DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication protocol that helps protect organizations and their email recipients from fraudulent emails. DMARC builds on two existing email authentication protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to provide an extra layer of defense.
Let’s discuss the importance of DMARC, how this protocol works, what DMARC records and DMARC policies are, and the benefits of DMARC.
Why is DMARC Important?
DMARC is important because it protects your domain from phishing and spoofing attacks. It ensures that only authorized senders can use your domain by verifying SPF and DKIM authentication for outgoing messages. This safeguards your organization’s reputation and protects clients and partners from fraudulent emails that look like they come from your email address. Additionally, DMARC reports offer insights into how your domain is being used and help you detect unauthorized activities before they become serious threats.
How Does DMARC Work?
DMARC works by verifying the authenticity of emails using SPF and DKIM. SPF allows a domain owner to specify which email servers are authorized to send mails on behalf of their domain, while DKIM allows the sender to add a digital signature to their messages, providing a means for the recipient to verify the mail’s authenticity.
If the email fails either SPF or DKIM alignment, DMARC applies the policy you’ve set. DMARC allows email domain owners to publish policies in their Domain Name System or DNS records specifying how email receivers should handle messages that claim to be from their domain or email address.
What is a DMARC Policy?
There are three main DMARC policies that a domain owner can specify:
None (p=none)
This policy is used for monitoring purposes. With this policy, email receivers do not take specific action based on the DMARC results. Both legitimate emails and malicious emails land in your inbox. The domain owner receives reports about the authentication status of mails claiming to be from their domain. This allows them to assess the impact of implementing DMARC without impacting the delivery of messages.
Quarantine (p=quarantine)
With this policy, if an incoming mail fails DMARC authentication, the email receiver is instructed to treat it with suspicion and may choose to move it to the recipient’s spam folder or junk folder. The message is not outright rejected, but it is flagged as potentially suspicious.
Reject (p=reject)
This is the strictest DMARC policy. If an incoming message fails DMARC authentication, the email receiver is instructed to reject it outright, preventing the mail from reaching the recipient’s inbox. This policy provides the highest level of protection against email spoofing and phishing.
Organizations are advised to start with a “p=none” policy for monitoring, analyze their mail activity and then gradually move to a more restrictive policy like “p=quarantine” or “p=reject”.
Here’s an illustration showing how DMARC works:
What is a DMARC Record?
The Structure of DMARC Records
The structure of DMARC records includes several key components or tags specifying how to handle messages claiming to be from the organization’s domain.
| Tag Name | Purpose | Sample |
| v | Protocol version | v=DMARC1 |
| p | Policy for organizational domain | p=quarantine |
| pct | Percentage of messages subjected to filtering | pct=20 |
| rua | Reporting URI of aggregate reports | rua=mailto:[email protected] |
| ruf | Reporting URI for forensic reports | ruf=mailto:[email protected] |
| adkim | Alignment mode for DKIM | adkim=s |
| aspf | Alignment mode for SPF | aspf=r |
| sp | Policy for subdomains | sp=reject |
Here’s an example of a simple DMARC TXT record:
“v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=90; adkim=s; aspf=r”
In this example, the organization has implemented DMARC with the most robust policy of “p=reject,” requests aggregate reports to be sent to “[email protected],” forensic reports to “[email protected],” allows for 90% flexibility in applying the policy, and uses strict DKIM and SPF alignment.
(Use our free tool for a DMARC syntax check.)
What Are the Benefits of DMARC in Email?
The benefits of DMARC in email include:
- Phishing and spoofing prevention: DMARC helps prevent phishing attacks by allowing email recipients to verify that the sender is legitimate and hasn’t been spoofed.
- Increased email deliverability: DMARC can positively impact mail deliverability by clearly indicating to email providers that your messages are legitimate.
- Brand protection: DMARC helps safeguard your brand’s reputation by reducing the risk of attackers using your domain to send fraudulent mails.
- Reporting and visibility: DMARC generates reports that provide insights into email traffic, which allows you to monitor and fine-tune your email security policies.
- Regulatory compliance: DMARC adoption aligns with certain regulatory requirements and industry standards related to email security, contributing to overall compliance efforts.
- Improved customer trust: By securing your email communication, you can enhance customer trust and confidence in your online communications.
(Take a look at our DMARC pricing.)
Your DMARC Journey Made Simple
Implementing DMARC requires careful configuration and ongoing monitoring, but the benefits in email security and trustworthiness are substantial. While DMARC implementation requires technical expertise, EasyDMARC has designed various tools to make your DMARC journey a breeze. We provide comprehensive guidance and walk you through every stage of email authentication to ensure you have the knowledge and tools necessary for smooth compliance.
Get in touch with us.
We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.
You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us