What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message. DMARC requires both SPF and DKIM to fail for it to act on a message. DMARC gives email domain owners the ability to protect their domain (and their brand) from unauthorized use and email spoofing.

The Advantages of Implementing DMARC

Deploying DMARC helps legitimize email by doing the following:

  • Signals whether SPF and/or DKIM authentication is in place for the email domain.
  • Tells email receivers (like Gmail and Yahoo) how to handle messages that fail to align with those protocols.
  • Gives feedback to the sender about the email itself.
  • Helps the email community establish a consistent policy for dealing with messages that fail to authenticate—helping the ecosystem become more secure and trustworthy.

The work required to deploy DMARC is directly related to the size and complexity of an organization’s email infrastructure. An initial assessment should be performed to determine the context in which the deployment project will operate, the complexity of the existing email environment, and the implementation capabilities of the organization. Results of the assessment directly inform project scoping and planning.

When deploying DMARC, it’s best to roll out DMARC across all of an organization’s domains instead of focusing on individual domains. When DMARC is deployed at an organization across the entire domain portfolio, the process of deployment becomes much easier, and the benefits increase to the point where managers get new tools to ensure email is being sent in compliance with the organization’s standards.

The main benefits of implementing DMARC are security, visibility, deliverability, and identity.

  • Security: With DMARC you can monitor your email flow for threats and unknown senders and prevent spoofing and phishing emails from being sent from your domain.
  • Visibility: DMARC will provide you with detailed insight on all emails sent on behalf of your domain.
  • Deliverability: Using DMARC will help ensure your emails are delivered using the same technology that large companies use to deliver their email.
  • Identity: DMARC makes your email easy to identify across the huge and growing footprint of DMARC-capable receivers.

Built upon SPF and DKIM

DMARC, an open source standard, uses a concept called alignment to tie the result of SPF and DKIM to the content of an email message.

  • SPF has been around since 2003. SPF is a way of publishing a list of servers that are authorized to send email on behalf of a domain.
  • DKIM has roots going back to 2005. It is a method of adding a tamper-proof domain seal to a piece of email.
Instead of relying on proprietary technology DMARC is an open-source standard that brings consistency to how the existing technologies of SPF and DKIM are configured.
For an email message to be considered DMARC-compliant, the domain found in the “From:” header must match the domain validated by SPF or the source domain found in a valid DKIM signature. If the domains match and at least one of the two mechanisms is valid, receivers can safely say that the email comes from the specified domain.
While SPF & DKIM can be used independently from DMARC, adding DMARC gives greater functionality to the information than what they each separately provide.

DMARC policy

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM and tells the recipient what to do if none of these are verified on a particular email (marking it as junk or denying the delivery of the message).

DMARC removes the responsibility of the management of these messages, limiting the user’s exposure to potentially fraudulent or malicious messages. DMARC also provides a way for the email receiver (like Google and/or Microsoft) to report back to the sender about messages that pass and/or fail DMARC evaluation.
Senders can set their DMARC policy (referred to as “p=”) to determine what is done to non-compliant email:
  • Monitoring (p=none) no impact on mail flows
  • Quarantine (p=quarantine) messages that fail DMARC (e.g., move to the spam folder)
  • Reject (p=reject) messages that fail DMARC (e.g., don’t deliver the mail at all)
DMARC policies typically start at a state of p=none which is a monitoring phase that gives insight into how your domain is being used and SPF and DKIM are functioning and moves towards a policy of p=reject. Reject instructs email receivers to refuse to accept email that fails DMARC. By default, email that fails under a reject policy is not accepted. This behavior is a great control against the sending of unauthorized email making use of your domain.
Only 30% of organizations that start deploying DMARC complete the process.
The challenge with deploying DMARC isn’t the specification itself but with the email ecosystem and the interpretation of the feedback that is provided. The process of adopting DMARC into an organization can be daunting, but with a partner like dmarcian, it can be easily managed.

About dmarcian

dmarcian is dedicated to upgrading the entire world’s email by making DMARC accessible to all. dmarcian brings together thousands of senders, vendors, and operators in a common effort to build DMARC into the email ecosystem.

Additional resources

You can visit https://dmarcian.com/dmarc-inspector/ to view the DMARC record for any published domain. The DMARC Inspector is a diagnostic tool that parses and presents a view of DMARC records for any domain.