DMARC Solutions For Business: Everything You Need To Know (FAQs)
What Is DMARC And How Does It Work?
Domain-Based Message Authentication Reporting and Conformance (DMARC) is a method of verifying the authenticity of email communication by confirming that emails are sent from legitimate domains. Its purpose is to prevent cyber-criminals from impersonating your company’s domain through email, a tactic known as domain spoofing. Email service providers, such Google and Microsoft, generate DMARC reports for all incoming emails, providing valuable information about the IP addresses used to send emails from your domains.
DMARC works by using “identifier alignment” to corroborate an email’s authenticity. In order to do this, it will use SPF and/or DKIM to decide if an email should be accepted or rejected. DMARC does not require both SPF and DKIM to return a verified identification – one approved verification is enough. By combining the two protocols, DMARC can reduce the number of false negatives – this is where a valid email is identified as being fraudulent. Simply put, DMARC gives two opportunities for an email to prove that it is genuinely from whom it appears to be.
DMARC incorporates two email authentication techniques: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).
What Is SPF?
Sender Policy Framework (SPF) is an email-authentication technique employed to prevent cyber-criminals from using your domain to send mass spam emails. By implementing SPF, organizations can designate authorized mail servers, which inform receiving systems about the trustworthiness of the email’s origin. SPF leverages Domain Name Service (DNS) to enable users to specify which email servers are permitted to send emails from their domains.
What Is DKIM?
Domain Keys Identified Mail (DKIM) is an email authentication technique that allows recipients to verify that emails were sent and authorized by the domain owner. This safeguard helps users avoid falling victim to phishing scams that impersonate well-known email domains. DKIM assigns a digital signature to legitimate email messages, which is encrypted and attached to the emails.
DMARC Policy Configurations
Without going into the specific details of how to code for a specific DMARC policy option, it is worth explaining the options that are on offer. The protocol was designed to be easy to be implement by domain owners from a broad range of backgrounds – it is therefore versatile and simple.
This policy option is purely for monitoring email traffic and collecting data on the validation rates. This information is fed into a report for admins and domain owners to decide if their SPF and DKIM identifiers should be more specific. If an email fails the DMARC validation, there will be no remediation action; the email will be allowed to enter the intended inbox without being blocked or sent to spam. This type of policy would be used when first setting up DMARC to understand positive and false positive rates before implementing a remediation policy (this prevents too many valid emails being regarded as fraudulent and rejected).
With this policy enabled, any emails that fails the DMARC check will be automatically placed in the recipient’s spam folder. By quarantining the emails in this way, emails that cannot be verified will not enter the user’s main inbox, thereby reducing the risk of engaging with malicious content. Users are still able to access the emails via their spam folder, yet they will be acutely aware of the risk associated with the content of these emails.
Any email that fails the DMARC checks will be rejected and will not end up in the recipient’s inbox. This is the tightest level of control offered by DMARC and can further reduce the risk of your domain being used to disseminate spoofing emails. The potential downside to this policy is that any email that fails the test will be removed; this does not, however, mean that the test is always 100% accurate. It is through analysis gained from a p=none policy that admin can understand the pass/fail rates and decide if they want to enact a reject policy. If the pass/fail rate is incorrect, valid emails could automatically be rejected without the user’s knowledge. Analysis reports will still be produced whilst a p=reject policy is operational; this allows the admin to make ongoing tweaks and changes.
Percentage Tag (pct=%)
A percentage tag can be added to any of the actionable policies already listed (p=none, p=quarantine, or p=reject). For example, if a pct=25 tag is added to a p=quarantine policy, only 25% of the emails that fail the DMARC check will be quarantined. The other 75% can either be rejected or face no remediation. The benefit of this tag is that you can gradually roll out newer policies (by adjusting the percentage of emails that are affected) whilst monitoring the reject/accept rates. You can continue to monitor rejection rates, whilst shifting to more robust remediation, without the risk of many of your emails being incorrectly identified, and therefore having the wrong remediation enacted.
