DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email security protocol. It verifies that a message really comes from the domain shown in its From header, building on DNS (Domain Name System), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework).
DMARC was created to prevent domain spoofing, in which attackers put an organization's domain in the From header to impersonate its staff. It adds an authentication layer on top of SMTP (Simple Mail Transfer Protocol), the standard protocol for sending email on the Internet, which by itself has no mechanism for verifying who a message is from.
It relies on two other kinds of DNS records that are also used for email authentication and delivery, SPF and DKIM, and is itself published as a resource record in the domain's DNS zone, at the name _dmarc.<domain> (for example _dmarc.example.com). All three are TXT (text) records: the SPF record sits at the domain itself and each DKIM public key at <selector>._domainkey.<domain>.
DMARC evaluation, often described as identifier alignment, happens in two steps. After the receiving server has checked SPF and DKIM, it tests whether the domain each of them authenticated matches the domain in the message's From header (alignment); it then looks up the From domain's published DMARC policy to decide what to do with a message that failed.
The DMARC record also asks receiving servers to send XML aggregate reports to the address given in the record. These reports show how mail using the domain was handled by each receiver, which lets domain owners observe all traffic that claims to come from their domain, legitimate or not.
A DMARC record therefore lets domain owners protect their domain from being used by senders they have not authorized. This matters because email is a primary channel for attacks such as phishing, spoofing, whaling, CEO fraud and business email compromise (BEC).
Email-based attacks have also eroded trust in email, even though it remains one of the most widely used ways to communicate. SPF and DKIM have been used to authenticate senders for years, but neither lets a domain owner say what should happen when a message fails, and neither reports back what receivers saw. That left domain owners without full control over how their domain and brand were used, which is the gap DMARC fills.
* Can boost reputation – Publishing a DMARC record can, in some cases, improve a domain's or brand's reputation, since it stops unauthorized parties from sending mail as the domain.
* Increased security – With DMARC, domain owners can set a consistent policy for how receivers should handle mail that did not come from an authenticated, aligned source. The email system as a whole becomes more trustworthy.
* Visibility – DMARC reports give domain owners visibility into their own email system, showing who is sending mail as their domain and whether it authenticates.
A typical DMARC record, published as a TXT record in the domain's DNS zone, has the following components:
* v=DMARC1 – the version; it must be the first tag in the record.
* p=none – the policy receivers should apply to messages from the domain that fail DMARC (none, quarantine or reject).
* rua=mailto:[email protected] – the address aggregate reports are sent to. If this address is in a different domain from the one publishing the record, that other domain must publish a TXT record at <your-domain>._report._dmarc.<report-domain> containing v=DMARC1 to authorize it, or receivers will not send reports there.
* ruf=mailto:[email protected] – the address failure (forensic) reports are sent to. Many large receivers do not send these at all.
* pct=100 – the percentage of failing messages to which the policy is applied. 100 means every failing message gets the full policy; a lower value applies the next less strict policy to the remainder (with p=reject and pct=50, roughly half of the failing messages are rejected and the rest quarantined), which allows a gradual rollout.
Comparing the From-header domain with the domain authenticated by SPF (the envelope MAIL FROM domain) and by DKIM (the d= domain in the signature) is called identifier alignment. A DMARC record can require relaxed or strict alignment, separately for SPF (aspf=r or aspf=s) and for DKIM (adkim=r or adkim=s); relaxed is the default. Relaxed alignment accepts a match on the organizational domain, so mail.example.com aligns with example.com; strict alignment requires the exact same domain.
The policy tells the receiving server what to do with messages that claim to be from the domain but fail DMARC, that is, messages for which neither SPF nor DKIM both passed and aligned with the From domain.
There are three policies:
* None
* Quarantine
* Reject
None – p=none asks the receiving server to take no special action on messages that fail DMARC; they are delivered as usual and the domain owner only receives reports. This is the monitoring mode used to start a deployment.
Quarantine – p=quarantine asks the receiving server to treat failing messages as suspicious, which in practice usually means delivering them to the Junk/Spam folder.
Reject – p=reject asks the receiving server to refuse failing messages outright, so only mail that passes SPF or DKIM with alignment is accepted.
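The record format, alignment rules and policy selection described above, as an added worked example in Python (not code from the original article). Everything in it is constructed: the record string, the domains example.com, bounce.example.com and attacker.example, and the SPF/DKIM outcomes passed in. PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List; the record is passed in as a string rather than fetched from _dmarc.<domain>.

```python
"""DMARC evaluation: parse the published record, check identifier alignment
for SPF and DKIM, and derive the disposition a receiver would apply.
Added example, not from the original article; the record, domains and
authentication results are constructed."""

# Deliberately tiny stand-in for the Public Suffix List (an assumption;
# a real evaluator must use the full list to find organizational domains).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

POLICIES = ("none", "quarantine", "reject")
# Messages not selected by pct get the next less strict policy.
PCT_FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """Parse the TXT record found at _dmarc.<domain> into a dict of tag -> value.
    Tags are ';'-separated 'tag=value' pairs; v=DMARC1 must come first and p is
    mandatory. RFC 7489 defaults are filled in for adkim, aspf, pct and sp."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p tag missing or invalid")
    rec = {"adkim": "r", "aspf": "r", "pct": "100", **tags}
    rec["pct"] = int(rec["pct"])
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    rec.setdefault("sp", rec["p"])  # subdomain policy defaults to p
    return rec


def organizational_domain(domain):
    """mail.example.co.uk -> example.co.uk (longest public suffix plus one label)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: 's' requires an exact match with the From-header
    domain, 'r' (relaxed) only the same organizational domain."""
    if not auth_domain:
        return False
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


def evaluate_dmarc(rec, record_domain, header_from, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample=0):
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= of a signature that verified (None if none did). sample stands in for
    the receiver's random draw in [0, 100): if it is >= pct the message gets the
    next less strict policy instead of the published one."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p applies to the domain the record was published for, sp to its subdomains.
    policy = rec["p"] if header_from.lower() == record_domain.lower() else rec["sp"]
    if sample >= rec["pct"]:
        policy = PCT_FALLBACK[policy]
    return "fail", policy


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; "
                             "rua=mailto:dmarc@example.com")
    # Spoof attempt: SPF passes for the attacker's own envelope domain, no DKIM.
    print(evaluate_dmarc(rec, "example.com", "example.com",
                         "pass", "attacker.example", "none", None))
```

The spoof case at the bottom is the point of DMARC: SPF itself passes, because the attacker controls attacker.example and its SPF record, but the authenticated domain does not align with the From domain, so the message fails DMARC and the published p=reject applies. Swapping adkim=s for adkim=r in the record, or passing sample=75 against a pct=50 record, shows the relaxed-alignment and partial-rollout behaviour the text describes.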
DMARC, SPF and DKIM are standards that cover different parts of email authentication. SPF lets a domain owner list the IP addresses allowed to send mail with that domain as the envelope sender (MAIL FROM). DKIM signs selected headers and the body with a private key and publishes the matching public key in DNS, so a receiver can detect whether the signed parts were altered in transit and see which domain took responsibility for the message.
DMARC ties these two standards together. It requires that the domain they authenticate aligns with the visible From domain, and it lets the domain owner state how mail that fails this authentication should be handled and where reports about it should be sent.
Though useful, DMARC is subject to a few misconceptions, and some practical points are worth keeping in mind:
* It does not protect your incoming mail from phishing in general; it protects your own domain, by letting other receivers verify that mail claiming to be from it was really sent by you. (Receivers benefit too, by enforcing the policies other domains publish.)
* Moving to a strict policy too early can cause legitimate mail to be rejected, including mail from services that send on your behalf. Start with p=none, fix alignment for every legitimate source, then move to quarantine and finally reject.
* Aggregate reports are XML and add up quickly; always use a DMARC report parsing tool to understand what they tell you.
* If in doubt, have someone with DMARC experience set up and review your records.
* Spend time identifying all legitimate senders, including third-party email providers that send on your behalf. This baseline is what you tune the record against as you tighten the policy.
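The aggregate reports mentioned earlier and the advice above to baseline legitimate senders, as an added example in Python (not code from the original article): a small parser that summarizes one rua report per source IP and flags sources that never pass. SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate schema; receiver.example, the IPs, domains and counts in it are made up, and real reports arrive as zipped or gzipped XML attachments that you would unpack first.

```python
"""Summarize a DMARC aggregate (rua) report: which source IPs sent mail with the
domain in the From header, and whether each passed DMARC.
Added example, not from the original article. SAMPLE_REPORT is a constructed
report in the RFC 7489 aggregate schema; its IPs, domains and counts are made up."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (metadata, per-source-IP summary) for one aggregate report.
    policy_evaluated/dkim and /spf are the aligned results the receiver used for
    DMARC; auth_results holds the raw outcomes, which can pass for an unrelated
    domain (third record) and still fail DMARC."""
    root = ET.fromstring(xml_text)
    meta = {"reporter": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p")}
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        s = sources.setdefault(ip, {"total": 0, "passed": 0, "failed": 0,
                                    "dispositions": set(), "raw_spf_domains": set()})
        s["total"] += count
        s["passed" if passed else "failed"] += count
        s["dispositions"].add(ev.findtext("disposition"))
        for spf in rec.findall("auth_results/spf"):
            s["raw_spf_domains"].add(spf.findtext("domain"))
    return meta, sources


def pass_rate(sources):
    total = sum(s["total"] for s in sources.values())
    return sum(s["passed"] for s in sources.values()) / total if total else 0.0


def failing_sources(sources):
    """IPs that never passed DMARC: spoofers, or legitimate senders (often third
    parties) whose SPF/DKIM still needs to be set up and aligned."""
    return sorted(ip for ip, s in sources.items() if s["passed"] == 0)


if __name__ == "__main__":
    meta, sources = summarize_report(SAMPLE_REPORT)
    print(f"{meta['reporter']} report for {meta['domain']} (p={meta['policy']})")
    for ip, s in sources.items():
        print(f"{ip:>15} total={s['total']:>5} passed={s['passed']:>5} "
              f"dispositions={sorted(s['dispositions'])} raw_spf={sorted(s['raw_spf_domains'])}")
    print(f"pass rate {pass_rate(sources):.1%}; investigate {failing_sources(sources)}")
```

Run over many reports, the per-IP table is the baseline the last tip asks for: IPs that always pass are your known senders, IPs that pass SPF for a subdomain but never DKIM (the second record) are candidates for adding a DKIM signature before you move to reject, and IPs that pass raw SPF only for some other domain (the third record) are either spoofers or a third party that has not been added to your SPF/DKIM setup.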