Today, businesses thrive on email communication. But when SMTP servers first came about in the 1980s, they didn't check which domain name the emails were coming from. This became a problem as cybercriminals started misusing them. To tackle the rise in email phishing attacks, DMARC (Domain-based Message Authentication, Reporting & Conformance) was introduced in 2012, with many email service providers contributing to its development. Since then, all major email service providers have implemented DMARC as a security measure for incoming emails from any domain. Now, it's the responsibility of the sender's domain to implement DMARC by generating their DMARC records.
SPF and DKIM were created years ago to identify messages through IPs and public-private key combinations. However, these protocols only provided information and didn't have any action policies against emails sent from different IP addresses. With DMARC, the sender's domain tells the recipient server which DMARC policy should be applied to emails that fail SPF and DKIM checks. DMARC works on the domain name in the FROM field and oversees the enforcement of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
DMARC policies progress from none (p=none) to quarantine (p=quarantine) and finally reject (p=reject).
Before getting started with the policies, let's understand what the DMARC records look like and the meaning of their various tags.
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100; rf=afrf;
Tag | Value | Explanation |
---|---|---|
v | DMARC1 | The v tag is required and represents the protocol version. An example is v=DMARC1 |
p | reject | The required p tag specifies the policy for the domain (the requested handling policy). It directs the receiver to report, quarantine, or reject emails that fail authentication checks. Policy options are: 1) None 2) Quarantine or 3) Reject. |
rua | [email protected] | This optional tag lists the reporting URI(s) (report email addresses) for aggregate data. For example, rua=mailto:[email protected]. |
ruf | [email protected] | Like the rua tag, the ruf tag is optional. It lists the addresses to which message-specific forensic information is to be reported (i.e., a comma-separated plain-text list of URIs). For example, ruf=mailto:[email protected]. |
fo | 1 | The fo tag (failure reporting options) pertains to how forensic reports are created and presented to DMARC users. |
adkim | r | Similar to aspf, the optional adkim tag is the alignment mode for the DKIM protocol. A sample tag is adkim=r. |
aspf | r | The aspf tag represents alignment mode for SPF. An optional tag, aspf=r is a common example of its configuration. |
pct | 100 | This DMARC tag specifies the percentage of email messages subjected to filtering. For example, pct=25 means a quarter of your company's emails will be filtered by the recipient. |
rf | afrf | The rf tag (report format) declares the format(s) used for forensic reporting. |
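
The tag table above can be turned into a small parser and linter for a DMARC TXT value. This is an added example, not code from GoDMARC or any DMARC library: the names `parse_dmarc` and `lint` are hypothetical, the sample records and the example.com address are constructed, and the defaults for omitted optional tags are those defined in RFC 7489.

```python
import re

# Optional-tag defaults as defined in RFC 7489; allowed values per the table above.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf"}
ALLOWED = {"p": {"none", "quarantine", "reject"},
           "adkim": {"r", "s"}, "aspf": {"r", "s"}}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    pairs = [part.strip() for part in txt.split(";") if part.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for pair in pairs:
        name, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not value:
            raise ValueError(f"malformed tag: {pair!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    return {**DEFAULTS, **tags}

def lint(tags):
    """Return findings a domain owner should review before relying on the record."""
    findings = []
    for name, allowed in ALLOWED.items():
        if tags[name].lower() not in allowed:
            findings.append(f"{name}={tags[name]} is not a valid value")
    pct = tags["pct"]
    if not (pct.isdecimal() and int(pct) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    elif int(pct) < 100 and tags["p"].lower() != "none":
        findings.append(f"policy applies to only {pct}% of mail")
    for name in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(name, "").split(",")):
            if uri and not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri, re.I):
                findings.append(f"{name} URI is not a mailto: address: {uri}")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will be sent")
    if tags["p"].lower() == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    return findings

# Constructed sample records; the example.com address is a placeholder.
ENFORCED = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
            "fo=1; adkim=r; aspf=r; pct=100; rf=afrf;")
ROLLOUT = "v=DMARC1; p=quarantine; pct=25; aspf=x"

if __name__ == "__main__":
    for record in (ENFORCED, ROLLOUT):
        print(record, "->", lint(parse_dmarc(record)) or "no findings")
```
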
p=none: Monitoring Mode
By implementing this policy, the sender's domain tells the recipient server not to take action on any emails that fail SPF and DKIM checks. If the sender's domain has included an RUA tag, the recipient server will begin sending DMARC XML reports to the email address specified in the RUA tag.
p=quarantine: Redirects Emails to Spam Folder
When the DMARC policy is set to quarantine, any email failing SPF and DKIM checks will end up in the recipient's spam folder. The sender will also get DMARC reports at this stage. However, up to and including this stage, phishing or spoofed emails may still reach the recipient's server.
DMARC Reject: Final Action Stage
To get the most out of DMARC, you need to set your DMARC policy to p=reject. This means that any email that fails SPF and DKIM checks won't be accepted by the recipient server. This is the final policy of DMARC, where emails failing authentication are rejected.
To apply these policies, you need to use the DMARC dashboard to see if any legitimate SMTP sources fail SPF and DKIM authentications. Otherwise, your genuine emails might be rejected or quarantined (depending on the DMARC policy stage). While most major ESPs check for DMARC records, some older servers haven't adopted this, allowing spoofed emails to be delivered even if the DMARC policy is set to quarantine or reject.
DMARC is a TXT record that you add to your domain's DNS settings. It doesn't need any integration or installation with your current email setup. You don't have to change your MX or SMTP server details.
Simply insert the DMARC record into your domain's DNS settings, as recommended by your DMARC service provider like GoDMARC. Or if you've made your own DMARC records, you can create them here.
DMARC operates at the DNS level, where both the sender and recipient servers follow the policies defined in the DNS records.
While the primary functionality of DMARC is preventing email scamming and domain misuse, GoDMARC offers several organizational benefits:
Email Security: With all 3 email protocols in place, your domain name is protected against email phishing attacks, whether it's a BEC (Business Email Compromise) attack or an external attack like B2B (Business-to-Business) or B2C (Business-to-Consumer) using the same domain name.
Improved Email Delivery: With the GoDMARC dashboard, all your legitimate SMTP sources are aligned and authenticated according to DMARC standards. This enhances email delivery, whether it's for corporate emails or marketing purposes.
Protecting Brand Reputation: When you set your DMARC policy to reject and implement a BIMI VMC certificate, it helps build trust and improves your brand's reputation.
Reporting and Visibility: GoDMARC provides detailed analytics of emails failing or passing SPF, DKIM authentication and alignment. It identifies who is attempting to spoof your domain and from which IP address.