What Is DMARC?
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email protocol that, when published for a domain, controls what happens if a message fails authentication tests (i.e., the recipient server can't verify that the message's sender is who they say they are). Through those authentication checks (SPF and DKIM), receiving organizations analyze messages purporting to be from the sender's domain and determine whether each message was actually sent by the domain named in the message. DMARC essentially answers the questions: What should happen to messages that fail the authentication tests (SPF and DKIM)? Should they be quarantined? Rejected? Or should we let the message through even if it failed to prove its identity? Long story short, DMARC acts as a gatekeeper to inboxes and, if set up properly, can prevent phishing and malware attacks from landing in the inbox.
What Is a DMARC Record?
DMARC uses DNS to publish information on how an email from a domain should be handled (e.g., do nothing, quarantine the message, or reject the message). Because it uses DNS, nearly all email systems can look up how email supposedly sent from your domain should be processed. This also makes it simple to deploy: setting it up requires only one DNS change (publishing a DMARC TXT record).
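To make concrete what that single TXT record contains, and what a record lookup tool checks, here is an added example (not MxToolbox's lookup code) that parses a DMARC record's tag=value syntax and flags the common mistakes: a misplaced v= tag, a missing or unknown policy, bad alignment or pct values, and report destinations that are not mailto: URIs. Both sample records are constructed.

```python
"""Parse and sanity-check a DMARC TXT record (RFC 7489 tag=value syntax).
Added example, not MxToolbox's lookup code; the sample records are constructed."""
import re

# Dispositions a domain owner may request for messages that fail DMARC.
VALID_POLICIES = {"none", "quarantine", "reject"}
# mailto: URI, optionally with a report-size limit such as !10m (RFC 7489 §6.2).
MAILTO_RE = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

# Constructed sample records (example.com is a reserved documentation domain).
SAMPLE_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r; pct=100"
SAMPLE_BAD = "p=none; v=DMARC1; rua=https://example.com/report"


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, keeping tag order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:            # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc_record(txt: str) -> list:
    """Return the problems found; an empty list means receivers can use the record."""
    try:
        tags = parse_dmarc_record(txt)
    except ValueError as err:
        return [str(err)]
    problems = []
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    # p= is required: it is the policy receivers apply to failing messages.
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"unknown policy {policy!r}")
    # sp= (subdomain policy) is optional but takes the same values.
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    # Alignment modes: r (relaxed, the default) or s (strict).
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in {"r", "s"}:
            problems.append(f"{tag}= must be r or s")
    # pct= is an integer percentage, default 100.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"pct= must be 0-100, got {pct!r}")
    # rua= / ruf= list report destinations; only mailto: URIs are accepted here.
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_RE.fullmatch(uri):
                problems.append(f"{tag}= destination is not a mailto: URI: {uri!r}")
    return problems


if __name__ == "__main__":
    for record in (SAMPLE_GOOD, SAMPLE_BAD):
        print(record)
        print("  problems:", validate_dmarc_record(record) or "none")
```

Run it against a record fetched with `dig TXT _dmarc.yourdomain.example` to see the same class of findings a lookup tool reports; the ordering check matters because receivers stop reading a record whose first tag is not v=DMARC1.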
How Does DMARC Work?
DMARC is used in conjunction with SPF and DKIM (the authentication tests we mentioned earlier), and these three components work wonders together to authenticate a message and determine what to do with it. Essentially, a sender's DMARC record instructs a recipient on the next steps (e.g., do nothing, quarantine the message, or reject it) if suspicious email claiming to come from that sender is received. Here is how it works:
1. The owner of the domain publishes a DMARC DNS Record at their DNS hosting company.
2. When an email is sent by the domain (or someone spoofing the domain), the recipient mail server checks to see if the domain has a DMARC record.
3. The mail server then performs DKIM and SPF authentication and alignment tests to verify whether the sender is truly the domain it claims to be.
- Does the message have a proper DKIM signature that validates?
- Does the sender's IP address match authorized senders in the SPF record?
- Do the message headers pass domain alignment tests?
4. With the DKIM and SPF results, the mail server is then ready to apply the sending domain's DMARC policy. This policy basically says:
- Should I quarantine, reject, or do nothing to the message if the message has failed DKIM/SPF tests?
5. Lastly, after determining what to do with the message, the receiving mail server (think Gmail) will send a report on the outcome of this message and all other messages they see from the same domain. These reports are called DMARC Aggregate Reports and are sent to the email address or addresses specified in the domain's DMARC record.
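The five steps above carried through in code, as an added example (not MxToolbox's code or any mail receiver's implementation): it applies SPF and DKIM alignment to a message's From: domain (step 3), derives the disposition from the sender's policy including pct= sampling (step 4), and tallies the rows an aggregate report would summarise per source IP (step 5). The policy, messages and IP addresses are constructed; the organizational-domain lookup is simplified to the last two labels, whereas a real receiver consults the Public Suffix List.

```python
"""Apply DMARC to one message: SPF/DKIM alignment against the From: domain,
the disposition the sender's policy requests, and an aggregate-report tally.
Added example with constructed data, not MxToolbox's or any receiver's code."""
import random
from collections import Counter


def organizational_domain(domain: str) -> str:
    """Assumption/simplification: the registrable domain is the last two labels.
    Real receivers consult the Public Suffix List so that e.g. co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment: same organizational domain.
    Strict ('s') alignment: exact domain match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower().rstrip(".")
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_result(msg: dict, policy: dict, sample=None) -> dict:
    """msg: From: domain, the raw SPF result and MAIL FROM domain, and a list of
    (d= domain, result) pairs for DKIM signatures. policy: parsed record tags.
    sample: a fixed 0-99 roll for pct= sampling (random when None)."""
    from_domain = msg["from_domain"]
    # Step 3: SPF counts only if it passed AND its domain aligns with From:.
    spf_ok = msg["spf_result"] == "pass" and aligned(
        from_domain, msg["spf_domain"], policy.get("aspf", "r"))
    # DKIM counts only if a signature validated AND its d= aligns with From:.
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy.get("adkim", "r"))
                  for d, result in msg["dkim_results"])
    passed = spf_ok or dkim_ok          # one aligned mechanism is enough
    # Step 4: passing messages are delivered normally; failing ones get p=.
    disposition = "none" if passed else policy.get("p", "none")
    # pct= phases a policy in: unsampled failures get the next weaker policy
    # (RFC 7489 §6.6.4), so the roll only matters when the message failed.
    pct = int(policy.get("pct", "100"))
    roll = random.randrange(100) if sample is None else sample
    if not passed and roll >= pct:
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


def aggregate_rows(messages, policy) -> Counter:
    """Step 5: what an aggregate (rua) report row summarises per source IP:
    the disposition plus aligned SPF/DKIM outcomes, with a message count."""
    rows = Counter()
    for m in messages:
        r = dmarc_result(m, policy, sample=0)   # sample=0: always selected, deterministic tally
        rows[(m["source_ip"], r["disposition"], r["spf_aligned"], r["dkim_aligned"])] += 1
    return rows


# Constructed policy (as parsed from a record) and three constructed messages.
POLICY = {"p": "reject", "adkim": "r", "aspf": "r", "pct": "100"}
MESSAGES = [
    # Sent by the domain's own mail system: SPF and DKIM both aligned.
    {"source_ip": "192.0.2.10", "from_domain": "example.com",
     "spf_result": "pass", "spf_domain": "bounces.example.com",
     "dkim_results": [("example.com", "pass")]},
    # Third-party platform using its own MAIL FROM and no DKIM for example.com.
    {"source_ip": "198.51.100.7", "from_domain": "example.com",
     "spf_result": "pass", "spf_domain": "marketing-platform.example",
     "dkim_results": []},
    # Forwarded message: SPF breaks on the forwarder's IP, DKIM still aligns.
    {"source_ip": "203.0.113.5", "from_domain": "example.com",
     "spf_result": "fail", "spf_domain": "bounces.example.com",
     "dkim_results": [("example.com", "pass")]},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["source_ip"], dmarc_result(m, POLICY))
    for row, count in aggregate_rows(MESSAGES, POLICY).items():
        print(count, row)
```

The second message is the case that aggregate reports exist to surface: SPF passed for the platform's own domain, but nothing aligned with example.com, so under p=reject it is rejected. A domain owner reading the report row for 198.51.100.7 would either authorise that platform (SPF include or a DKIM key for example.com) or confirm it is not sending on their behalf, which is why the reports are worth collecting before moving from p=none to a stricter policy.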
Why Do I Need DMARC?
DMARC helps combat malicious email practices that put your business at risk. Implementing this protocol is strongly advised. Whether performing e-commerce or offline sales, your business uses email as a primary means of communication with employees, customers, and suppliers. Unsecured messages are easy to spoof, and increasingly sophisticated criminals are finding lucrative ways to carry out a variety of email scams. DMARC helps senders and receivers work together to better safeguard email and reduce spoofing, phishing, and spam.
MxToolbox DMARC Tools
MxToolbox provides free tools needed to test your DMARC setup and compare it to best practices. For instance, our DMARC Record Lookup checks your DNS DMARC record for availability and compatibility with RFCs, which is especially useful when you set up your initial DMARC record.
After your record is established, we advise you to monitor your DMARC record to confirm it is publicly accessible. MxToolbox Monitoring provides the first line of defense against missing or lost DNS records, such as your all-important DMARC record.