Cybercrime is a common concern for organizations, one that threatens them with the possibility of financial loss, reputational damage, legal fines, and disruption to operations. Any of these can seriously impact the business. In today’s cyber climate it is not only the largest organizations in high profile sectors that must protect themselves – any organization might find themselves on the receiving end of an attack and must be prepared.
DMARC is all about preventing cybercrime by ensuring that correspondence that appears to be from you actually is from you. It is as much about creating a secure and safe cyber environment; one where your brand is not misused to trick users into sharing information.
DMARC can help to prevent email spoofing, phishing, and domain impersonation attacks. Without DMARC, cybercriminals can forge a company’s email domain to send fraudulent messages, tricking recipients into sharing sensitive information or downloading malware. Enforcing DMARC allows organizations to block unauthorized senders from using their domain, significantly reducing the risk of email-based threats.
What Is DMARC, And What Does It Do?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance, and is an email authentication mechanism that works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). DMARC is an email protocol that, when published for a domain, defines the correct response to a message that fails authentication tests. This happens when a recipient server can’t verify that a message’s sender is who they claim to be.
Through the SPF and DKIM checks, messages which appear to be from the sender’s domain can be verified by the recipient’s mail server. Setting a DMARC policy tells recipient mail servers what they should do if they receive mail that claims to be coming from you but shows indicators of spoofing. Responses include email quarantine and outright rejection.
Unsecured messages are unfortunately very easy to spoof, and cyber criminals are constantly finding increasingly sophisticated and lucrative ways to utilize email scams. DMARC helps senders and recipients to work together to better safeguard email and reduce the number of spoofing, phishing, and spam attacks.
Anatomy Of A DMARC Policy
A DMARC policy consists of specific rules that define how email servers should handle messages that fail authentication checks. It is set up using a DNS TXT record and includes several key components:
- DMARC policies are published in the domain’s DNS zone as a specially formatted TXT record. This record is made up of several tags separated by semicolons.
- DMARC policies always start with the v tag set as v=DMARC1. This is currently the only version of DMARC that exists, but that could change in the future.
  - The v tag is required to go first, and the p tag has to go second.
  - The string DMARC1 has to be in all capital letters, but the rest of the record is not case-sensitive.
- The p tag sets the policy you want applied to unauthenticated emails from your domain. There are three possible actions:
  - None: does nothing with the affected email (p=none)
  - Quarantine: sends the unauthenticated message to junk / spam (p=quarantine)
  - Reject: bounces the unauthenticated message (p=reject)
- The rua tag tells mail servers which email address to send DMARC aggregate reports to. (optional)
- The ruf tag tells mail servers which email address to send DMARC forensic/failure reports to. (optional)
  - The aggregate and failure reports are XML files generated by recipient mail servers. These reports contain forensic information about emails received from your domain.
  - The parameter for the rua and ruf tags is formatted as mailto:[email protected]
  - If these tags are missing, then no reports will be sent.
- The pct tag specifies what percentage of mail from your domain will have DMARC enforced by recipient mail servers. (optional)
  - Leaving this tag out of a DMARC policy defaults to 100% enforcement. However, setting this to a smaller percentage of mail and increasing it over time can be useful for rolling out DMARC gradually.
- There are also other optional tags, which allow organizations to fine-tune their DMARC enforcement or reporting preferences.
  - For example, the sp tag (short for “subdomain policy”) works like the p tag to set an enforcement action for any subdomains of your primary domain.
As a basic example, this is what google.com’s DMARC record looks like:
v=DMARC1; p=reject; rua=mailto:[email protected]
This record tells recipient mail servers to:
- Reject any mail that claims to be from google.com, but fails authentication checks
- Send aggregate reports to the address [email protected]
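The record rules listed above are easy to get subtly wrong when hand-editing DNS (a lower-case dmarc1, a pct tag placed before p, a rua address without the mailto: scheme). The following parser is an added example, not code from the original article: it checks exactly the rules the section states (v=DMARC1 first and case-sensitive, p second, the three p/sp actions, mailto: URIs for rua/ruf, pct defaulting to 100) and reports the first defect it finds. The tag names are the real DMARC ones; the report addresses in the samples are constructed placeholders.

```python
"""Parse and sanity-check a DMARC TXT record.

Added example (not code from the original article). Encodes the record rules
described in the text: tags are key=value pairs separated by semicolons,
v=DMARC1 must come first (DMARC1 is the one case-sensitive token), p must come
second, p and sp take none/quarantine/reject, rua/ruf take mailto: URIs, and
pct defaults to 100. Sample addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POLICY_ACTIONS = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str                                          # p
    subdomain_policy: str                                # sp (defaults to p)
    pct: int = 100                                       # pct (default 100)
    rua: List[str] = field(default_factory=list)         # aggregate report URIs
    ruf: List[str] = field(default_factory=list)         # failure report URIs
    extra: Dict[str, str] = field(default_factory=dict)  # other tags, kept verbatim


def _split_tags(record: str) -> List[Tuple[str, str]]:
    """Split 'k=v; k=v;' into (key, value) pairs; keys are lower-cased."""
    pairs = []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate a trailing ';'
        if "=" not in chunk:
            raise ValueError(f"malformed tag (no '='): {chunk!r}")
        key, value = chunk.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def _parse_uris(value: str, tag: str) -> List[str]:
    """rua/ruf hold comma-separated mailto: URIs; an optional '!size' suffix is stripped."""
    uris = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"{tag} must use a mailto: URI, got {uri!r}")
        uris.append(uri.split("!", 1)[0])
    return uris


def parse_dmarc(record: str) -> DmarcRecord:
    """Return a DmarcRecord, or raise ValueError describing the first defect."""
    tags = _split_tags(record)
    if not tags or tags[0][0] != "v":
        raise ValueError("record must start with the v tag")
    if tags[0][1] != "DMARC1":  # the one case-sensitive token in the record
        raise ValueError(f"unsupported version {tags[0][1]!r} (expected DMARC1)")
    if len(tags) < 2 or tags[1][0] != "p":
        raise ValueError("p tag must immediately follow the v tag")

    policy = tags[1][1].lower()  # rest of the record is case-insensitive
    if policy not in POLICY_ACTIONS:
        raise ValueError(f"p must be one of {POLICY_ACTIONS}, got {policy!r}")
    rec = DmarcRecord(policy=policy, subdomain_policy=policy)

    for key, value in tags[2:]:
        if key == "sp":
            if value.lower() not in POLICY_ACTIONS:
                raise ValueError(f"sp must be one of {POLICY_ACTIONS}, got {value!r}")
            rec.subdomain_policy = value.lower()
        elif key == "pct":
            if not value.isdigit() or not 0 <= int(value) <= 100:
                raise ValueError(f"pct must be an integer 0-100, got {value!r}")
            rec.pct = int(value)
        elif key == "rua":
            rec.rua = _parse_uris(value, "rua")
        elif key == "ruf":
            rec.ruf = _parse_uris(value, "ruf")
        elif key in ("v", "p"):
            raise ValueError(f"duplicate {key} tag")
        else:
            rec.extra[key] = value  # adkim, aspf, fo, rf, ri, ... left for the caller
    return rec


def dmarc_error(record: str) -> Optional[str]:
    """The error message for a bad record, or None if it parses cleanly."""
    try:
        parse_dmarc(record)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample in the same shape as the google.com record quoted above.
    sample = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    print(parse_dmarc(sample))
    for bad in ("v=dmarc1; p=none", "p=none; v=DMARC1", "v=DMARC1; pct=50; p=none"):
        print(f"{bad!r:35} -> {dmarc_error(bad)}")
```

Running it against a domain's actual record (after fetching the TXT record at _dmarc.<domain>) is a quick pre-publication check; the `extra` field keeps tags the parser does not validate so nothing is silently dropped.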
How Does Authentication With DMARC Work?
Whenever a mail server receives an email that claims to be from a domain, the server will check if that domain has a DMARC record published. If the domain owner has a valid DMARC record, then the recipient mail server will check SPF and DKIM for the received mail. The DMARC result is determined by both authentication and alignment on SPF and DKIM.
Passing SPF means that the sending IP address is listed as an allowed sending source in the domain’s SPF record, and passing DKIM means that the email carries a valid digital signature. SPF alignment means that the MailFrom/return-path domain matches the From domain, and DKIM alignment means that the domain in the DKIM signature’s d= tag matches the From domain.
If an email fails DMARC authentication checking, the recipient’s mail server will apply the action outlined in the sending domain’s DMARC policy (None, Quarantine, or Reject).
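The evaluation just described, as an added example that is not part of the original article: it takes the SPF and DKIM results a receiver has already computed, checks alignment of each against the visible From domain, and maps the outcome to the sending domain's policy. Per the DMARC specification, one aligned pass (SPF or DKIM) is enough for the message to pass. The relaxed/strict alignment modes, the organizational-domain helper (a simplification that ignores the public suffix list) and the pct sampling step are assumptions of this example, and the sample domains are constructed.

```python
"""Evaluate the DMARC verdict for one received message.

Added example, not code from the original article. Applies the rule described
in the text: SPF passes and its MailFrom domain aligns with the From domain,
or DKIM passes and its d= domain aligns; otherwise the domain's policy
(none/quarantine/reject) is applied. Alignment modes, the organizational-domain
helper and pct sampling are this example's assumptions; domains are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY = ["none", "quarantine", "reject"]  # ordered least to most severe


def organizational_domain(domain: str) -> str:
    """Last two labels of the domain. Simplification: real receivers use the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str = "relaxed") -> bool:
    """Relaxed: same organizational domain. Strict: exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "strict":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str            # domain of the visible From: header
    spf_result: str             # "pass", "fail", "none", ...
    spf_domain: Optional[str]   # MailFrom / return-path domain SPF was checked for
    dkim_result: str
    dkim_domain: Optional[str]  # d= tag of the DKIM-Signature header, if any


def dmarc_pass(r: AuthResults, aspf: str = "relaxed", adkim: str = "relaxed") -> bool:
    """DMARC passes when at least one of SPF/DKIM both passes and aligns."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: str, pct: int = 100, sample_bucket: int = 0,
                aspf: str = "relaxed", adkim: str = "relaxed") -> str:
    """'pass' if DMARC passes; otherwise the action to apply.

    pct sampling (assumed here as the DMARC spec describes it): a failing
    message is enforced only if sample_bucket (0-99, drawn at random by a real
    receiver) is below pct; otherwise the next less severe policy applies,
    which is what makes pct useful for a gradual rollout.
    """
    if dmarc_pass(r, aspf, adkim):
        return "pass"
    if sample_bucket < pct:
        return policy
    return SEVERITY[max(SEVERITY.index(policy) - 1, 0)]


if __name__ == "__main__":
    # Constructed: legitimate mail with an aligned SPF pass, DKIM absent.
    legit = AuthResults("example.com", "pass", "bounce.example.com", "fail", None)
    # Constructed: mail that passes SPF/DKIM for a different domain than the From header,
    # the unaligned case DMARC exists to catch.
    unaligned = AuthResults("example.com", "pass", "mail.example.net", "pass", "example.net")
    for name, msg in (("legit", legit), ("unaligned", unaligned)):
        print(f"{name:10} -> {disposition(msg, 'reject')}")
```

The `unaligned` case is the one to keep in mind when reading DMARC reports: SPF and DKIM can both report "pass" for some domain while DMARC still fails, because neither authenticated identifier matches the From domain the recipient actually sees.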
Is DMARC Really Necessary?
In short: Yes.
Google and Yahoo started requiring DMARC authentication for bulk senders in February 2024. This means that failing to use DMARC properly can impact deliverability to recipients that use Yahoo Mail, Gmail, or Google Workspace. DMARC is increasingly becoming a requirement as part of compliance frameworks, especially for organizations working with sensitive data.
DMARC improves email security by ensuring that only legitimate senders can use a domain, which helps to reduce the chances of fraudulent emails managing to reach recipients. It also provides detailed reports that allow organizations to monitor and improve their email authentication policies, resulting in better protection for their brand and users against email-based threats.
Use Cases For DMARC
Some common use cases for DMARC include the following:
- Anti-spoofing protection: If a malicious actor does attempt to spoof your domain for malicious purposes, having a DMARC policy set to “quarantine” or “reject” prevents recipient mail servers from delivering those spoofed messages.
- Improved email deliverability: When sent emails are authenticated properly, it in turn becomes less likely that legitimate mail will be flagged as spam, bounced, or sent to the junk folder.
- Maintain domain and brand reputation: In a world where multiple factors are considered when deciding if an email is malicious or not, DMARC can be an invaluable tool for identifying legitimate mail. Many cyber insurance policies also require organizations to have DMARC in place as a precaution. Poorly implemented authentication checking can increase the risk of attacks.
For information on specific DMARC solutions that might suit your organization, read these articles from Expert Insights: