DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication standard that protects email senders and receivers from attacks that depend on forging a domain in the From: header, such as email domain spoofing and the phishing and spam campaigns built on it.
It is a technical standard that allows an organization to authenticate its email and set a policy by building on, and requiring alignment with, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Together with SPF and DKIM, it lets a domain owner tell receivers to reject or quarantine email from unauthorized sources.
It helps mailbox providers such as Gmail, Outlook and Yahoo protect their users from phishing and domain spoofing. However, DMARC does not authenticate a message by itself: it relies on the SPF and DKIM results and adds the alignment check, the policy, and the reporting.
Built on those authentication standards, it supplements SMTP (Simple Mail Transfer Protocol), the standard protocol for sending email, which has no built-in sender authentication of its own. It lets the domain owner define what receivers should do with email that fails the authentication checks.
What is a DMARC Record?
The DMARC record is the central element of a DMARC deployment: it is where the policy and reporting settings are defined. Its presence tells receiving mail servers that the domain uses DMARC, and if it is present, receivers apply the policy it contains to mail claiming to come from that domain.
The DMARC record is published in the organization's DNS (Domain Name System) zone. It is a standard DNS TXT record with a specific format, published under a particular name: "_dmarc.mydomain.com".
Here is an example of DMARC record:
v=DMARC1; p=reject; rua=mailto:F4EXVjm@rua.kdmarc.com; ruf=mailto:F4EXVjm@ruf.kdmarc.com; fo=1;
In the above record:
- v=DMARC1 indicates the DMARC version and must be the first tag in the record
- p=reject indicates the policy applied to mail that fails the DMARC check
- rua=mailto:F4EXVjm@rua.kdmarc.com tells mailbox providers where aggregate reports are to be sent
- ruf=mailto:F4EXVjm@ruf.kdmarc.com tells mailbox providers where failure (forensic) reports are to be sent; many large providers do not send these at all, so do not rely on them
- fo=1 asks for a failure report whenever either SPF or DKIM fails to produce an aligned pass, rather than the default (fo=0) of reporting only when both fail
Note: Both report addresses above are under kdmarc.com rather than mydomain.com. Receivers only send reports to such an external destination if the destination domain has opted in by publishing a TXT record named mydomain.com._report._dmarc.rua.kdmarc.com (and likewise for ruf.kdmarc.com) containing "v=DMARC1". The domain owner can also use other tags such as adkim= and aspf= (strict or relaxed alignment), sp= (policy for subdomains) and pct= (percentage of failing mail to which the policy is applied).
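As an added example that is not part of the original page or of KDMARC's own code, here is a small Python checker for a DMARC TXT record. It parses the tags, enforces the two requirements every receiver enforces (v=DMARC1 first, p= present), and prints the warnings a practitioner looks for: a monitoring-only policy, partial pct=, report destinations outside the domain (which need the opt-in record described above), and reliance on ruf=. The domain mydomain.com and the organizational-domain shortcut are assumptions; real receivers use the Public Suffix List.

```python
"""Parse a DMARC TXT record and flag the things a practitioner checks first."""

POLICIES = {"none", "quarantine", "reject"}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption/simplification: real receivers consult the Public Suffix List,
    so this is wrong for names such as example.co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict.

    Raises ValueError when the text cannot be a DMARC record: v=DMARC1 must be
    the first tag and p= must be present (both required by RFC 7489).
    """
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def check_dmarc_record(domain, txt):
    """Return (tags, warnings) for the record published at _dmarc.<domain>."""
    tags = parse_dmarc_record(txt)
    warnings = []
    if tags["p"] not in POLICIES:
        warnings.append(f"unknown policy p={tags['p']}")
    elif tags["p"] == "none":
        warnings.append("p=none only monitors: spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        warnings.append(f"pct={tags['pct']}: only that share of failing mail gets the policy")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri:
                continue
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                warnings.append(f"{tag} destination {uri!r} is not a mailto: address")
                continue
            dest = uri.split("@", 1)[1].split("!", 1)[0]  # strip optional size limit
            if org_domain(dest) != org_domain(domain):
                # RFC 7489 section 7.1: external report destinations must opt in.
                warnings.append(
                    f"{tag} destination {dest} is outside {domain}; receivers will "
                    f"look for a TXT record at {domain}._report._dmarc.{dest} "
                    "before sending reports there"
                )
    if "ruf" in tags:
        warnings.append("ruf= is set, but many large mailbox providers never send failure reports")
    return tags, warnings


# The record from the page, assumed to be published at _dmarc.mydomain.com.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:F4EXVjm@rua.kdmarc.com; "
                  "ruf=mailto:F4EXVjm@ruf.kdmarc.com; fo=1;")

if __name__ == "__main__":
    tags, warnings = check_dmarc_record("mydomain.com", EXAMPLE_RECORD)
    print(tags)
    for w in warnings:
        print("WARNING:", w)
```

Run against the page's record, the checker reports three things: both report destinations are external to mydomain.com, and ruf= is unlikely to produce data; the p=reject policy itself raises no warning.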
What are p= policies?
An organization sets a policy that tells receiving mail servers such as Gmail, Outlook, Live, etc. what to do with a message that fails the DMARC check.
There are three DMARC policies you can choose from for handling unauthorized emails sent on your behalf, selected with the p= tag in the DMARC record:
p=none: This policy only monitors your email traffic and takes no action against emails that fail the DMARC check. Use it first to gather DMARC reports and identify every legitimate source that sends on your behalf.
p=quarantine: Receivers treat emails that fail the DMARC check as suspicious, typically by placing them in the spam or junk folder.
p=reject: The recommended end state, because any email that fails the DMARC check is not delivered to the recipient at all. Move to it only after the aggregate reports show that all legitimate sending sources pass with alignment; otherwise your own legitimate mail will be rejected too.
How does DMARC Work?
DMARC is used in combination with SPF and DKIM to authenticate an email and determine what to do if it is unauthorized. The sending domain's DMARC record instructs the receiving mail server on how to deal with unauthorized email (for example, a spoofed email) according to the published policy.
This is how it works:
- The email domain owner publishes a DMARC DNS record.
- When a message arrives claiming to be from that domain (whether genuinely sent or spoofed), the receiving mail server looks up the DMARC record for the domain in the message's From: header.
- The receiving mail server then checks SPF and DKIM authentication and alignment to verify whether the sender's domain is legitimate, looking for:
- A valid DKIM signature
- The connecting IP address listed in the SPF record of the envelope sender (MAIL FROM) domain
- Alignment: the DKIM d= domain or the SPF-authenticated domain matches the domain in the From: header, either exactly (strict) or within the same organizational domain (relaxed, the default)
If neither SPF nor DKIM produces an aligned pass, the receiving mail server applies the domain owner's DMARC policy (none, quarantine or reject). A raw SPF or DKIM pass for some other domain does not count, which is what stops a spoofer who merely authenticates their own domain.
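The alignment and policy steps above, as an added Python example that is not from the page or from KDMARC. It evaluates DMARC for a few constructed messages: legitimate mail whose SPF passes for a bounce subdomain, a spoof where SPF and DKIM both pass but for the attacker's own domain, a forwarded message where only DKIM survives, and unsigned mail from a subdomain covered by sp=. The example.com record and the organizational-domain shortcut are assumptions.

```python
"""Apply the DMARC evaluation steps to individual messages: identifier
alignment, then the policy decision."""
from dataclasses import dataclass


def org_domain(domain):
    """Last two labels as the organizational domain. Assumption/simplification:
    real receivers use the Public Suffix List, so example.co.uk would break this."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an exact
    match with the From: domain; relaxed ('r') accepts the same organizational
    domain, so bounce.example.com aligns with example.com."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str      # domain of the RFC5322.From header (what the user sees)
    spf_result: str       # SPF result for the MAIL FROM domain: 'pass', 'fail', ...
    spf_domain: str       # the domain SPF was evaluated against
    dkim_results: list    # (result, d= domain) for every signature on the message


def evaluate_dmarc(msg, record_domain, record):
    """Return (result, disposition) for msg under the DMARC record published
    at _dmarc.<record_domain>, given as a {tag: value} dict.

    DMARC passes when at least one of SPF or DKIM both passed AND is aligned
    with the From: domain. A raw pass for some other domain, which a spoofer
    can easily arrange for a domain they control, does not count.
    """
    aspf = record.get("aspf", "r")
    adkim = record.get("adkim", "r")
    spf_aligned = (msg.spf_result == "pass"
                   and aligned(msg.spf_domain, msg.from_domain, aspf))
    dkim_aligned = any(res == "pass" and aligned(d, msg.from_domain, adkim)
                       for res, d in msg.dkim_results)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # Mail from a subdomain of the record's domain uses sp= when it is present.
    policy = record.get("p", "none")
    if msg.from_domain.lower() != record_domain.lower() and "sp" in record:
        policy = record["sp"]
    return "fail", policy


# Constructed scenarios (not from the page) against an assumed example.com record.
RECORD = {"v": "DMARC1", "p": "reject", "sp": "quarantine"}
STRICT_RECORD = {"v": "DMARC1", "p": "reject", "aspf": "s", "adkim": "s"}

SCENARIOS = {
    # Legitimate mail: SPF passes for the bounce subdomain; relaxed alignment holds.
    "legit": Message("example.com", "pass", "bounce.example.com", []),
    # Spoof: attacker controls attacker.example, so SPF and DKIM pass for it,
    # but neither identifier aligns with the forged From: domain.
    "spoof": Message("example.com", "pass", "attacker.example",
                     [("pass", "attacker.example")]),
    # Forwarded mail: SPF breaks (forwarder's IP), but the DKIM signature survives.
    "forwarded": Message("example.com", "fail", "example.com",
                         [("pass", "example.com")]),
    # Unsigned mail from a subdomain with no SPF pass: the sp= policy applies.
    "subdomain": Message("news.example.com", "fail", "news.example.com", []),
}


def run_scenarios(record=RECORD):
    """Evaluate every scenario against the given record."""
    return {name: evaluate_dmarc(msg, "example.com", record)
            for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:10s} -> {outcome}")
```

The same legitimate message fails under STRICT_RECORD, because aspf=s demands that the SPF domain equal the From: domain exactly; that is the usual reason to keep relaxed alignment unless every sending system uses the bare domain.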
Later, the receiving mail server sends a report on the messages it received claiming to be from the domain. The report goes to the address or addresses the domain owner specified, not to the sending mail server.
These reports are called DMARC Aggregate Reports. They are XML documents, normally sent once a day, to the rua= address(es) in the domain's DMARC record, and they list each source IP with message counts, the disposition applied and the SPF/DKIM results.
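An added Python example, not from the page or from KDMARC, showing what is in an aggregate report and how to pull out the sources that fail. The report is a constructed sample in the RFC 7489 Appendix C format (the reporter, IPs and counts are invented). The point to notice is the second record: SPF passes in auth_results for attacker.example, yet the aligned result in policy_evaluated is fail, so the message is rejected.

```python
"""Read a DMARC aggregate report (the XML a receiver sends to rua=) and list
the sources that failed, which is the data needed before moving to p=reject."""
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 Appendix C format; not a real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>2024-01-01-0001</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.mydomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (metadata, rows). Each row is one <record>: a source IP with its
    message count, the aligned results (policy_evaluated) and the raw
    authentication results (auth_results)."""
    root = ET.fromstring(xml_text)
    meta = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim"),
            "spf_aligned": rec.findtext("row/policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        })
    return meta, rows


def failing_sources(rows):
    """Sources where neither SPF nor DKIM produced an aligned pass. A raw SPF
    pass for another domain (visible in spf_domain) does not rescue them."""
    return [(r["source_ip"], r["count"], r["spf_domain"])
            for r in rows
            if r["dkim_aligned"] != "pass" and r["spf_aligned"] != "pass"]


def summarize(xml_text):
    """Totals a domain owner wants from one report before tightening p=."""
    meta, rows = parse_aggregate_report(xml_text)
    total = sum(r["count"] for r in rows)
    failing = failing_sources(rows)
    return {"domain": meta["domain"], "policy": meta["policy"], "total": total,
            "failed": sum(c for _, c, _ in failing), "failing_sources": failing}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

In a real deployment the reports arrive as gzip or zip attachments, one per reporting provider per day; the XML inside has exactly this shape, so the same parser applies once the attachment is decompressed.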
Why are Email Authentication Standards Important for Your Organization?
Reportedly, 1 in 3 organizations has fallen victim to CEO fraud emails. According to a security research firm, 6,170 malicious accounts have been responsible for over 100,000 BEC attacks this year.
These malicious email accounts used Gmail, AOL and other email services and impacted nearly 6,600 organizations; since April 1, 2020, 45% of detected BEC attacks have been attributed to them.
59% of the malicious email accounts used by cyber criminals were created on Gmail. Yahoo holds second place, accounting for nearly 6% of the detected malicious-account attacks.
These facts show why implementing DMARC is essential for an organization. Instituting email authentication standards protects your email domain from domain forgery and other email-based attacks. Keep in mind what DMARC covers: it stops others from forging your domain, whereas a BEC message sent from a genuine free-mail account like those above passes DMARC and has to be caught by other controls.
Organizations must implement tools like KDMARC to rightly set up DMARC, SPF and DKIM. KDMARC is a user-friendly tool that is designed and developed to empower organizations to effortlessly manage the deployment of these email authentication standards.
Here are the benefits of implementing KDMARC:
- Detects and defends against email spoofing
- Identifies the top sources abusing your domain
- Improves email deliverability and engagement rate
- Reduces email-based cyber attacks
- Full insight into the email channel