Features

How Does DMARC Work?

Our Guide To DMARC: What It Is, How It Works, How You Can Configure It, And How It Can Protect Your Organization

Last updated on Apr 24, 2024
Joel Witts Written by Joel Witts
DMARC

DMARC is one of the top ways that organizations can protect themselves from domain spoofing, phishing scams and other email-based cyber-attacks. But how does DMARC work?

The DMARC standard was developed in 2012 by many industry leading organizations including PayPal, Google, Microsoft and Yahoo! Each of these domains are very commonly spoofed by cybercriminals, leading to them wanting to implement a way for organizations to verify the legitimacy of email senders. DMARC leverages existing email authentication techniques to protect businesses from spoofed domians.

Despite the security benefits, many small businesses are not familiar with DMARC and the benefits it can offer. Here, we’ll explain everything you need to know about DMARC in one easy guide. Let’s get into it!

What is DMARC?

Domain-Based Message Authentication Reporting and Conformance is a method of validating that emails are being sent from genuine domains. It’s designed to help organizations stop cyber-criminals from impersonating your company’s domain via email, a technique known as domain spoofing. Email providers like Gmail and Office 365 generate DMARC reports on all of the emails they receive. These reports provide insights into all the IP addresses that are sending emails from your domains. With DMARC tools, these reports can help organizations spot cyber-criminals that use these domains to send out spam and phishing attacks, that appear to be from your domains.

DMARC uses email authentication techniques SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). Here are is a brief rundown of SPF and DKIM for those unfamiliar:

What is SPF?

The Sender Policy Framework is an email-authentication technique which is used to stop cyber-criminals using your domain to send out mass spam emails. Using SPF, an organization is able to publish authorised mail servers, which tells receiving systems how trustworthy the origin of an email is. SPF uses DNS (Domain Name Service) to give users the ability to specify which email servers are permitted to send emails from your domains.

What is DKIM?

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows receivers to ensure that emails were sent and authorized by the owner of the domain the email was sent by. This helps users to avoid phishing scams that impersonate well known email domains. This is done by giving emails a digital DKIM Signature, which is added to genuine email messages and encrypted.

What are the benefits of implementing DMARC?

DMARC protects your brand and your clients from cyber-criminals sending out malicious emails that spoof your domain. It’s likely everyone reading this guide will have received a spoofed email at some point. Cyber-criminals use domains from reputable businesses to try and trick users into clicking malicious links, or giving up sensitive account information.

DMARC helps organizations prevent this misuse of their domains, by giving organizations more visibility into their email channels. Based on this enhanced visibility, organizations can implement DMARC policies to help them manage email sent from their domains. These policies allow you to monitor, quarantine or block emails that fail DMARC validation. We’ll cover these policies and how DMARC validation works in more depth later in this guide.

Implementing DMARC improves your email security, by helping email receivers to stop phishing attacks against customers and employees, and stop brand abuse and scams that appear to come from your domains. DMARC also adds important reporting functionality. When DMARC is implemented, you will receive DMARC reports which can be used to get detailed information about emails. We’ll cover these reports in more depth later in this article.

In addition, DMARC helps with your email deliverability. Using DMARC means that emails correctly set-up and authenticated will not be marked as spam or malware by email receivers. This helps to increase the likelihood of your email communications being seen by recipients, rather than ending up in the junk or spam folder.

How does DMARC validation work?

As we mentioned, the DMARC standard is based on SPF and DKIM, existing email standards. These standards were initially used to protect domains from domain spoofing, but they became increasingly easy for cyber-criminals to circumvent.

To better protect domains, DMARC combines the authentication mechanisms for SPF & DKIM. To pass DMARC validation, an email must pass either SPF authentication and alignment or DKIM authentication and alignment. If an email doesn’t fully pass one of these checks, it will fail DMARC validation.

What is a DMARC Record?

The DMARC record is where you decide variables, like your preferred DMARC policy, which decides how your emails that fail DMARC validation will be handled.  The DMARC record tells email receivers that you have implemented DMARC, and the desired policy you with you use. Once the DMARC record is implemented, you will be also be able receive reports, which we will cover in more detail in the next section. In the DNS Record, you will choose where you want the reports to be sent.

