What is DMARC, how does it work and why you should use it
3 min read

What is DMARC, how does it work and why you should use it

DMARC is an acronym that stands for Domain-based Message Authentication, Reporting and Conformance and is an email authentication protocol.

Domain owners can use DMARC to protect their domains from unauthorized use.

Unauthorized uses of a domain are commonly known as email spoofing. Someone sends an email and uses your domain in the email From part.

With DMARC, you publish information on how a receiving ESP (Email Service Provider) should handle unauthorized emails from your domain. Additionally, you receive aggregated reports as a feedback loop from major providers like Gmail and Yahoo.

How to configure DMARC for your domain?

To configure or enable DMARC for your domain, you publish a new TXT record via your Nameserver (e.g. Namecheap, GoDaddy, .etc).

Here is an example DMARC record:

Name Value
Typ TXT
Host / Location _dmarc
Value v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];

The example above instructs the receiver to do the following:

  • Apply the rules to all "bad" emails (pct=100)
  • No further actions for "bad" emails (p=none)
  • Mark "bad" emails as suspicious for subdomains (sp=quarantine)
  • Send aggregated reports to [email protected] (rua=mailto:[email protected])

Since the example rule does not perform any actions for "bad" emails, its intention is to monitor the SPF and DKIM settings. It's a good idea to start with this setting for testing and increase the policy to quarantine and/or reject.

How does DMARC work?

You can see DMARC as a way to tell the receiver how to handle message authentication failures (SPF and DKIM failures) and get feedback.

Let's say you send an email to Bob.

When sending your email, your MTA (Mail Transfer Agent) generates a DKIM signature and applies it to your message.

The recipient checks your DKIM and SPF authentication. Therefore it queries information from your domain's DNS. With the SPF settings and the public DKIM key, the recipient performs the checks.

If the recipient supports DMARC, the check results are then forwarded to the DMARC module. The module queries the sender domain's DNS to retrieve a DMARC policy record.

In case the sender domain published a DMARC policy, the DMARC module acts depending on the policy. Otherwise, the process continues without any additional DMARC protection.

The recipient mail service delivers the message to the inbox or performs other actions depending on the DMARC policies (e.g. reject the message).

When requested, the recipient's mail service collects data from the message and sends feedback to the specified email address.

Policies

There are three different types of policies you can choose from. A policy tells the receiver about how to handle unauthorized messages.

  • p=none is the entry-level and tells the receiver to do nothing special with unauthorized messages. Use this policy to only receive the dmarc reports
  • p=quarantine flag unauthorized messages or put them into the spam folder
  • p=reject is the strictest level and tells the receiver to discard unauthorized messages without delivering them to the recipient

When implementing DMARC, it's a good idea to start with the none policy and monitor the reports. This allows you to detect and fix (SPF / DKIM) configuration issues before moving to a stricter policy.

Aggregate Reports

When using a rua tag in your DMARC record, an (usually) daily email with the DMARC check results is sent to the specified email address.

The report is attached as an XML file. It is readable by humans and can be parsed by other software tools. The report contains a list of sender addresses and the number of authenticated and unauthenticated emails received in a given time.  

Forensic Reports

Even more insights about failed messages can be retrieved as forensic reports. For active forensic reports, you publish the fo tag in your DMARC record.

Forensic reports are sent almost immediately on authentication failures. The report contains more insights about the message like the from email address the recipient email address and the email subject line.    

Why should I use DMARC?

DMARC is an effective way to protect you and your customers from unauthorized use of your email domain:

  • Monitor your email authentication (SPF + DKIM)
  • Receive feedback about the number of processed messages by providers
  • Get noticed about unauthorized messages (email spoofing)
  • Tell ESPs to reject or quarantine unauthorized messages to protect your customers
  • Protect your sender reputation by having a well-configured and secured email domain

Conclusion

DMARC is an effective way to receive feedback regarding email activities from your domain. It also protects you and your customers from receiving unauthorized emails.

If you don't have a DMARC record published yet, it's now time to take care about it.