Frequently asked questions

The main purpose of DMARC is to give email domain owners a way to protect their domain from unauthorized use, also known as spoofing. By publishing a DMARC policy in their DNS records, domain owners can specify which mechanisms are used to authenticate email messages sent from their domain, and what to do if a message fails authentication. This allows receiving mail servers to check the authenticity of messages and prevent them from being delivered if they fail the authentication check.

DMARC works by allowing a domain owner to publish a policy in their DNS records that specifies which mechanisms, such as SPF and DKIM, are used to authenticate email messages sent from their domain. When a receiving mail server receives an email message, it takes the domain from the message’s From: header and looks up that domain’s DMARC policy in DNS. If a policy is published, the receiving mail server checks the message against it to see whether it passes authentication (namely, SPF and DKIM) with an identifier that aligns with the From: domain. If the message fails these checks, the receiving mail server can take the action specified in the policy, such as quarantining or rejecting the message.
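The evaluation described above, as an added example written for this FAQ (not Sendmarc’s software): it parses a published DMARC record, applies the strict/relaxed alignment rules to the receiver’s own SPF and DKIM results, and returns the disposition the policy asks for. The record, domains and authentication results are constructed sample data; the organizational-domain helper is a deliberate simplification (a real receiver uses the Public Suffix List).

```python
"""Added example: how a receiver applies a published DMARC policy.

Illustrative code written for this FAQ, not Sendmarc's tooling. The policy
record and the SPF/DKIM results below are constructed sample data; a real
receiver obtains the record from DNS (_dmarc.<from-domain> TXT) and the
results from its own SPF and DKIM checks.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag -> value.

    RFC 7489 defaults are filled in for the tags this example uses.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags


def organizational_domain(domain: str) -> str:
    """Rough organizational domain: the last two labels.

    Assumption made for the demo only; real code consults the Public Suffix
    List so that names like 'example.co.uk' are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match,
    relaxed ('r') only requires the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver's own SPF and DKIM checks produced."""
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # domain of the envelope sender (MAIL FROM)
    dkim_result: str   # "pass" or "fail"
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(from_domain: str, record: str, auth: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition the policy asks for.

    A message passes DMARC if *either* SPF or DKIM passed *and* the passing
    identifier is aligned with the From: domain. The alignment step is what
    DMARC adds on top of SPF and DKIM on their own.
    """
    policy = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # On failure the receiver applies p=; on pass the message is delivered.
        "disposition": "none" if passed else policy["p"],
    }


# Constructed sample record, as it would be published at _dmarc.example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s"

if __name__ == "__main__":
    # Legitimate mail: DKIM signed by example.com, SPF passing for a bounce subdomain.
    legit = AuthResults("pass", "bounce.example.com", "pass", "example.com")
    print(evaluate_dmarc("example.com", SAMPLE_RECORD, legit))
    # Spoofed From: SPF passes only for an unrelated domain, so nothing aligns.
    spoofed = AuthResults("pass", "unrelated.example", "fail", "")
    print(evaluate_dmarc("example.com", SAMPLE_RECORD, spoofed))
```

The second case is the one DMARC exists for: SPF can legitimately pass for the sending infrastructure’s own domain, but because that domain does not align with the From: domain the message still fails DMARC and the published `p=reject` applies.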

DMARC provides an effective defense against email-based attacks that use spoofing to impersonate a legitimate domain. By implementing DMARC and regularly monitoring their DMARC reports, domain owners can help prevent their domain from being used in these types of attacks. However, it’s important to note that DMARC alone is not a complete solution for protecting against spam and phishing, and should be used in conjunction with user awareness training and the implementation of a secure email gateway.

Implementing DMARC can be somewhat complex, as it involves publishing a DMARC policy in your DNS records and regularly monitoring your DMARC reports. If you’re not familiar with DNS and email authentication mechanisms, it’s ideal to work with an organization like Sendmarc to help set up your DMARC policy. The Sendmarc tools also give you the visibility needed to monitor the progress on all your active domains (or customer domains) on an ongoing basis. Additionally, Sendmarc provides tools which make the management of SPF, DKIM and DMARC much easier.

SPF, or Sender Policy Framework, is an email authentication check that validates the origin of an email. A domain owner authorizes a list of the IP addresses that are permitted to send email from that domain. When an email is received by a server, it can be verified as coming from an authorized source if it comes from an IP address allowed by the domain owner.
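The check described above, as an added example written for this FAQ (not Sendmarc’s tooling): it evaluates an SPF record against the connecting IP address, following `include:` references and enforcing the ten-lookup limit from RFC 7208. The DNS zone is a constructed in-memory table standing in for real TXT lookups so the code runs offline; only the `ip4`, `ip6`, `include` and `all` terms are supported.

```python
"""Added example: evaluating an SPF record against a connecting IP address.

Illustrative code written for this FAQ, not Sendmarc's tooling. SAMPLE_ZONE is
a constructed stand-in for DNS TXT lookups. Mechanisms a, mx, exists and the
redirect modifier are left out to keep the example short.
"""
import ipaddress

# Constructed sample zone: the TXT records a receiver would fetch over DNS.
SAMPLE_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # A record that includes itself, to show the lookup-limit guard.
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_spf(ip: str, domain: str, zone: dict, _lookups=None) -> str:
    """Return the SPF result for `ip` sending on behalf of `domain`.

    Results follow RFC 7208: pass, fail, softfail, neutral, none (no record)
    and permerror (too many lookups, bad syntax, or an include with no record).
    """
    lookups = _lookups if _lookups is not None else [0]
    addr = ipaddress.ip_address(ip)
    record = zone.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # Every include costs a DNS lookup; exceeding the limit is permanent.
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, zone, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "none":
                return "permerror"   # included domain has no SPF record
            if inner in ("permerror", "temperror"):
                return inner
            # fail, softfail or neutral inside an include: keep scanning.
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this demo
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for sender_ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(sender_ip, check_spf(sender_ip, "example.com", SAMPLE_ZONE))
    print("loop.example ->", check_spf("203.0.113.9", "loop.example", SAMPLE_ZONE))
```

The `loop.example` case is the one worth watching when you maintain an SPF record: nested `include:` chains from several SaaS mail providers can push a domain past ten lookups, at which point receivers return `permerror` and legitimate mail stops passing SPF.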


DMARC relies on SPF for verification that a sender is who they say they are, and it ties SPF and DKIM together with a set of policies that determine what should happen with the email if it does not pass SPF or DKIM authentication.

DKIM is an email authentication check to verify that an email hasn’t been tampered with during transit, that the signed headers of the email haven’t changed, and that the message was signed by the domain owner or by a party the owner has authorized to send on their behalf.


A digital signature is attached to every email sent from an authorized source, and the matching public key is published in the domain’s DNS; receivers use the two together to verify that the email message wasn’t altered or faked.

SPF and DKIM are complementary email authentication protocols often used together to provide a stronger defense against impersonation and phishing attacks. SPF helps prevent forged sender addresses, while DKIM helps prevent unauthorized changes to the contents of a message.


By implementing both SPF and DKIM, a domain owner can ensure that their messages are delivered to the intended recipient and that the message’s contents haven’t been tampered with in transit. If an email passes SPF and DKIM authentication, a recipient can be 100% certain that both the sender and the message are authentic.

Yes. SPF and DKIM help protect against email-based attacks that use forged sender addresses or rely on editing the contents of an email. By implementing both these protocols and monitoring their records, domain owners can help protect their domains from being used in these types of attacks. However, it’s important to note that SPF and DKIM alone aren’t a complete solution for protecting against email-based attacks, and should be used in conjunction with DMARC, user awareness training, and the implementation of a secure email gateway.

Sendmarc and your SEG complement each other in multiple ways. By implementing DMARC with Sendmarc, you’ll provide your SEG with additional signals to effectively identify and reject impersonation emails.


Additionally, Sendmarc will protect your domain from impersonation attempts outside the perimeter of your SEG. This means that every company and individual that receives email from your domain will be able to easily distinguish between legitimate email and an attacker’s attempts to impersonate your organization. While your SEG is a crucial component of your security strategy, Sendmarc enhances that protection by ensuring that only real email is delivered, shielding your staff and the rest of the world.

As stated by Google, starting February 2024 all Gmail senders must:

  1. Have DKIM or SPF email authentication protocols set up for your domain. Get in touch, we can help.
  2. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
  3. Use a TLS connection for transmitting email.
  4. Avoid ever reaching a spam rate of 0.3% or higher.
  5. Format messages according to the Internet Message Format standard (RFC 5322).
  6. Never impersonate Gmail From: headers. Sending email from any platform or email-sending service other than a Google platform (e.g. Mailchimp, SendGrid or Zendesk) with a From: address on the gmail.com domain qualifies as impersonating Gmail From: headers. To prevent this, Google will start enforcing a DMARC quarantine policy. So, for example, if you’re using joeplumbing@gmail.com to send business emails instead of info@joeplumbing.com, AND sending those emails from any platform other than Gmail, they are likely to land in Spam or Junk folders.
  7. Add ARC headers to outgoing email, especially if you regularly forward email, including using mailing lists or inbound gateways. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

As stated by Yahoo, starting February 2024 all Yahoo senders must:

  1. Authenticate email by implementing SPF or DKIM at a minimum
  2. Keep spam rate below 0.3%
  3. Have a valid forward and reverse DNS record for sending IPs
  4. Comply with RFCs 5321 and 5322

Microsoft may be involved in DMARC, but there are areas where its platform and services fall short when it comes to solving DMARC-related issues. Microsoft’s two primary roles in the DMARC ecosystem include sending reports and enforcing DMARC, which are required, but not enough, for a domain owner to achieve DMARC compliance.


Sendmarc complements Microsoft’s work in two ways:

  1. Reporting: Our platform gathers the DMARC reports sent to it by thousands of email receivers worldwide. It then summarizes, enriches, and visualizes all the DMARC data generated by your domain and displays it in one place for easy viewing, giving you understandable and actionable insights for protection.
  2. Configuration: While Microsoft will honor DMARC, SPF, and DKIM, it’s up to the domain owner (with the help of a platform like Sendmarc) to ensure that these standards are configured correctly. If they aren’t, Microsoft will reject legitimate emails, causing delivery issues. So, while Microsoft will reject emails that fail DMARC, it’s up to the domain owner to ensure that their domain carries the correct instructions for Microsoft to be able to do that.


While Microsoft’s role in DMARC is critical in securing your organization against inbound threats, the journey to complete DMARC protection requires more. It calls for your business to interpret reports from all providers, configure all platforms for DMARC compliance (not just Microsoft), and maintain complete DMARC, SPF, and DKIM records for ultimate protection against cyberthreats.