What Is DMARC in Email?

What Is DMARC in Email?
Yurii Bitko Yurii Bitko 13 october 2023, 12:27 323
For beginners

There are over 4.2 billion active email users worldwide, and this figure is projected to be about 5 billion by 2030. Email remains the most popular form of online communication, making it the common target for malicious actors. Hackers, spammers and phishers often aim at impersonating trusted email sources to trick unsuspecting users into giving them their money or sensitive information.

Luckily, mail users can protect themselves with email authentication techniques; DMARC is one of them.

What Is DMARC In Email?

Impersonation is a common trick of hackers, spammers, phishers, and other malicious actors. They spoof legitimate domains and send emails to unsuspecting customers to trick them into giving away sensitive information. If the recipient is not vigilant, they might fall for the trick.

DMARC helps you protect your customers from interacting with fraudulent parties. The customer’s email server will either reject the false email or attach a warning for the recipient that the message may not be authentic.

DMARC is an abbreviation for Domain-based Message Authentication, Reporting, and Conformance. It works as a part of an email authentication framework. Email authentication is a collection of techniques which help mail users verify that an email has really originated from a particular domain. DMARC allows organizations to tell a receiving mail server what to do if an email pretends to be sent from their domain but fails the authenticity check.

DMARC doesn’t work alone. It is built on top of two other email authentication protocols: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). You can’t set up DMARC without first implementing SPF and DKIM.

How DMARC Works With SPF and DKIM

As we’ve said, DMARC doesn’t work alone. It is based on the actual email authentication techniques, SPF and DKIM. DMARC is not an email authentication protocol by itself; instead, it tells mail servers which action to take if they can’t validate an email using SPF and DKIM. Let’s first see how these two technologies work.

Sender Policy Framework (SPF)

Imagine you’re hosting a conference, and you give the door attendant a list of all your expected guests. When someone arrives, the attendant checks if their name is on the guest list. If the guest’s name is on the list, they can go in. If the guest’s name is not on the list, but they claim to have been invited, the attendant might just deny entry or, alternatively, call for your attention. This illustration is analogous to how SPF works together with DMARC.

An SPF record defines the list of IP addresses allowed to send emails on behalf of your domain. Whenever a mail server receives an inbound message claiming to come from your domain, it queries the DNS (Domain Name System) database for the IP addresses of mail servers authorized to send messages on your behalf. If the IP address of the sending server matches the SPF record, the message is deemed authentic. If the check fails, the server refers to your DMARC policy for further action.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is another protocol for authenticating emails. Just like SPF, it involves adding an entry to your DNS records.

DKIM uses corresponding public and private keys to digitally sign emails. You post the public key as a DNS TXT entry on your domain settings and use the private key to digitally sign certain technical headers in your messages.

If a mail server receives your message, it notes the digital signature in your email’s DKIM header. It then queries the DNS system for the domain’s public key and uses it to verify the signature. If the check passes, the receiving server deems the message authentic and allows it to go through. If not, the server refers to your DMARC record for further actions.

How Does DMARC Work?

Again, DMARC involves publishing a special TXT record in the DNS database. This publicly accessible record tells mail servers what action to take if they can’t authenticate an email that claims to come from your domain.

SPF and DKIM are the two protocols mail servers use to authenticate emails. If someone sends an email claiming to originate from your domain, the recipient’s mail server runs SPF or DKIM checks to verify that it actually came from your domain and not an impersonator. If the receiving server cannot verify the authenticity of an email, it won’t be sure what actions to take. However, a DMARC record tells the incoming server what exactly to do.

The technique offers three ways to deal with emails that do not pass the authentication check. In certain cases, for instance, when you’re making major modifications to your domain’s DNS records, you may temporarily want to allow any email in, even if it does not pass the checks. Most often, however, you’ll instruct the receiving server to either discard the message or quarantine it (that is, put it into a spam folder).

DMARC records also contain an email address to which servers can send reports if they fail to authenticate any email supposedly coming from your domain. This report will alert you to potential impersonation issues you can warn your customers about.

What Are the Benefits of DMARC?

DMARC allows domain owners to prevent malicious actors from spoofing and impersonating their domains. It’s so essential now that many countries have mandated government agencies and contractors to implement DMARC.

The benefits include:

  • Reputation: Publishing a DMARC record prevents people from impersonating your domain. This protects your reputation, which would be hampered if a hacker impersonates you and tricks your customers.
  • Email deliverability: It helps organizations establish a firm policy for emails that aren’t authenticated. This, in turn, eliminates spam reports and improves email deliverability.
  • Visibility: You can get detailed reports and know whenever someone attempts to send an email from your domain.

Adding DMARC Records For Your Domain

A DMARC record looks like this:

  • v=DMARC1;p=reject;rua=mailto:dmarc@myschoolsupplies.co;
    ruf=mailto:dmarc@myschoolsupplies.co;rf=afrf;pct=100

Let’s break down what’s in here.

“v=DMARC1” indicates the version of DMARC currently in use, which the receiving mail server should run a check for. If the record doesn’t begin with this entry, the server won’t know which version to adhere to.

“p=reject” is the action a receiving server should take when it detects an inbound email claiming to come from our domain that yet can’t be validated. You can choose any of these three instructions:

  • p=none: The server will not perform any action, but it'll still send reports of any failed authentication.
  • p=quarantine: The receiving server isolates the email, usually by sending it to the spam folder.
  • p=reject: The server automatically rejects any invalidated email. Only authenticated emails will be allowed into the recipient’s inbox.

“pct=100”

This part tells the receiving server whether to apply your DMARC policy to all failed messages or only part of them. You can choose any percentage value from 1 to 100.

“rua=mailto:dmarc@myschoolsupplies.co”

This text points the server to the email address you want to collect aggregate reports. The report of all DMARC failures for each day gets aggregated and sent to this email address.

“ruf=mailto:dmarc@myschoolsupplies.co”

This part points the server to the email address where you want to collect forensic DMARC reports. Forensic reports contain minute details on every DMARC failure the server gets. The report is sent immediately after the server detects an issue, allowing you to tackle possible impersonation or check if it’s a false positive.

The domain of this email address must be the same domain for which you published the DMARC record.

“rf=afrf”

This text defines the format in which you want to receive DMARC reports. "AFRF" means “aggregate failure reporting format," the default format for DMARC reports.

The record doesn’t end there. You can still add optional segments like:

  • “sp=”tells the receiving mail server which DMARC policy should apply to subdomains.
  • “adkim=”sets the DKIM authentication to either "s" for strict or "r" for relaxed. Strict means DKIM will only validate an email if the "d=" value in the DKIM email header matches the "from" domain. Relaxed means DKIM will validate the message if the “d=” value matches the root domain of the sending email address.
  • “ri=”sets intervals on how often you want to receive aggregate DMARC reports.

In the sample DMARC record, we want to protect our example domain, “myschoolsupplies.co”. Hence, we’ll log into our domain registrar and add the record as a DNS entry.

We use Namecheap, which makes managing our domain’s DNS settings easy. The procedure will be similar for any other registrar.

Here’s how the DMARC record will look in your account. “@” designates the root domain and the DMARC record will be the value, as shown below:

DMARC FAQs

What Is a DMARC Record?

It is a DNS record that specifies how mail servers should react when they receive an email that claims to come from your domain but fails authentication check. It’s a publicly accessible entry that any mail server can fetch from your DNS records and treat the unauthenticated emails just the way you want.

How Does DMARC Work?

Your DMARC record is an instruction for receiving email servers. It tells the servers what action to take if they try to authenticate an email claiming to come from your domain and come up short. They will either let the message in, quarantine it or reject it. You as the domain owner will be informed of all such cases via email report.

What Are the Advantages of Implementing DMARC?

Implementing DMARC helps you protect your brand reputation. This protocol prevents fraudulent messages from malicious actors from getting to your customers and causing them harm. It maintains your brand reputation because hackers can’t impersonate you and use your domain identity for nefarious purposes.

Conclusion

We have explained what DMARC is, how it works, and how to add a DMARC record for your domain. DMARC protects your brand from hackers, spammers, phishers and other malicious actors seeking to impersonate you and trick your customers into giving them sensitive information or money.

But above all, ensure you choose a secure and reliable email service provider (ESP) like UniOne. No matter how solid your authentication protocols are, if the platform you’re sending emails from can be easily compromised, hackers will take advantage of its weakness. UniOne offers secure and reliable email services for an affordable price.

Related Articles

Blog
For beginners
Email Authentication: SPF, DKIM, and DMARC
Email authentication technologies — what are they? Learn about SPF, DKIM, and DMARC settings for emails and find out how they work in our UniOne blog article.
Alex Kachalov
13 october 2022, 11:136 min