DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol to check if an email message really originates from where it claims to have, based on SPF and DKIM, another two email authentication protocols. In addition to email authentication, it also adds reporting capabilities, so that domain owners can examine email delivery statistics on their domains.
What's the purpose of DMARC?
The main purpose of DMARC is to prevent email spoofing and phishing. Email phishing has been a major security issue in recent years. Research shows that over 90 percent of network breaches start with a phishing email and almost 50 percent of cyberattacks targeting small businesses. Once a business falls victim to a security breach, many things are suddenly at risk: blemished brand reputation, intellectual property stolen, direct financial loss, etc.
DMARC is designed to be a strong line of defense against email spoofing and phishing. If properly implemented in the
p=reject mode, DMARC can thwart all unauthenticated emails from the target domain, while allowing all legitimate emails through.
How does DMARC work?
On a high level, there are two aspects in a typical DMARC implementation: DMARC record publication on the domain owner's end, and DMARC policy enforcement and reporting on the receiving email server's end. These two parts need to collaborate for DMARC to take effect.
On the domain owner's end, he publishes a DMARC record on the domain in the domain name system (DNS) with desired settings, mainly the DMARC policy and aggregate report recipient mailboxes. The DMARC policy has 3 options, indicating how the receiving email server should handle unauthenticated emails: none (monitoring), quarantine, and reject.
On the receiving email server's end, whenever an email that claims to have originated from that domain comes in, the server calls the DMARC module to check the email based on the connecting server's IP address, envelope from address, header from address, and the
d= tag inside the DKIM signature if any. The result is called DMARC authentication result, which can be pass or failure. If the result is failure, the server consults the DMARC policy for the disposition of the email message. Here is how DMARC handles unauthenticated email messages:
- none (monitoring): this is the monitoring mode, meaning nothing is done about unauthenticated email messages. This mode is mainly used to request DMARC aggregate reports, so that domain owners have a clear idea what the email streams on their domain look like;
- quarantine: this is the quarantine mode, in which an unauthenticated email is placed in the spam folder; this is a more stringent mode than the monitoring mode, in that the end user does get some protection by moving the email from the inbox;
- reject: this is the reject mode, which is the most stringent mode of all three. In the reject mode, any unauthenticated email is rejected outright in the SMTP session, therefore the email never hits the end user's mailbox, not even the spam folder. The result is that the end user will never see any unauthenticated email.
What does DMARC offer on top of SPF and DKIM?
DMARC works by evaluating SPF and DKIM authentication results. DMARC authentication result is pass when one of the following is true:
- SPF authentication result is pass, and has SPF identifier alignment;
- DKIM authentication result is pass, and has DKIM identifier alignment.
Note that there is the "identifier alignment" concept in both of the options above: DMARC introduces the identifier alignment concept to ensure that what the end user perceives as the email sender in his email agent is indeed authenticated. SPF by itself doesn't authenticate the header from address, neither does DKIM.
What's more, SPF or DKIM doesn't have reporting capabilities built in, therefore, it's hard for implementers to know the percentages of authenticated and unauthenticated emails. This lack of reporting capabilities has hindered SPF and DKIM implementations in the past.
DMARC has reporting capabilities for both aggregate and forensic reports. The aggregate reports contain aggregate statistics on email authentication, and are sent periodically to the designated mailbox specified by the
rua tag in the DMARC record. The forensic (failure) reports are sent almost immediately after an email fails authentication, to the mailbox specified by the
ruf tag in the DMARC record. Please bear in mind though, only a few email service providers support forensic reports, while all mainstream email service providers now support aggregate reports.
How effective is DMARC?
In short, very effective. If properly implemented in the reject mode, DMARC should be 100% effective in rejecting spoofing emails on the target domain, providing that neither SPF nor DKIM is compromised.
Should every business implement DMARC?
Most businesses nowadays haven't caught up on DMARC. They might have SPF or DKIM implemented, but not DMARC. This still leaves huge security loopholes for email spoofing/phishing, as neither SPF nor DKIM has identifier alignment.
If your business hasn't implemented DMARC, I suggest that you do so as soon as possible. Implementing DMARC is not hard. You can simply start by generating a DMARC record in the monitoring mode, and publish it in the DNS. Then you can check the aggregate reports to see how the email statistics on your domain look like.
Once you are getting hang of it, move on to the quarantine mode, and ultimately to the reject mode for full protection.
Lock down your business domain tight. Don't let cyberattackers spoof it!
To get started with DMARC, you can read our complete guide to DMARC here: How to Implement DMARC/DKIM/SPF to Stop Email Spoofing/Phishing: The Definitive Guide.
Here are a few DMARC deployment tools you will find useful during your implementation: DMARC/DKIM/SPF deployment tools.
To get the quickest result possible, try this all-in-one, end-to-end SPF/DKIM/DMARC wizard.
Protect Your Business Email
Get a 14 day trial. No credit card required.Create Account