DMARC is an acronym that stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication protocol.
Domain owners can use DMARC to protect their domains from unauthorized use.
Unauthorized use of a domain is commonly known as email spoofing: someone sends an email that uses your domain in the From header.
With DMARC, you publish information on how a receiving ESP (Email Service Provider) should handle unauthorized emails from your domain. Additionally, you receive aggregated reports as a feedback loop from major providers like Gmail and Yahoo.
To configure or enable DMARC for your domain, you publish a new TXT record via your DNS provider (e.g. Namecheap, GoDaddy, etc.).
Here is an example DMARC record:
| Name | Value |
|---|---|
| Type | TXT |
| Host / Location | _dmarc |
| Value | v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com; |
The example above instructs the receiver to do the following:
Since the example policy requests no action for the main domain (p=none), its intention is to monitor the SPF and DKIM settings. It's a good idea to start with this setting for testing and then raise the policy to quarantine and/or reject.
You can see DMARC as a way to tell the receiver how to handle message authentication failures (SPF and DKIM failures) and get feedback.
Let's say you send an email to Bob.
When sending your email, your MTA (Mail Transfer Agent) generates a DKIM signature and applies it to your message.
The recipient checks your DKIM and SPF authentication. To do so, it queries your domain's DNS: with the SPF settings and the public DKIM key, the recipient performs the checks.
If the recipient supports DMARC, the check results are then forwarded to the DMARC module. The module queries the sender domain's DNS to retrieve a DMARC policy record.
In case the sender domain published a DMARC policy, the DMARC module acts depending on the policy. Otherwise, the process continues without any additional DMARC protection.
The recipient mail service delivers the message to the inbox or performs other actions depending on the DMARC policies (e.g. reject the message).
When requested, the recipient's mail service collects data from the message and sends feedback to the specified email address.
There are three different types of policies you can choose from. A policy tells the receiver how to handle unauthorized messages.
When implementing DMARC, it's a good idea to start with the none policy and monitor the reports. This allows you to detect and fix (SPF / DKIM) configuration issues before moving to a stricter policy.
When using a rua tag in your DMARC record, a (usually daily) email with the DMARC check results is sent to the specified email address.
The report is attached as an XML file. It is readable by humans and can be parsed by other software tools. The report contains a list of sending sources and the number of authenticated and unauthenticated emails received in a given time window.
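As an added example (not part of the original article), the following Python parses a DMARC TXT record like the one in the table above into its tags, and summarises a constructed aggregate report in the rua XML layout into pass/fail counts per sending IP. The XML sample and the IP addresses are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Parse the tag=value pairs of a DMARC TXT record into a dict.
# Defaults follow the record semantics described above: sp falls
# back to p, and pct defaults to 100.
def parse_dmarc_record(txt):
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p tag")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags

# Constructed (not real) aggregate report in the rua XML layout:
# one <record> per source IP with the DMARC evaluation result.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""

# Summarise an aggregate report: messages per source IP, split into
# DMARC pass (aligned DKIM or SPF passed) and fail.
def summarize_report(xml_text):
    root = ET.fromstring(xml_text)
    summary = {}
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = summary.setdefault(ip, {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += count
    return summary
```

A source IP with a large fail count that you do not recognise is the signal to investigate before tightening the policy.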
Even more insights about failed messages can be retrieved as forensic reports. To activate forensic reports, you publish the fo tag in your DMARC record.
Forensic reports are sent almost immediately on authentication failures. The report contains more insights about the message, like the From address, the recipient address and the email subject line.
DMARC is an effective way to protect you and your customers from unauthorized use of your email domain:
DMARC is an effective way to receive feedback regarding email activity from your domain. It also protects you and your customers from receiving unauthorized emails.
If you don't have a DMARC record published yet, now is the time to take care of it.