Benefits Of Using DMARC
DMARC benefits both the domain owner and the email recipients by coordinating the methods for verifying email authenticity. Here are some of the main reasons your business might want to consider implementing a DMARC solution:
DMARC allows organizations to play a proactive role in deciding how failed authentications should be treated. Admins have an insight into email acceptance rates and can therefore adjust their policies and identifiers to achieve the balance between security and email acceptance.
Maintain Brand Identity
By reducing a malicious actor’s ability to impersonate your brand, you can ensure that only valid messages are associated with your company. You can be sure that any time a user thinks they are interacting with your brand, they actually are. This ensures that users are engaged and confident in responding to your emails, rather than having to worry about the risk of phishing.
Enhance DKIM And SPF
DKIM and SPF alone offer specific, but not comprehensive email authentication. For example, DKIM does not analyze the “from” domain – this is the address that will appear to the user. Just because this address appears to be from a specific domain, there are no checks, and this address can be spoofed. DMARC resolves this issue by checking that the visible domain address is the same as the domains that have already been verified as part of the DMARC checks (SPF or DKIM). This ensures that an email’s advertized identity is verified and is consistent with its origin.
How does DMARC validation work?
The DMARC standard is based on SPF and DKIM, existing email standards. These standards were initially used to protect domains from domain spoofing, but they became increasingly easy for cyber-criminals to circumvent.
To better protect domains, DMARC combines the authentication mechanisms for SPF & DKIM. To pass DMARC validation, an email must pass either SPF authentication and alignment or DKIM authentication and alignment. If an email doesn’t fully pass one of these checks, it will fail DMARC validation.
What is a DMARC Record?
The DMARC record is where you decide variables, like your preferred DMARC policy, which decides how your emails that fail DMARC validation will be handled. The DMARC record tells email receivers that you have implemented DMARC, and the desired policy you with you use. Once the DMARC record is implemented, you will be also be able receive reports, which we will cover in more detail in the next section. In the DNS Record, you will choose where you want the reports to be sent.
Once your DMARC Record has been set up, your ISP will provide Aggregate (RUA) and Forensic (RUG) DMARC reports daily. Here is a brief rundown of these reports:
Aggregate DMARC Reports
Aggregate DMARC reports provide information about the authentication status of emails sent by your domains. They are sent daily, in an XML file-format. Aggregate DMARC reports don’t contain any information about the emails themselves, but instead give information about who sent email messages. This includes the sender’s IP address, the number of messages sent, DKIM/SPG authentication and more. This helps you to identify if malicious emails are being sent from their domains.
Forensic DMARC Reports
Forensic DMARC reports are generated by ISPs when an email fails DMARC authentication, so it could potentially be malicious. They are more detailed than daily Aggregate DMARC Reports. The DMARC forensic reports include additional information to the aggregate reports, including information like the subject line and header information of sent emails. This also includes who the email was sent from and to, any included links and attachment information. It is also possible to see the entire email message.
How to implement a DMARC record
Once you have set up your SPF and DKIM, you are ready to set up DMARC. To get started with DMARC, you must implement a DMARC Record. Here is a quick guide to implementing a DMARC record.
Step One) Find the business domain/domains that you wish to implement DMARC.
Find the domain with which you want to implement DMARC. If your company email address is [email protected], than your domain is yourcompany.com.
Step Two) Generate a DMARC record.
If you are using Office 365, you can find out more about setting up DMARC here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
Alternatively, there are a number of DMARC tools available that allow organizations to quickly create a DMARC record. In the next section, we’ll outline some of these vendors and the approaches that they take.
Step Three) Publish the DMARC Record
To publish the DMARC record, you must publish it to the Domain Name System (DNS). Take these steps:
Log in to the DNS management console, and select your domain.
Create a TXT entry on your domain with these settings:
TXT Value: (The DMARC record you have already generated)
TTL: 1 hour
There are multiple DMARC vendors that can help organizations to gain greater insights from their DMARC reports, deploy DMARC more easily, and gain more control over DMARC policies. These tools are used by organizations of all sizes to make implementing DMARC easier, and to better manage DMARC policies and reporting. There are a number of different tools and use cases for DMARC. This includes free tools that will generate DMARC reports for your organization, and enterprise solutions that offer email visibility and governance across email channels.