DMARC Explained

Domain-based Message Authentication, Reporting, and Conformance, also known as DMARC, is a record you can add to your DNS which assists in email authentication and acts as a reporting protocol.

Put simply, DMARC allows the sender to raise their hand and say “Hey, my messages are protected by SPF and/or DKIM”. It also provides instructions to the receiver on what to do if authentication fails. DMARC takes the guesswork out of handling messages that fail authentication and reports information back to the sender about messages that pass/fail the DMARC policy.

Q: “Can I send emails without DMARC?”

While DKIM and SPF records are always recommended, DMARC is not necessary for you to send out emails.

If you’re new to DNS records, DMARC may be something to look into further down the line, as it is known to cause issues. For example, if you are sending emails through a platform like the AllClients CRM – you’re piggybacking on our domains & sending IP addresses, so setting a strict DMARC policy would cause issues (unless you are using your IP address through our SendGrid integration).

Why DMARC Exists

DMARC exists because email users suffer from a high volume of spam and phishing attempts. With techniques such as email spoofing, where an attacker forges the sender’s address so the email appears to come from a trusted source, it’s hard to know which emails to trust. For example, if you receive mail from your bank, you’d want to be certain it’s really them.

Several methods have been introduced over the years to deal with this issue, but they work in isolation from each other and the legitimate domain owners never receive any feedback.

DMARC combats this issue by allowing domain owners to signal that:

  • The domain owner is using email authentication (DKIM, SPF).
  • There is an email address provided to gather feedback from their DMARC authentication.
  • They have a policy in place that receivers should apply to any messages that don’t pass authentication.

Q: “I already have DKIM and SPF, why should I use DMARC?”

Companies and email clients apply numerous methods to analyze incoming messages to provide safety and security for the recipient. This ranges from SPF and DKIM to spam filters and in-depth analysis or “quarantining” of incoming mail.

It is important to understand that DMARC does not eliminate the need for other authentication methods. Instead, it acts as a bridge by helping to coordinate efforts and streamline the process of authentication. DMARC can be recognized as the common thread between email authentication methods.

Q: “I have DMARC, does that mean I am safe from all phishing attacks?”

No. DMARC does help prevent this, but it’s mainly focused on preventing domain spoofing. It does not affect other methods of email phishing, such as look-alike domains or display name abuse.

Look-Alike Domain Abuse

Look-alike domain abuse uses sender domains that are almost identical to the target. An example of this would be domain.com vs domaln.com.

At a glance, an I and an L can be indistinguishable and a recipient that doesn’t look closely can be tricked into thinking it’s from a legitimate sender. A similar method commonly used is to change the TLD, or “Top-Level Domain” (this refers to the “.com” or “.net” at the end of your domain). An example of a TLD look-alike domain would be example.com vs example.co.

Display Name Spoofing

Display name spoofing can cause issues if you’re not careful, and it usually involves pretending to be someone known to the recipient, such as a co-worker or manager. This approach may not suit every team, but the recommended first line of defense against this type of attack is to instill a “low urgency” policy across your whole team, specifically for email requests.

Teams that adopt this mindset will be more cautious when they receive an email from the CEO stating “Wire $5,000 to this account immediately”. Being cautious of downloads, links, and urgent requests will disarm spoofers as they’re typically pushing the receiver to do something quickly (like before the receiver has a chance to verify the request).

How DMARC Works

DMARC checks whether the domain in the visible “From” header aligns with the domain that your other authentication methods (SPF and DKIM) verified. If either one aligns, DMARC passes. This means DMARC doesn’t need both SPF and DKIM to pass.

A DMARC record is a DNS TXT record that tells receivers what should happen to emails that do not have DMARC alignment. (DMARC alignment is the technical term for a message whose “From” domain is covered by a passing SPF or DKIM result.)

In your DMARC record, you can add an email address for where you would like to receive reports. Using these reports, you can gain insight into who’s using your domain in the world of emails.

Types of Policies

By setting up your DMARC policy you can let recipients know what to do with emails that fail the authentication process.

There are 3 different levels of “strictness” for the policies in your DMARC record.

DMARC Policy Levels by Severity:

Level 1: p=none

Always start with this policy as it allows you to keep an eye on your email traffic. No action is taken against emails that fail authentication. By using this policy, you can determine if your domain is being abused by phishers and then you can gauge the impact of moving to a more aggressive policy.

Using this as a starting point will allow you to see what settings you’ll need to adjust moving forward to avoid disrupting your mail flow.

Level 2: p=quarantine

This is the recommended option once you’ve worked out any kinks in your DNS. This policy asks receivers to place all mail that fails authentication in the recipient’s quarantine or spam folder, but only move to it after you’ve collected data using a p=none policy to confirm that you’re not unknowingly affecting legitimate senders using your domain.

Level 3: p=reject

This is the most strict policy and is only recommended after testing the mail flow of the previous two policies. If any of your emails fail to pass DMARC with this policy, they are blocked from being delivered.
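To make the alignment rule and the three policy levels concrete, here is a small evaluator that does what a receiving server does: parse the TXT record, check whether the “From” domain aligns with a passing SPF or DKIM identifier, and return the disposition the policy asks for. This is an added example written for this article, not AllClients code; tag names (v, p, rua, adkim, aspf) come from RFC 7489, and the record and domains used are constructed.

```python
# Added example for this article (not AllClients code): evaluate a DMARC record the
# way a receiving server does. Tags follow RFC 7489; sample identities are constructed.

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=quarantine; rua=mailto:...' into a dict and fill
    in the RFC defaults for alignment tags the record leaves out."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Production code uses the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment needs a shared organizational domain; strict
    ('s') needs an exact match. auth_domain None means that check failed."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record_txt, from_domain, spf_domain=None, dkim_domain=None):
    """Return (result, disposition). spf_domain is the envelope-sender domain
    only if SPF passed; dkim_domain is the d= of a verified DKIM signature.
    One aligned identifier is enough; DMARC never needs both."""
    rec = parse_dmarc(record_txt)
    if aligned(from_domain, spf_domain, rec["aspf"]) or \
       aligned(from_domain, dkim_domain, rec["adkim"]):
        return "pass", "none"
    return "fail", rec["p"]   # receiver applies none / quarantine / reject

# Constructed record: monitoring is done, policy has been raised to quarantine.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Bounce address on a subdomain passed SPF: relaxed alignment still passes.
    print(dmarc_result(SAMPLE_RECORD, "example.com", spf_domain="bounce.example.com"))
    # Forged From header, SPF passed only for an unrelated domain: quarantined.
    print(dmarc_result(SAMPLE_RECORD, "example.com", spf_domain="mail.unrelated.test"))
```

Switching the record to p=none makes the second case return a “fail” result with disposition “none”, which is exactly why the monitoring stage is safe: you see the failures in your reports without any mail being affected.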

Conclusion

A DMARC policy lets recipients know what to do when an email fails SPF or DKIM, indicating possible domain spoofing. This assists by differentiating legitimate emails from spoofed emails and can act as an extra layer of security for your company.

Keep in mind that DMARC is another step for security in email (which can cause inconveniences), so we recommend using DMARC on your primary email domain, and only in certain circumstances with your marketing domain.
