How does DMARC work: why you should use DMARC?
Protecting your email domain does more than prevent attackers from sending embarrassing emails on your behalf. It also helps you build a trusted relationship with business partners and employees by assuring them that their information is secure. Research shows that phishing is the most common type of cyber-attack, having increased by as much as 250% within the last year according to Microsoft’s Security Intelligence Report. What is DMARC, and how does DMARC work? Here’s what you need to know.
With access to your personal information, phishers can scam you out of thousands of dollars and damage your business reputation. Legitimate mail from an unprotected domain is also more likely to go undelivered. DMARC helps secure your domain by providing email authentication that protects your data.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It’s an email authentication protocol that builds on the SPF and DKIM protocols to help protect and monitor your domain against fraudulent activity, including phishing and spoofing.
DMARC allows organizations to establish instructions that receiving mail servers must follow. While DKIM and SPF have been around for a while, they are usually not enough to fully protect your domain. For this reason, engineers from Microsoft, PayPal, Google, and Yahoo! created DMARC.
DMARC acts as a supplement to SMTP (Simple Mail Transfer Protocol), the basic protocol used to send email. SMTP itself defines no procedure for email authentication, which is why you need DMARC in addition to SPF and DKIM. DMARC’s job is to leverage DKIM and SPF to perform a more thorough check on every email a receiver accepts.
DMARC allows domain owners to publish a DMARC policy, a set of instructions telling the receiving server what to do with an incoming email that does not pass the DMARC check. The policy can also request reports detailing each check, which help you improve your setup and alert you promptly when someone is attempting to abuse your domain.
Specifically, DMARC can help you:
- Establish and enforce email authentication protocols;
- Specify what action receivers should take when authentication checks fail;
- Receive reports about mail claiming to come from your domain.
How Does DMARC Work?
DMARC works by relying on the already established DKIM and SPF protocols for authenticating emails. It also piggybacks on the Domain Name System (DNS). To understand how DMARC works, it’s important to first review how DKIM and SPF operate. Companies publish SPF records specifying which IP addresses or services may send email from their domain. If a sender uses an IP address that doesn’t match the SPF record, the SPF check fails.
A DKIM digital signature is sent with every email from a signing domain. It’s not like the typical signature you see at the bottom of an email message. Instead, a DKIM signature is computed over selected headers and the body of the message using a private key held by the sending server, and it identifies the domain that signed the message.
The receiving server fetches the domain’s public key from DNS, recomputes the values and verifies the signature against them. If the values do not line up, the DKIM check fails and the email doesn’t reach its intended destination. At least one of these protocols (either DKIM or SPF) needs to be in place for DMARC alignment to be possible.
When a mail server receives an email, it does a DNS lookup to check and see if there is an existing DMARC record on the incoming email’s domain. Not all servers operate this way, but most of the major ones do. Additionally, smaller servers are also starting to rely on this for every email they receive as well.
If a DMARC record is found, the DKIM and SPF checks run as usual. Then the receiving server performs an alignment test.
The email will pass the test if it meets the following criteria:
- If DKIM is in place, the domain in the signature’s d= tag matches the domain in the message’s From header.
- If SPF is in place, the domain of the “envelope from” address (the return path, where bounces and replies go) matches the domain in the message’s From header.
If both protocols are set up, the server performs both alignment tests. Alignment can be strict, where the domains must match exactly, or relaxed, where the base domains must match but different subdomains are allowed.
If only one protocol is set up, a DMARC check can only succeed through that protocol’s alignment test. If both are set up, only one of them needs to pass its alignment test; both are not required. In other words, DMARC passes if DKIM alignment succeeds but SPF alignment fails, or vice versa.
An email failing the SPF or DKIM test, or both, is not by itself enough to keep it out of an inbox, but it does influence the delivery decision. DMARC lets you tell the receiving server what should happen to an email that fails the check. There are three options, known as policies.
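The alignment logic described above, as an added example (not code from the original article): it turns the SPF and DKIM results plus their domains into a DMARC pass or fail, in relaxed or strict mode. The organizational domain is approximated as the last two DNS labels, which is an assumption; real receivers use the Public Suffix List.

```python
# Added example: DMARC identifier alignment as a receiver evaluates it.
# Assumption: organizational domain = last two labels (real receivers use
# the Public Suffix List, so multi-label suffixes such as gov.uk differ).

def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_evaluate(header_from, spf_result, mail_from_domain,
                   dkim_result, dkim_d, aspf="r", adkim="r"):
    """Return (passed, reason). DMARC passes when at least one mechanism
    both passes its own check *and* aligns with the From: header domain."""
    spf_aligned = (spf_result == "pass" and mail_from_domain is not None
                   and aligned(header_from, mail_from_domain, aspf))
    dkim_aligned = (dkim_result == "pass" and dkim_d is not None
                    and aligned(header_from, dkim_d, adkim))
    if spf_aligned and dkim_aligned:
        return True, "spf and dkim aligned"
    if spf_aligned:
        return True, "spf aligned (dkim failed or unaligned)"
    if dkim_aligned:
        return True, "dkim aligned (spf failed or unaligned)"
    return False, "no aligned mechanism passed"

if __name__ == "__main__":
    # Spoofed mail: the sender's own MAIL FROM domain passes SPF, but it does
    # not align with the From: header the recipient sees, so DMARC fails.
    print(dmarc_evaluate("mydomain.com", "pass", "other.example", "none", None))
```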
DMARC policy options
- None (p=none): the email is treated as if DMARC were not set up. A message can still be delivered to the inbox, placed in spam, or discarded. This option is used to monitor the environment and analyse reports without affecting delivery.
- Quarantine (p=quarantine): the email is accepted but does not reach the inbox. Messages that fail the DMARC check usually go straight to spam.
- Reject (p=reject): messages that fail the DMARC check are discarded immediately.
You can customize these options to suit your needs. For example, with a quarantine policy you can instruct the receiving server to send only a certain percentage of emails that fail the DMARC check to spam.
The remaining percentage is then allowed through to the inbox. Even though you are giving the receiving server a set of instructions, it doesn’t always follow them. Still, this protocol gives you control over more than the plain DKIM and SPF checks.
Additionally, the receiving server can send reports for all failed tests. This helps analyze the performance of your messages and will help warn you about fraudulent attempts.
How does DMARC work and what is a DMARC Record?
A DMARC record is a uniquely-formatted version of a normal DNS record, only with a special name. It usually looks like this: _dmarc.mydomain.com. These records are included in the domain’s DNS database.
A full DMARC record will have a lot of information following this initial text. Here’s a basic breakdown of what commonly used configurations mean:
- v=DMARC1: the DMARC version in use (currently always DMARC1);
- p=none: the policy, i.e. the treatment requested for mail that fails the DMARC check;
- rua=mailto:<address>: the email address aggregate reports are sent to;
- ruf=mailto:<address>: the email address forensic reports are sent to;
- pct=100: the percent of mail that the domain owner wants to have the policy applied to.
Other tags can be used in your DMARC policy as well. Domain alignment is the DMARC concept that extends the validation done by SPF and DKIM to the domain the recipient actually sees.
It matches the From domain of a message against the identifiers that SPF and DKIM authenticate. For SPF alignment, the message’s From domain must match its return-path domain. For DKIM alignment, the message’s From domain must match the DKIM d= domain.
Alignment can be relaxed, where the base domains match but subdomains may differ, or strict, where both values must be identical. The mode is specified in the DMARC policy published by the domain owner.
A DMARC policy can only request that receiving servers apply it; the domain owner cannot enforce it. It’s up to the receiving server to decide whether to honour the policy. In practice, most mail servers and services respect the DMARC policy published by the domain owner.
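Parsing a published record and deriving a message’s disposition from the p= and pct= tags, as an added example that is not code from the original article. The sample record is constructed, the report address is a placeholder, and the adkim=/aspf= alignment tags (real RFC 7489 tags, not named on this page) default to relaxed.

```python
# Added example: parse a DMARC TXT record and compute the disposition a
# receiver applies. Constructed record; <report-address> is a placeholder.

WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; ...' into a dict, applying RFC 7489 defaults and checks."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; otherwise this is not a DMARC record.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: missing/invalid p= with a usable rua= is treated as p=none.
        if tags.get("rua", "").startswith("mailto:"):
            tags["p"] = "none"
        else:
            raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags

def disposition(record: dict, dmarc_passed: bool, sample: int) -> str:
    """Disposition for one message. `sample` is the receiver's random draw in
    1..100; messages outside the pct= share get the next weaker policy (6.6.4)."""
    if dmarc_passed:
        return "none"
    policy = record["p"]
    if sample > record["pct"]:
        policy = WEAKER[policy]
    return policy

SAMPLE_RECORD = "v=DMARC1; p=reject; pct=50; rua=mailto:<report-address>; adkim=s"

if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_RECORD)
    print(rec, disposition(rec, False, 10), disposition(rec, False, 90))
```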
Types of DMARC reports
Receiving mail servers generate DMARC reports as part of the validation process. They come in two primary formats:
- Forensic reports – individual copies of emails that failed the authentication tests, enclosed in a full email message in the AFRF format. These reports are useful for troubleshooting an email’s authentication issues and for identifying potentially harmful websites and domains.
- Aggregate reports – XML documents summarising the messages seen from a specific domain. These machine-readable reports include the authentication results and the disposition applied to the messages.
What Are The Differences Between DMARC, DKIM, and SPF?
SPF, DKIM, and DMARC are all standard protocols covering different areas of email authentication, and each complements the others. SPF lets domain owners specify which addresses or services may send mail for the domain.
DKIM uses a cryptographic key and signatures to detect altered or forged emails. DMARC builds on both protocols and ties them into a single framework, letting domain owners specify how receivers should handle an email that does not pass authentication.
Why Should You Use DMARC?
DMARC is the best way to ensure that your domain and organization are protected against phishing and other fraudulent activity. Most companies already use DKIM or SPF. Adding DMARC provides an extra layer of protection that makes email authentication complete, and it is not very complicated to set up.
How does DMARC work in practice? For example, the domain HMRC.gov.uk is one of the most frequently attacked domains in its sector. HMRC estimated that after adding DMARC to its authentication process, the number of phishing emails decreased by 500 million within just 1.5 years. Adding DMARC also increased the delivery rate of important emails.
Benefits of using DMARC
There are two primary benefits of using DMARC. First, cybercriminals are more likely to give up on trying to hack a domain if they see that it has a properly set up DMARC authentication process. This is because they know that their chances of getting through are minimal.
Therefore, they don’t even try and look for easier targets instead. DMARC is not yet widely deployed, which makes it easy for criminals to find an unprotected domain that will be easy prey.
Additionally, receiving servers are more likely to treat email from a domain with DMARC as legitimate than email from a domain without a secure authentication protocol, especially one with no protection at all.
If an email passes a DMARC test, it is more likely to be delivered than an email without DMARC. Businesses need to implement DMARC for their commercial email because it verifies that any email you send really comes from you.
Properly configured DMARC also tells receiving domains how to test any message that claims to come from your domain. This is one of the most important steps you can take to protect your deliverability to clients.
Keep in mind that DMARC only goes so far. It’s only one of many steps that you’ll need to take against cybercriminals to protect your domain. The bigger your company is, the more you’ll lose if someone hacks your organization and reaches your clients. You can customize your DMARC policies, allowing you to stay in total control of your domain security.
How does DMARC work for you day to day? DMARC lets you put your emails through checks without affecting your deliverability. You also receive data about emails that fail the checks, which allows you to quickly detect attempts to impersonate your domain and to spot problems with your own configuration.
You can find more details about DMARC in RFC 7489.