DMARC is one of the top ways that organizations can protect themselves from domain spoofing, phishing scams and other email-based cyber-attacks. But how does DMARC work?
The DMARC standard was developed in 2012 by many industry leading organizations including PayPal, Google, Microsoft and Yahoo! Each of these domains are very commonly spoofed by cybercriminals, leading to them wanting to implement a way for organizations to verify the legitimacy of email senders. DMARC leverages existing email authentication techniques to protect businesses from spoofed domians.
Despite the security benefits, many small businesses are not
familiar with DMARC and the benefits it can offer. Here, we’ll explain
everything you need to know about DMARC in one easy guide. Let’s get into it!
What is DMARC?
Domain-Based Message Authentication Reporting and Conformance is a method of validating that emails are being sent from genuine domains. It’s designed to help organizations stop cyber-criminals from impersonating your company’s domain via email, a technique known as domain spoofing. Email providers like Gmail and Office 365 generate DMARC reports on all of the emails they receive. These reports provide insights into all the IP addresses that are sending emails from your domains. With DMARC tools, these reports can help organizations spot cyber-criminals that use these domains to send out spam and phishing attacks, that appear to be from your domains.
DMARC uses email authentication techniques SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). Here are is a brief rundown of SPF and DKIM for those unfamiliar:
What is SPF?
The Sender Policy Framework is an email-authentication technique which is used to stop cyber-criminals using your domain to send out mass spam emails. Using SPF, an organization is able to publish authorised mail servers, which tells receiving systems how trustworthy the origin of an email is. SPF uses DNS (Domain Name Service) to give users the ability to specify which email servers are permitted to send emails from your domains.
What is DKIM?
DKIM (Domain Keys Identified Mail) is an email authentication technique that allows receivers to ensure that emails were sent and authorized by the owner of the domain the email was sent by. This helps users to avoid phishing scams that impersonate well known email domains. This is done by giving emails a digital DKIM Signature, which is added to genuine email messages and encrypted.
What are the benefits of implementing DMARC?
DMARC protects your brand and your clients from
cyber-criminals sending out malicious emails that spoof your domain. It’s
likely everyone reading this guide will have received a spoofed email at some
point. Cyber-criminals use domains from reputable businesses to try and trick
users into clicking malicious links, or giving up sensitive account
DMARC helps organizations prevent this misuse of their domains, by giving organizations more visibility into their email channels. Based on this enhanced visibility, organizations can implement DMARC policies to help them manage email sent from their domains. These policies allow you to monitor, quarantine or block emails that fail DMARC validation. We’ll cover these policies and how DMARC validation works in more depth later in this guide.
Implementing DMARC improves your email security, by helping email receivers to stop phishing attacks against customers and employees, and stop brand abuse and scams that appear to come from your domains. DMARC also adds important reporting functionality. When DMARC is implemented, you will receive DMARC reports which can be used to get detailed information about emails. We’ll cover these reports in more depth later in this article.
In addition, DMARC helps with your email deliverability. Using DMARC means that emails correctly set-up and authenticated will not be marked as spam or malware by email receivers. This helps to increase the likelihood of your email communications being seen by recipients, rather than ending up in the junk or spam folder.
How does DMARC validation work?
As we mentioned, the DMARC standard is based on SPF and DKIM, existing email standards. These standards were initially used to protect domains from domain spoofing, but they became increasingly easy for cyber-criminals to circumvent.
To better protect domains, DMARC combines the authentication mechanisms for SPF & DKIM. To pass DMARC validation, an email must pass either SPF authentication and alignment or DKIM authentication and alignment. If an email doesn’t fully pass one of these checks, it will fail DMARC validation.
What is a DMARC Record?
The DMARC record is where you decide variables, like your preferred DMARC policy, which decides how your emails that fail DMARC validation will be handled. The DMARC record tells email receivers that you have implemented DMARC, and the desired policy you with you use. Once the DMARC record is implemented, you will be also be able receive reports, which we will cover in more detail in the next section. In the DNS Record, you will choose where you want the reports to be sent.
