What is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

confused with email deliveryAbove is the official explanation of what DMARC is but if you are not familiar with DNS, it probably makes no sense at all.

So I will try my best to explain, unfortunately it’s quite hard not to be technical as this is a very technical subject.

So what is DMARC?

DMARC is an email-validation system designed to detect and prevent email spoofing, it’s quite straightforward to set-up and can help you stop anyone sending spoofed emails from your domain, it can also help you detect problem areas with your own email delivery for both transactional messages and marketing emails.

Before I explain how DMARC works I need to explain about DKIM and SPF records first.

(DKIM ) – DomainKeys Identified Mail

dkimDKIM allows an organization to take responsibility for transmitting a message in a way that can be verified by mailbox providers. This verification is made possible through cryptographic authentication.

Basics of how DKIM works

  1. Before sending the email, that email is encrypted using a private key.
  2.  After the encryption process is complete, the email is sent.
  3. The email provider receiving the email sees that it has a DKIM signature, which reveals which “domain/selector” combination signed the encryption process. To validate the signature, the mailbox provider will run a DNS query to find the public key for that domain/selector combination.
  4. If the public key and private key pair then the message passes the DKIM check

Why it matters: Email providers who validate DKIM signatures can use information about the signer as part of a program to limit spam, spoofing, and phishing, although DKIM does not tell receivers to take any specific actions. Depending on the implementation, DKIM can also ensure that the message has not been modified or tampered with in transit.

How do I set this up?

Most email service providers will more than likely DKIM sign your outbound emails with their own key or give you guidance on how to setup DKIM on your DNS and activate it before sending.  More details on DKIM can be found on the offical DKIM website.

(SPF) – Sender Policy Framework

spfAn SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. You use SPF records help identify spammers sending messages with forged envelope senders (the address used during the SMTP MAIL FROM command) on behalf of your domain.

It is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged “from” addresses, so publishing and checking SPF records can be considered anti-spam techniques.

A typical SPF record would look like:

v=spf1 include:_spf.google.com ~all

The above example is telling the world two things

_spf.google.com

This part is authorising Google to send emails on your behalf, a very popular record for those who use Google Apps for Work.

The 2nd part

~all

is what should happen to the email should it fail the SPF check.

 ~all

=  SOFTFAIL – a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged

-all

= FAIL, the mail should be rejected

There are other variants, more information can be found on the SPF website

How do I set this up?

Speak to your email service provider who will give you guidence.

Now Back to DMARC

DMARC is built on top of two existing mechanisms listed above, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the sender of an email to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email and how the receiver should deal with failures. Additionally, it provides a reporting mechanism of actions performed under those policies. It thus coordinates the results of DKIM and SPF and specifies under which circumstances the From: header field, which is often visible to end users, should be considered legitimate.

how does dmarc work

Example DMARC Record

"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"

Don’t panic, it’s not as complicated as it looks …check out the link below which will guide you through the creation of your own DMARC record .. it’s free and easy to use.

Create your DMARC record using this great free wizard

unlock the inbox

Use this DMARC creation wizard from unlock the inbox

 

Looking for more help?

(DKIM ) – DomainKeys Identified Mail

Official website – http://www.dkim.org

Wikipedia – https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

(SPF) – Sender Policy Framework

Official website – http://www.openspf.org

Wikipedia – https://en.wikipedia.org/wiki/Sender_Policy_Framework

(DMARC) – Domain-based Message Authentication, Reporting & Conformance

Official website – https://dmarc.org

Wikipedia – https://en.wikipedia.org/wiki/DMARC

Questions

If you have a quick question then please feel free to add a comment to this post and I will try and reply as best I can.

 

Written by Paul O'Brien

Based in West London, Paul O’Brien has worked within the email, SMS and Virtual Call Management industry for close to 20 years. PWOB Ltd is the company Paul runs and owns, with it’s name being his initials.

One comment

Leave a Reply