Domain-based Message Authentication, Reporting and Conformance (abbreviated to DMARC for obvious reasons) is a protocol for authenticating emails. It was created by PayPal in 2007, with Yahoo! Mail and Gmail coming on board shortly afterwards. DMARC is a way of checking that an email is from who it is purportedly from, thereby reducing the prevalence of malicious, spoofed mail. Rather than directly protecting your own network, DMARC is a way of protecting other, external, users from people impersonating your brand.
DMARC works by using “identifier alignment” to corroborate an email’s authenticity. In order to do this, it will use SPF and/or DKIM to decide if an email should be accepted or rejected. DMARC does not require both SPF and DKIM to return a verified identification – one approved verification is enough. By combining the two protocols, DMARC can reduce the number of false negatives – this is where a valid email is identified as being fraudulent. Simply put, DMARC gives two opportunities for an email to prove that it is genuinely from whom it appears to be.
But how exactly does DMARC work, and what are some of the benefits of implementing a DMARC solution?
To answer that question, you first need to understand how SPF and DKIM work.
What Are SPF And DKIM?
Sender Policy Framework (SPF)
SPF is a means of verifying that emails are valid and authentic by publishing a publicly available TXT record – i.e., an “SPF record” – in your Domain Name System (DNS) zone. In this record, your organization lists the key identifiers of its authentic emails: the IP addresses and any domains that are authorized to send mail on its behalf.
When receiving an email, the recipient’s mail server can look up the SPF record in DNS and decide whether the email is genuine or fraudulent. The result of this decision influences how the user’s mailbox responds: the email could be rejected, quarantined, flagged, or delivered to the mailbox with no remediation. SPF is, however, unable to report the pass/fail rates back to the domain owner – this is something that DMARC can do.
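To show what a receiving server actually does with such a record, here is an added Python example (not code from the original article) that parses a constructed SPF record and evaluates a sender IP against its ip4/ip6/include/all mechanisms. The `includes` table is an assumption standing in for DNS lookups of included domains; mechanisms that need live DNS (a, mx, exists) are treated as no-match.

```python
import ipaddress

# Constructed sample SPF record for an example domain (not a real published record).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return the mechanism terms of an SPF record, rejecting anything that is not v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def evaluate_spf(record, sender_ip, includes=None):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip against the record.

    `includes` is an assumed dict {included domain: its SPF record} used instead of DNS.
    """
    includes = includes or {}
    ip = ipaddress.ip_address(sender_ip)
    for term in parse_spf(record):
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            try:
                # An IPv4 address never matches an IPv6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                matched = False
        elif mech == "include":
            # The included domain's record is evaluated recursively; only a "pass" matches.
            sub_record = includes.get(arg.lower())
            matched = sub_record is not None and evaluate_spf(sub_record, sender_ip, includes) == "pass"
        elif mech == "all":
            matched = True
        # a, mx, exists, ptr would require live DNS and are treated as no-match here.
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched and no "all" term
```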
DomainKeys Identified Mail (DKIM)
DKIM is a way of verifying an email’s authenticity through the addition of a specific, recognizable element in the message header. As with SPF, a public record is created – in this case, a public key is published in DNS so that the email’s signature can be verified. A recipient mailbox can look for this signature and check that it is valid. DKIM is like adding a watermark to an email.
Specifically, the DKIM header lists which elements of the email are covered by the signature in authentic communications from the organization. This might include the body of the message and the default headers – once signed, these elements cannot be changed, otherwise the validation will fail. The header carries a signed hash of these elements, which the receiving mailbox can verify using the published public key. DKIM can therefore also be used to identify whether the email has been altered whilst in transit.
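The “altered in transit” check rests on the body hash (the bh= tag) in the DKIM-Signature header. This added Python example, not from the original article, computes that hash with the “simple” body canonicalization and checks it against a constructed header; the b= tag (the signature over the headers) is left as a placeholder because verifying it needs the domain’s public key from DNS.

```python
import base64
import hashlib


def simple_body_canon(body: bytes) -> bytes:
    """'simple' body canonicalization: CRLF line endings, trailing empty lines removed,
    exactly one CRLF at the end (an empty body becomes a single CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.new(algo, simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_signature(header: str) -> dict:
    """Split a DKIM-Signature header value into its tags, dropping folding whitespace."""
    tags = {}
    for part in header.replace("\r\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    """True if the bh= tag matches the body as received; False means the body was altered."""
    tags = parse_dkim_signature(dkim_header)
    algo = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    return tags.get("bh") == body_hash(body, algo)


# Constructed sample body and a DKIM-Signature header built from it (not a real message).
SAMPLE_BODY = b"Hello,\r\n\r\nYour order has shipped.\r\n\r\n\r\n"
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; "
               "h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER_SIGNATURE")
```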
How DMARC Works
DMARC uses DKIM and SPF procedures to check if an email is as authentic as it appears. This allows recipient mailboxes to check if an email carries the hallmarks of valid communication. If an email can be corroborated by SPF or DKIM, it will be allowed to enter the end-user’s inbox. If it fails, however, DMARC explains how the fraudulent email should be treated: either rejected, quarantined (spam folder), or accepted regardless.
Part of the appeal of DMARC is that the domain authenticated by SPF or DKIM must be aligned with the “from” header address. This ensures that the stated sender address matches the domain that SPF or DKIM actually verified. If the SPF-authenticated domain, for example, does not align with the “from” header address, the email will fail the DMARC check.
Initially, you will want to set up DMARC in “monitor mode” (p=none). We’ll go through this in more detail further on. This type of policy will produce compliance reports, giving you data on the rates that emails are accepted, rejected, and quarantined by the DMARC checks. These reports can be analyzed to ensure that rejection/acceptance rates are accurate. If they are not accurate, you will need to alter the information provided in the SPF public records. This ensures that DMARC has enough information to identify authentic mail.
Once you (the domain owner) are satisfied that your emails are authenticated consistently enough, the DMARC response policy can be changed. Rather than p=none (which provides no remediation), p=reject or p=quarantine can be used. These policies tell receiving servers how to respond to a failed DMARC check. Rather than finding their way into user inboxes, fraudulent emails can be rejected or sent to the spam folder. By taking these emails out of general circulation, you protect end-users and ensure that your brand doesn’t become associated with nuisance emails.
Domain owners will aim to employ the reject policy as this prevents unauthorized accounts from using the domain – though their emails will need to be authenticated at an acceptable rate for this to happen. This will greatly reduce the instances where your organization’s domain is used as part of a spam or phishing campaign, thereby ensuring that users are kept safe, and your domain retains its brand authority.
DMARC Policy Configurations
Without going into the specific details of how to write a particular DMARC policy option, it is worth explaining the options that are on offer. The protocol was designed to be easy to implement by domain owners from a broad range of backgrounds – it is therefore versatile and simple.
Monitoring (p=none)
This policy option is purely for monitoring email traffic and collecting data on the validation rates. This information is fed into a report for admins and domain owners to decide if their SPF and DKIM identifiers should be more specific. If an email fails the DMARC validation, there will be no remediation action; the email will be allowed to enter the intended inbox without being blocked or sent to spam. This type of policy would be used when first setting up DMARC to understand positive and false positive rates before implementing a remediation policy (this prevents too many valid emails being regarded as fraudulent and rejected).
Quarantine (p=quarantine)
With this policy enabled, any email that fails the DMARC check will be automatically placed in the recipient’s spam folder. By quarantining the emails in this way, emails that cannot be verified will not enter the user’s main inbox, thereby reducing the risk of engaging with malicious content. Users are still able to access the emails via their spam folder, yet they will be acutely aware of the risk associated with the content of these emails.
Reject (p=reject)
Any email that fails the DMARC checks will be rejected and will not end up in the recipient’s inbox. This is the tightest level of control offered by DMARC and can further reduce the risk of your domain being used to disseminate spoofed emails. The potential downside to this policy is that any email that fails the test will be discarded, even though the test is not always 100% accurate. It is through the analysis gained from a p=none policy that admins can understand the pass/fail rates and decide whether they want to enact a reject policy. If the pass/fail rate is incorrect, valid emails could automatically be rejected without the user’s knowledge. Analysis reports will still be produced whilst a p=reject policy is operational; this allows the admin to make ongoing tweaks and changes.
Percentage Tag (pct=%)
A percentage tag can be added to any of the actionable policies already listed (p=none, p=quarantine, or p=reject). For example, if a pct=25 tag is added to a p=quarantine policy, only 25% of the emails that fail the DMARC check will be quarantined. The other 75% can either be rejected or face no remediation. The benefit of this tag is that you can gradually roll out newer policies (by adjusting the percentage of emails that are affected) whilst monitoring the reject/accept rates. You can continue to monitor rejection rates, whilst shifting to more robust remediation, without the risk of many of your emails being incorrectly identified, and therefore having the wrong remediation enacted.
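To tie the alignment check from “How DMARC Works” to the policy and pct tags described in this section, here is an added Python example (not code from the original article) that parses a constructed DMARC record, tests SPF and DKIM alignment against the From domain, and returns the disposition. The organizational-domain helper is a simplification (real verifiers use the Public Suffix List), `sample` stands in for the receiver’s random pct draw, and messages outside the pct sample get the next less severe action, which is the rule RFC 7489 specifies.

```python
# Constructed sample DMARC record for example.com (not a real published record).
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=25; adkim=r; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into its tags and fill in the defaults for missing ones."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("pct", "100")   # apply the policy to every failing message unless told otherwise
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (a Public Suffix List is the real rule)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample=0):
    """Return 'pass', or the action to apply to a failing message: 'none', 'quarantine' or 'reject'.

    `sample` (0-99) stands in for the receiver's random draw used to honour the pct tag.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:           # one aligned, passing identifier is enough
        return "pass"
    policy = tags["p"]
    if sample >= int(tags["pct"]):
        # Outside the pct sample: apply the next less severe action (reject -> quarantine -> none)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy
```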
Benefits Of Using DMARC
DMARC benefits both the domain owner and the email recipients by coordinating the methods for verifying email authenticity. Here are some of the main reasons your business might want to consider implementing a DMARC solution:
Standardized Remediation
DMARC allows organizations to play a proactive role in deciding how failed authentications should be treated. Admins have an insight into email acceptance rates and can therefore adjust their policies and identifiers to achieve the balance between security and email acceptance.
Maintain Brand Identity
By reducing a malicious actor’s ability to impersonate your brand, you can ensure that only valid messages are associated with your company. You can be sure that any time a user thinks they are interacting with your brand, they actually are. This ensures that users are engaged and confident in responding to your emails, rather than having to worry about the risk of phishing.
Enhance DKIM And SPF
DKIM and SPF alone offer specific, but not comprehensive, email authentication. For example, DKIM does not analyze the “from” domain – this is the address that will appear to the user. DKIM performs no check on this address, so even though it appears to be from a specific domain, it can be spoofed. DMARC resolves this issue by checking that the visible domain address is the same as the domain that has already been verified as part of the DMARC checks (SPF or DKIM). This ensures that an email’s advertised identity is verified and is consistent with its origin.
Summary
DMARC is an important protocol for cutting the quantity of phishing emails making their way into users’ accounts. If organizations have effective DMARC policies in place, there will be far fewer emails that impersonate these brands. The only way that an impersonation can get past DMARC is by being quite different from the authentic email; this makes the fake much easier for the end-user to spot.
By employing DMARC policies for your own domain, you will be able to collect data on how mailboxes view your emails, and how many of your emails are classed as spam. This helps your organization adapt your policies to reach your customers, whilst ensuring your organization is not mimicked.
To help you find the best solution to prevent impersonation attacks on your brand and ensure your emails are reaching your customers, we’ve put together a guide to the best DMARC solutions on the market, which you can find below: