What is DMARC?
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a global email authentication best practice that safeguards email senders and recipients against email-based attacks like phishing, spoofing and impersonation.
DMARC builds on key authentication protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), with an additional security layer. It provides visibility of who is using a domain and allows a domain owner to specify the action receiving servers must take when an email fails authentication.
Once a domain is DMARC compliant, email receivers are able to report back to senders about the statuses of the emails they receive, such as whether they pass or fail authentication checks, or whether they’re delivered, quarantined or rejected.
How does DMARC work?
DMARC works by adding a special TXT record to the DNS (Domain Name System) of an email domain, which specifies how the domain owner wants the receivers to handle the messages that claim to come from that domain.
The TXT record contains a set of tags and values that define the DMARC policy, such as the alignment mode, the percentage of messages to apply the policy to, the reporting options, and the desired actions for failed messages.
When a receiver gets an email from a domain that has a DMARC record, it first checks if the message has a valid SPF and DKIM signature, and then compares the domains used in those signatures with the domain in the From header of the message.
If the domains match, or align, according to the DMARC policy, the message passes the authentication. If not, the message fails the authentication and the receiver follows the action specified by the DMARC policy, such as reject, quarantine, or none.
How does SPF work with DMARC?
SPF is an email authentication check that validates the origin of an email. A domain owner authorizes a list of the IP addresses that are permitted to send email from that domain. When an email is received by a server, it can be verified as coming from an authorized source if it comes from an IP address allowed by the domain owner.
DMARC relies on SPF for verification that a sender is who they say they are, and it ties SPF and DKIM together with a set of policies that determine what should happen with the email if it does not pass SPF or DKIM authentication.
How does DKIM work with DMARC?
DKIM is an email authentication check to verify that an email hasn’t been tampered with during transit, that the headers of the email haven’t changed, and that the sender is the legal owner of the domain or authorized by the owner to send on their behalf.
An encryption key and digital signature are attached to every email sent from an authorized list of addresses and these are used to verify that the email message wasn’t altered or faked.
If an email passes SPF and DKIM authentication, a recipient can be 100% certain that both the sender and the message are authentic.
DMARC, DKIM & SPF
When configured correctly, SPF, DKIM and DMARC prove that an email sender is legitimate and that the message hasn’t been compromised, ensuring that only emails that have passed these authentication checks reach an inbox.
What is a DMARC policy?
An organization’s DMARC policy is part of the DMARC record that’s published in the DNS. It tells a receiving server what to do with an email that fails SPF and DKIM email authentication checks. There are three DMARC policies a domain owner can choose from:
p=none – Monitoring only
Allows a domain owner to monitor email traffic, receive reports on email sources and understand how emails are being handled, without actively enforcing any measures to be taken on emails that fail authentication. This policy is often used during DMARC implementation to ensure that it’s configured correctly before moving to a stricter policy. This will not affect email deliverability.
p=quarantine – Quarantines suspicious emails
In addition to sending reports, this policy tells a receiving server to quarantine an email that fails DMARC checks by placing it in the Spam or Junk folder instead of delivering it to the inbox. This policy allows an email that fails DMARC checks to be delivered but quarantines it for further investigation before it makes it to an inbox.
p=reject – Rejects emails that fail authentication
P=reject is the strictest DMARC policy. On top of sending reports, it guarantees complete protection for internal and external recipients of a business’s emails because it instructs recipient servers to outright reject emails that fail DMARC checks, ensuring that they don’t reach the inbox. All organizations should seek to have a p=reject policy, as it provides the strongest protection against fraudulent emails.
What is DMARC reporting?
DMARC reporting is a hugely valuable feature of the DMARC email authentication protocol that allows domain owners to gain insights into email sending activities using their domain. This reporting mechanism provides data on which emails are passing or failing DMARC checks, which helps in identifying both legitimate email sources and potentially fraudulent activities.
Benefits of DMARC reporting include:
- Early threat detection
- Enhanced visibility and control
- Increased email deliverability
Read more on this here.
There are two types of DMARC reports:
1. Aggregate reports (RUA): These are usually sent daily or weekly and provide a detailed overview of email authentication data collected from various sources. This includes a view of all email traffic, information on IPs sending emails on behalf of the domain, and each email’s authentication status. RUA reports are useful for monitoring trends and identifying potential issues.
2. Forensic reports (RUF): These are sent in real-time or near-real-time and provide detailed information about individual email failures to assist in incident investigation. RUF reports include email headers, body, and authentication results.
Through DMARC reporting, organizations can monitor and protect their domains from unauthorized use, improving email security by preventing email spoofing and phishing attacks. This helps in maintaining the integrity of the email ecosystem and the organization’s communication channels.
What are the benefits of DMARC?
- Safeguard your reputation
- Boost email visibility
- Improve deliverability
- Email branding with BIMI
- Compliance
What is BIMI email branding?
Brand Indicators for Message Identification (BIMI) is an email authentication protocol that’s additional to DKIM, SPF and DMARC. An organization can’t implement BIMI unless it is DMARC compliant with a p=reject policy.
BIMI is a type of email branding that allows for the display of a company’s logo beside emails in recipient inboxes. It improves email impact, instantly providing brand recognition and credibility, and boosts trust by letting recipients know that an email is from a legitimate sender.
BIMI also lets the receiving servers authorize legitimate emails as it adds a corresponding DNS record. It acts as an extra anti-fraud measure against email spoofing, phishing and impersonation. The BIMI protocol has protection against illegitimate senders spoofing logos, making it an extremely powerful protection tool for companies committed to the security of all internal and external stakeholders.
Once an organization has implemented BIMI, a cybercriminal can’t copy or display its logo in a recipient’s inbox because their fraudulent email will not be approved and will never reach the inbox. This means that recipients can confidently associate emails displayed with a company’s logo as trustworthy, because BIMI adoption is only possible with the strongest authentication protocols in place.
