMARC policy is published in the DNS as a TXT record. It specifies how to handle emails that fail SPF and/or DKIM checks (e.g., reject, quarantine, or do nothing).
- It also includes an email address to which aggregate and forensic reports should be sent.
What is the History of DMARC?
In 2010: The journey began when a group of leading organizations – including major email receivers like Microsoft, Google, AOL, Comcast, Gmail, Hotmail, NetEase, and Yahoo! Mail, as well as email senders such as American Greetings, Bank of America, Facebook, Fidelity, JPMorgan Chase & Co., LinkedIn, and PayPal – started collaborating to create a protocol to combat email fraud at internet scale.
By Spring 2011: These organizations had formed a working group to develop a method for senders to publish policies on unauthenticated emails and for receivers to provide authentication reporting.
In early 2012: The first DMARC specification was published.
By 2013: The specification was publicly circulated as an Internet Draft.
And by 2014: DMARC was moved to the Independent Submissions track.
What are the benefits of DMARC?
- Enhanced Email Security: DMARC authentication helps prevent email spoofing and phishing attacks by ensuring that only email from legitimate senders is delivered.
- Brand Protection: By preventing unauthorized use of your domain, DMARC protects your brand’s reputation.
- Improved Email Deliverability: Authenticated email messages are less likely to be marked as spam, improving deliverability rates.
- Visibility and Reporting: DMARC reports provide detailed information on email authentication, helping you monitor and improve your email security posture.
How do I implement DMARC?
Of course, if you are a PIP client, all you need to do is request DMARC implementation on your domain and email services via your PIP account representative.
- Set up SPF and DKIM on your Email Servers and DNS Records
- For instructions on this please visit – How do I set up SPF & How do I set up DKIM
- Ensure that your domain has valid SPF and DKIM records published in the DNS.
- Create a DMARC Record
- Publish a DMARC record in your DNS. A basic DMARC record might look like this:
`v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100`
Where:
- `v=DMARC1`: Specifies the DMARC version.
- `p=none`: Policy for emails that fail DMARC checks (`none`, `quarantine`, or `reject`).
- `rua`: Address to send aggregate reports.
- `ruf`: Address to send forensic reports.
- `pct=100`: Percentage of emails to apply the policy to.
- Monitor and Adjust
- Start with a `p=none` policy to monitor the impact without affecting email delivery.
- Review the reports to identify and fix any issues.
- Gradually move to stricter policies (`quarantine` or `reject`) as you gain confidence in your email authentication setup.
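As an added example (not part of the original page and not PIP's own tooling), the following Python parses a DMARC TXT record like the one above and shows how a receiving server combines the SPF and DKIM results with the `p=` policy. The function names are hypothetical, and relaxed alignment is approximated with a suffix check rather than a public suffix list.

```python
# Added example (not the page's or PIP's code); tag names follow RFC 7489.
# EXAMPLE_RECORD is the record shown on the page, with its placeholder domain.
EXAMPLE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; "
                  "ruf=mailto:dmarc-forensic@yourdomain.com; pct=100")
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' record into a dict, applying defaults.
    Raises ValueError for records a receiver would treat as absent."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the optional trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if not txt.lstrip().startswith("v=DMARC1"):  # v= must come first
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:  # p= is mandatory
        raise ValueError("p= must be one of none, quarantine, reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' also accepts a
    parent/subdomain relationship (suffix check here; real receivers use the PSL)."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (passed, action) for a message whose From: domain is from_domain;
    spf_domain / dkim_domain are the domains that passed SPF / DKIM, or None."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, record["p"]
```

Note that a message passes DMARC when either SPF or DKIM passes with an aligned domain; a `p=none` record therefore never blocks delivery, which is why it is the safe starting point for monitoring.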
DMARC Best Practices
- Regularly Review Reports: Use the DMARC reports to identify unauthorized use of your domain and adjust your policies accordingly.
- Keep DNS Records Updated: Ensure that your SPF, DKIM, and DMARC records are always up to date.
- Educate Your Staff: Make sure your team understands the importance of email authentication and follows best practices.