DMARC Reports

Once your DMARC Record has been set up, your ISP will provide Aggregate (RUA) and Forensic (RUG) DMARC reports daily. Here is a brief rundown of these reports:

Aggregate DMARC Reports

Aggregate DMARC reports provide information about the authentication status of emails sent by your domains. They are sent daily, in an XML file-format. Aggregate DMARC reports don’t contain any information about the emails themselves, but instead give information about who sent email messages. This includes the sender’s IP address, the number of messages sent, DKIM/SPG authentication and more. This helps you to identify if malicious emails are being sent from their domains.

Forensic DMARC Reports

Forensic DMARC reports are generated by ISPs when an email fails DMARC authentication, so it could potentially be malicious. They are more detailed than daily Aggregate DMARC Reports. The DMARC forensic reports include additional information to the aggregate reports, including information like the subject line and header information of sent emails. This also includes who the email was sent from and to, any included links and attachment information. It is also possible to see the entire email message.

DMARC policies

By setting up a DMARC record, organizations can implement policies which decide what to do with emails that fail DMARC authentication. These policies tells ISPs what to do with emails that are potentially malicious, because they have failed to align with SPF and SKIM records.

There are 3 DMARC policies organizations can implement: Monitor, Quarantine, Reject. There is also a percentage tag policy, which organizations can apply.

Monitor Policy (p=none)

The first policy simply monitors incoming email to check if they are passing DMARC validation. The policy instructs email receivers to send DMARC reports to email addresses specified when you set up your DMARC record. This policy allows you to monitor your emails, and gain insights into your email channels. It does not do anything with emails that fail the DMARC check, other than notify you about them.

Quarantine Policy (p=quarantine)

The quarantine policy puts any emails that fail DMARC checks into the spam folders of the recipient automatically. This means that if malicious emails are sent from your domains, it goes straight to Spam rather than the main inbox, helping to protect the user. This helps to reduce the threat of domain spoofing, but does not stop the emails being delivered entirely.

Reject Policy (p=reject)

The reject policy instructs email receivers not to accept any emails that fail DMARC checks. This means any emails that are sent from spoofed domains will not be delivered to the intended recipient. Emails that do pass DMARC validation will be delivered as normal to the users inbox. This policy is designed to stop email spoofing entirely. However, it will also mean that any incorrectly setup emails will be deleted by email servers, and will not be delivered to inboxes.

Percentage Tag Policy (p+quarantine; pct=01)

The DMARC Percentage tag policy is used to tell receiving mail service what percentage of emails that fail DMARC validation should be blocked. The value that you choose in the PCT block can be anywhere from 1% to 99%. The value of only blocking a small percentage of email that fails DMARC is that it allows you to gradually test quarantining emails. This ensures that any delivery issues with DMARC can be sorted out early on, without stopping hundreds of emails being delivered.

How to implement a DMARC record

Once you have set up your SPF and DKIM, you are ready to set up DMARC. To get started with DMARC, you must implement a DMARC Record. Here is a quick guide to implementing a DMARC record.

Step One) Find the business domain/domains that you wish to implement DMARC.

Find the domain with which you want to implement DMARC. If your company email address is [email protected], than your domain is yourcompany.com.

Step Two) Generate a DMARC record.

If you are using Office 365, you can find out more about setting up DMARC here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide

Alternatively, there are a number of DMARC tools available that allow organizations to quickly create a DMARC record. In the next section, we’ll outline some of these vendors and the approaches that they take.

Step Three) Publish the DMARC Record

To publish the DMARC record, you must publish it to the Domain Name System (DNS). Take these steps:

Step One:

Log in to the DNS management console, and select your domain.

Step Two:

Create a TXT entry on your domain with these settings:

  • Type: TXT
  • Host: _DMARC
  • TXT Value: (The DMARC record you have already generated)
  • TTL: 1 hour

DMARC Tools

There are multiple DMARC vendors that can help organizations to gain greater insights from their DMARC reports, deploy DMARC more easily, and gain more control over DMARC policies. These tools are used by organizations of all sizes to make implementing DMARC easier, and to better manage DMARC policies and reporting. There are a number of different tools and use cases for DMARC. This includes free tools that will generate DMARC reports for your organization, and enterprise solutions that offer email visibility and governance across email channels.

Joel Witts

Content Director

LinkedIn Email
Joel Witts is the Content Director at Expert Insights, meaning he oversees all articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel is a co-host of the Expert Insights Podcast and conducts regular interviews with leading B2B tech industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.