What is DMARC?
If you are here, means you know about DMARC or want to learn more about what is DMARC email protection.
So, let’s travel to DMARC email protected world.
What Is DMARC?
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols. It adds linkage to the author (“From ”), domain name, by the help of published policies which helps the recipient handle the authentication failures, and reporting from receivers to senders to improve and monitor the protection of the domain from fraudulent email.
Email authentication technologies (SPF and DKIM) were developed over a decade ago in order to provide advanced privacy on the identity of the sender of a message. The use of these technologies is going to increase day by day, but the problem of fraudulent and fake emails still exists. I can say, that if a sender uses these technologies, it will be easy for email receivers to easily differentiate the fraudulent messages from the real and legal emails. Unfortunately, it has not worked that way for a number of reasons:
Why is email protection important?
- Many senders have a complex email environment with many systems of sending an email, often including 3rd party service providers. It`s a complex task to make sure that every message passes the SPF or DKIM authentication.
- Some of the messages can be authenticated and others not, then email receivers will differentiate between real and fake messages. By nature, spam algorithms are error-prone and need to constantly evolve to respond to the changing tactics of spammers.
- Senders get very poor feedback of their mail authentication deployments. Unless messages return back to the sender, there is no way to determine how many legitimate messages there are. The scope of the fraudulent emails that are spoofing the sender’s domain is also unknown. This makes troubleshooting of mail authentication issues very hard, particularly in complex mail environments.
- Even if you are sending legitim messages, moreover, You have authenticated mail infrastructure, again email receivers will be aware to reject unauthenticated messages because they are not sure whether there is some stream of legitimate messages which are going to be unsigned.
Have you ever think about how much personal data you have shared online?
The only way these problems can be addressed is when senders and receivers share information with each other. Receivers inform senders about their mail authentication infrastructure when senders tell receivers what to do if a message is not legitim.
In 2007, PayPal pioneered this approach and worked out a system with Yahoo! Mail and later Gmail to collaborate in this fashion. The results were extremely effective, leading to a significant decrease in suspected fraudulent email purported to be from PayPal being accepted by these receivers.
The goal of knowing what is DMARC is to know that DMARC builds senders’ and receivers’ collaboration and improves mail authentication practices of senders and enable receivers to reject unauthenticated messages.
DMARC fits into an organization’s existing inbound email authentication process. The way it works is to help email receivers determine the purported message “aligns” with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle the “non-aligned” messages. For example, assuming that a receiver deploys SPF and DKIM, plus its own spam filters, the flow may look something like this:
The example above, testing for alignment with DMARC, is applied at the same point where ADSP would be applied in the flow. All other tests remain unaffected.
At a high level, DMARC satisfies the following requirements:
- Minimize false positives.
- Provide robust authentication reporting.
- Assert sender policy at receivers.
- Reduce successful phishing delivery.
- Work at Internet scale.
- Minimize complexity.
It is important to know that DMARC builds upon the two protocols. One of which is DomainKeys Identified Mail (DKIM) and another one is a Sender Policy Framework (SPF). DMARC replaces the ADSP by adding support for:
- wildcarding or subdomain policies,
- non-existent subdomains,
- slow rollout (e.g. percent experiments)
- quarantining mail
Do You know? 85% of consumers will not do businesses with a company if they have concerns about its security practices.
Anatomy of DMARC resource record in the DNS
In the DNS TXT records, there are DMARC policies (RR) and announce what an email receiver should do with non-aligned mail it receives.
Consider an example DMARC TXT RR for the domain “sender.dmarcdomain.com” that reads:
DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM. The following chart illustrates some of the available tags:
|pct||Percentage of messages subjected to filtering||pct=20|
|ruf||Reporting URI for forensic reports||ruf=mailto:[email protected]|
|rua||Reporting URI of aggregate reports||rua=mailto:[email protected]|
|p||Policy for organizational domain||p=quarantine|
|sp||Policy for subdomains of the OD||sp=reject|
|adkim||Alignment mode for DKIM||adkim=s|
|aspf||Alignment mode for SPF||aspf=r|
Note: The examples in this chart are illustrative only and aren’t relied upon in lieu of specification. Please refer to the specification page for the most up-to-date and accurate version.
How Senders Deploy DMARC in 5-Easy Steps
DMARC is based on real-world experience by some of the world’s largest email senders and receivers deploying SPF and DKIM. The specification takes into account the fact that it is impossible for an organization to flip a switch to production. There are a number of built-in methods for “throttling” the DMARC processing. After this, all parties can ease into full deployment over time.
- Deploy DKIM & SPF. You have to cover the basics
- Ensure that your mailers are correctly aligning the appropriate identifiers.
- Publish a DMARC record with the “none” flag set for the policies, which requests data reports.
- Analyze the data and modify your mail streams as appropriate.
- Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience.
If You already know what is DMARC with details it’s easy for You to protect Your email from phishing.
Are you protected?