Once your DMARC Record has been set up, your ISP will provide Aggregate (RUA) and Forensic (RUG) DMARC reports daily. Here is a brief rundown of these reports:
Aggregate DMARC Reports
Aggregate DMARC reports provide information about the authentication status of emails sent by your domains. They are sent daily, in an XML file-format. Aggregate DMARC reports don’t contain any information about the emails themselves, but instead give information about who sent email messages. This includes the sender’s IP address, the number of messages sent, DKIM/SPG authentication and more. This helps you to identify if malicious emails are being sent from their domains.
Forensic DMARC Reports
Forensic DMARC reports are generated by ISPs when an email fails DMARC authentication, so it could potentially be malicious. They are more detailed than daily Aggregate DMARC Reports. The DMARC forensic reports include additional information to the aggregate reports, including information like the subject line and header information of sent emails. This also includes who the email was sent from and to, any included links and attachment information. It is also possible to see the entire email message.
By setting up a DMARC record, organizations can implement
policies which decide what to do with emails that fail DMARC authentication.
These policies tells ISPs what to do with emails that are potentially
malicious, because they have failed to align with SPF and SKIM records.
There are 3 DMARC policies organizations can implement: Monitor, Quarantine, Reject. There is also a percentage tag policy, which organizations can apply.
Monitor Policy (p=none)
The first policy simply monitors incoming email to check if they are passing DMARC validation. The policy instructs email receivers to send DMARC reports to email addresses specified when you set up your DMARC record. This policy allows you to monitor your emails, and gain insights into your email channels. It does not do anything with emails that fail the DMARC check, other than notify you about them.
Quarantine Policy (p=quarantine)
The quarantine policy puts any emails that fail DMARC checks into the spam folders of the recipient automatically. This means that if malicious emails are sent from your domains, it goes straight to Spam rather than the main inbox, helping to protect the user. This helps to reduce the threat of domain spoofing, but does not stop the emails being delivered entirely.
Reject Policy (p=reject)
The reject policy instructs email receivers not to accept any emails that fail DMARC checks. This means any emails that are sent from spoofed domains will not be delivered to the intended recipient. Emails that do pass DMARC validation will be delivered as normal to the users inbox. This policy is designed to stop email spoofing entirely. However, it will also mean that any incorrectly setup emails will be deleted by email servers, and will not be delivered to inboxes.
Percentage Tag Policy (p+quarantine; pct=01)
The DMARC Percentage tag policy is used to tell receiving mail service what percentage of emails that fail DMARC validation should be blocked. The value that you choose in the PCT block can be anywhere from 1% to 99%. The value of only blocking a small percentage of email that fails DMARC is that it allows you to gradually test quarantining emails. This ensures that any delivery issues with DMARC can be sorted out early on, without stopping hundreds of emails being delivered.
How to implement a DMARC record
Once you have set up your SPF and DKIM, you are ready to set
up DMARC. To get started with DMARC, you must implement a DMARC Record. Here is
a quick guide to implementing a DMARC record.
Step One) Find the business domain/domains that you wish to
Find the domain with which you want to implement DMARC. If
your company email address is [email protected],
than your domain is yourcompany.com.
Step Two) Generate a DMARC record.
If you are using Office 365, you can find out more about
setting up DMARC here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
Alternatively, there are a number of DMARC tools available
that allow organizations to quickly create a DMARC record. In the next section,
we’ll outline some of these vendors and the approaches that they take.
Step Three) Publish the DMARC Record
To publish the DMARC record, you must publish it to the Domain Name System (DNS). Take these steps:
Log in to the DNS management console, and select your domain.
Create a TXT entry on your domain with these settings:
- Type: TXT
- Host: _DMARC
- TXT Value: (The DMARC record you have already generated)
- TTL: 1 hour
There are multiple DMARC vendors that can help organizations to gain greater insights from their DMARC reports, deploy DMARC more easily, and gain more control over DMARC policies. These tools are used by organizations of all sizes to make implementing DMARC easier, and to better manage DMARC policies and reporting. There are a number of different tools and use cases for DMARC. This includes free tools that will generate DMARC reports for your organization, and enterprise solutions that offer email visibility and governance across email channels.