What is DMARC? Setup, Diagnosis & Fixes

DMARC is an email authentication protocol used to prevent spoofing. To secure your email, we've created a guide on implementing, reviewing, and fixing DMARC.

What Does DMARC do?

DMARC helps identify and quarantine malicious emails, like those from phishing or domain spoofing attacks, so they don’t end up in your inbox. By using SPF and DKIM, DMARC can tell if emails are truly authentic.

A Brief History of DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) was first brought to life in the Spring of 2011 when Agari and other DMARC founders met to determine how they could create a policy that would prevent email fraud on a massive scale.

The goal was to create a way for senders to publicly specify their policies for unauthenticated emails, and allow recipients to provide authentication reports to senders that can help them improve their authentication policies.

DMARC was first published on January 30, 2012, and circulated publicly on March 31, 2013.

Adoption of DMARC was slow but steady in the beginning, reaching just over 80,000 confirmed valid DMARC records by 2016. That number would rise steadily until seeing a nearly 300% increase from 630,000 records to 1.89 million from 2018 to 2019. At the end of 2020, the number of validated records had reached 2.7 million.

Now a vast majority of Internet Service Providers (ISPs) offer DMARC support. This means that ISPs will automatically check to see if a DMARC policy is in place for a domain and enforce that policy. If the policy check fails, the message will not be delivered.

Benefits of DMARC

DMARC is a free way for anyone to implement email security at the protocol level. Unlike security plugins, DMARC works at the DNS level to protect inboxes. Implementing DMARC for your domain has numerous benefits. It lets you:

  • Authenticate legitimate emails and look up the authorized sending domains.
  • Define policies that determine how to deliver or dispose of emails that are deemed inauthentic.
  • Gain insight through DMARC reporting to measure how successful the policies are.
  • Identify threats and attempted spoofing attacks against a particular domain.
  • Send alerts when changes to email infrastructure may impact the delivery of legitimate messages.
  • Improve your overall email reputation score and deliverability.

DMARC stops attackers from sending fraudulent messages from your domain. A DMARC record provides anti-spoofing protection by using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) record checks to validate messages. Domain owners can then set policies to dictate what happens to messages that fail these checks.

According to Verizon’s Data Breach Investigations Report, 36% of all company data breaches involved email phishing, which is an 11% increase from last year. In 2020, phishing was the most common cybercrime according to an FBI cybercrime report. With email-based threats showing no sign of slowing down, there has never been a better time to implement DMARC domain protection.

How Does DMARC Work?

We know DMARC is a technical standard that helps prevent spam and email spoofing, but how exactly does it work?

DMARC allows domain owners to publish their email authentication policies and dictate what happens to inbound messages that fail those authentication checks. DMARC builds on the SPF and DKIM authentication standards to provide better security over the SMTP protocol.

Let’s break down how an email message would be validated through DMARC.

01. Publish the DMARC policy.

The owner of the domain publishes a DMARC record that outlines its email authentication policy. This record is published in the domain's DNS.

02. Mail servers check inbound mail using DNS.

The recipient mail server looks up the DMARC policy for the domain in the message's “From” header. It then checks the message for a valid DKIM signature, checks that the sending IP address is listed in the sender's SPF record, and tests for domain alignment.

03. Apply the DMARC policy.

The server uses the results of these checks to apply the domain's DMARC policy. This can either accept, reject, or quarantine the email.

04. Generate a DMARC report.

The receiving mail server sends a report detailing the outcome of the email, and any other messages sent from the same domain. DMARC aggregate reports are sent to the email address specified in the DMARC record.

Types of DMARC Policies

There are three main policies that can be specified in your DMARC record. These determine what happens when a message fails the DMARC check. Those policies are:

01. p=reject

p=reject refuses to accept email that fails the DMARC check. The email is dropped, and the sender receives a bounceback message for the failure.

02. p=quarantine

p=quarantine accepts emails that violate the DKIM check but marks them as spam. This is usually done by moving the email into a spam folder or tagging the subject line with a DMARC failure warning.

03. p=none

p=none does not impact the flow of email and is used to monitor which emails are passing or failing the DKIM check. This can help gauge how effective your current policies are, and shape how you implement future email security rules. The email is sent to its destination.

Both “reject” and “quarantine” offer protection against spoofed messages. Larger organizations often set their policy to “none” and then monitor their DMARC report. The report will help administrators get a better understanding of how mail flows from their domain, and help them choose the best policy that won’t impact legitimate traffic.

Individual recipients can choose whether or not they want to ignore DMARC policies set by the sending domain. Many email security applications offer features that allow organizations to customize their spam filter settings.

These filters can be set to ignore DMARC/DKIM misalignments or failures. Emails can also be tagged in the subject line and sent on to their destination, rather than being completely rejected.

Identifier Alignment

DMARC ties the results of the SPF and DKIM checks to the domain in the “From” header of the email. This is called Identifier Alignment, sometimes referred to as DMARC alignment. Ensuring that the authenticated identifiers have a relationship to the “From” header prevents DMARC from being abused by criminals.

Identifier Alignment comes in two types: Strict Alignment and Relaxed Alignment. Under Strict Alignment the domains must be an exact match. In Relaxed Alignment mode, the domains can be different subdomains of the same top-level domain. Strict Alignment mode can be used by larger organizations that own multiple subdomains to compartmentalize email security.

Can I Use DMARC without DKIM?

The short answer is yes, you can use DMARC without DKIM. By using SPF authentication you can set up DMARC without having a DKIM record. When using SPF you create a rule that states DMARC authentication passes as long as the SPF check is valid and the SPF identifier is aligned.

But what if SPF authentication fails? Legitimate messages can fail SPF validation when they are forwarded, and the intermediary IP address is not listed on the SPF record.

If DMARC is using only SPF for validation, that legitimate message being forwarded will be rejected by the DMARC policy. Having DKIM as a part of your DMARC setup helps eliminate that problem by having an extra set of authentication checks present.

A full DMARC implementation with SPF and DKIM working together is your best bet. Having both SPF and DKIM configured improves your chances of legitimate email passing DMARC authentication.

Monitoring your DMARC reports using a “none” policy helps give administrators a look into who is forwarding emails on the domain’s behalf. If you’re thinking about implementing DMARC without DKIM, consider monitoring your DMARC reports closely before switching to “quarantine” or “reject” policy.
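The evaluation described in the sections above (alignment, then policy) and the forwarding scenario in “Can I Use DMARC without DKIM?” can be captured in a few lines. The following is an added example, not Agari's code or any receiver's implementation: it takes SPF/DKIM results a receiver has already computed, tests identifier alignment in relaxed or strict mode, and maps the published policy onto a disposition. The organisational-domain logic is a deliberate simplification (last two labels); real implementations consult the Public Suffix List.

```python
"""Added example (not Agari's code): how a receiver applies identifier
alignment and the published DMARC policy to SPF/DKIM results.
The organisational-domain logic is a simplification of the real rule."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels.
    Assumption: no multi-label public suffixes such as co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any subdomain sharing the same organisational domain."""
    a = auth_domain.lower().strip(".")
    f = from_domain.lower().strip(".")
    if not a or not f:
        return False
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    """Raw authentication results the receiver already computed."""
    spf_result: str    # "pass" or "fail" for the MAIL FROM (envelope) domain
    spf_domain: str    # the MAIL FROM domain SPF was evaluated against
    dkim_result: str   # "pass" or "fail" for the DKIM signature
    dkim_domain: str   # the d= tag of the DKIM signature ("" if unsigned)


def dmarc_passes(from_domain: str, res: AuthResults,
                 adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes when at least one of SPF or DKIM both passes and aligns
    with the From header domain."""
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, from_domain, aspf)
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, from_domain, adkim)
    return spf_ok or dkim_ok


def disposition(from_domain: str, res: AuthResults, policy: str,
                adkim: str = "r", aspf: str = "r") -> str:
    """Map the published p= policy onto what happens to a failing message."""
    if dmarc_passes(from_domain, res, adkim, aspf):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed scenario: a message forwarded through an intermediary. SPF fails
# (the forwarder's IP is not in example.com's SPF record) but the DKIM
# signature survives the hop, so DMARC still passes.
FORWARDED = AuthResults("fail", "forwarder.example.net", "pass", "example.com")
# Same forwarding, but the domain relies on SPF alone (message is unsigned).
FORWARDED_SPF_ONLY = AuthResults("fail", "forwarder.example.net", "fail", "")

if __name__ == "__main__":
    for label, res in (("forwarded, DKIM-signed", FORWARDED),
                       ("forwarded, SPF only", FORWARDED_SPF_ONLY)):
        print(label, "->", disposition("example.com", res, "reject"))
```

Under p=reject the DKIM-signed forwarded message is still delivered, while the SPF-only one is rejected; under p=none both are delivered, which is why monitoring first is recommended.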

Can BIMI be used with DMARC?

Yes, BIMI can only be implemented once DMARC authentication is active on a domain. BIMI is often viewed as an extension of DMARC that helps brands build trust and awareness with their audience via email.

What exactly is BIMI?

Brand Indicators for Message Identification (BIMI) is a newer standard that attaches your brand logo to authenticated emails sent from your organization. This helps build both trust with your subscribers, as well as brand awareness.

Implementing BIMI can help recipients visually verify that the message is legitimate since the branded logo is only applied to the email if it has passed DMARC authentication.

How to Set Up DMARC

While you don’t need DMARC to send emails, it’s one of the best forms of protection against domain impersonation attacks. When you set up DMARC, you’re protecting all emails sent from that domain. This makes creating a DMARC record a fast and scalable way to protect an entire organization in a single afternoon.

Generate Your DMARC Record

Examples of a DMARC Record

Below is an example of a DMARC record. It is made up of several tags that shape exactly what happens to email messages that fail the DMARC check. Let’s break down what each part does.

v=DMARC1;p=none;pct=100;rua=mailto:dmarc.rua@agari.com

v=DMARC1

This specifies the protocol version. This will be at the beginning of your record, and will always stay the same.

p=none

This represents the policy for the domain, and specifies what will happen to a message that fails a DMARC check. In this case, “none” does not impact mail flow and allows the message through.

pct=100

This denotes the percentage of messages that are subject to filtering. With pct=100, 100% of messages that fail the check are filtered.

rua=mailto:dmarc.rua@agari.com

This address will receive DMARC reports, and is designated for monitoring.

In most cases a simple DMARC record gets the job done. However, there are many other tags that can be used to create more granular policies for your record. At a minimum, all DMARC records must contain a version (v=) and a policy (p=) to be considered valid.

Below is a table of commonly used tags that can make up a DMARC record:

Tag    Requirement   Use Case                                  Example
v      Required      Protocol version                          v=DMARC1
p      Required      Policy for the domain                     p=reject
rua    Optional      Address that receives aggregate reports   rua=mailto:email@yourdomain.com
pct    Optional      % of messages subjected to filtering      pct=25
aspf   Optional      Alignment mode for SPF                    aspf=r
sp     Optional      Policy for subdomains                     sp=reject

Creating Your DMARC Record

Before creating a DMARC record, you’ll need to have both SPF and DKIM authentication active for your domain for at least 48 hours.

Open the Agari DMARC Setup Tool, enter your domain name in the search field and click Submit. If your domain does not already have a DMARC record, you should see the option to “Create DMARC Record.”

Here you’ll be able to specify the policies you want for your DMARC record. If you’re unsure of how strict you want to make your DMARC policy, start with Monitor Only as this will not impact mail flow and can always be changed later. By using Monitor Only you will set your DMARC policy to “none.” This will allow you to review your DMARC report and then change that policy to “quarantine” or “reject”.

Next, specify a valid email address for your Aggregate Reports and Forensic Data to be sent to. This should be a separate inbox dedicated to collecting DMARC reports.

Click Next. On the next page, you should see your DMARC record that includes all the policies and settings you requested. Your record should look something like:

v=DMARC1; p=none; rua=mailto:dmarc-feedback@YourDomain.com

Copy your record and save it.

Creating Your TXT Record

Next, log in to the admin panel of your DNS hosting provider. Each provider has a different layout, but all will have the option to add a new DNS record. Create a new DNS TXT record.

For the record type choose TXT.

Under the Host Value section enter “_dmarc” as the Host without quotes.

In the TXT Value box paste the record you copied earlier. Make sure changes are saved and applied.

Validate Your New DMARC Record

After a few minutes, head back to the Agari DMARC Setup Tool and check your domain again. You should now see that your DMARC record was found. DMARC reports may take longer to populate. If reports don’t appear, allow 24-48 hours for your DNS settings to propagate.

Why Does DMARC Fail?

DMARC can fail if the record is misconfigured, or if the domain is already being spoofed by attackers. Let’s review some of the most common reasons why DMARC fails, and how to remedy it.

01. DMARC Alignment Failures

DMARC uses identifier alignment to authenticate your emails. This process checks that the domain authenticated by SPF or DKIM matches the domain found in the “From” section of the email header. You can make sure your DMARC aligns by validating the settings on your SPF and DKIM records. Make sure that your SPF record correctly reflects your sending domain.

You can validate the settings on your DKIM record in a similar way by ensuring that the domain used to create the signature matches the “From” header. This can be found under the d= parameter, where the “d” stands for the domain.

DMARC can also fail based on the configuration of your DMARC alignment mode. For DMARC authentication to occur, either SPF or DKIM needs to be aligned. Both DKIM and SPF have their own alignment modes that can be set to either “relaxed” or “strict”.

DMARC can fail if these modes are set incorrectly. If your modes are set to “strict”, ensure that they match the exact domain found in the “From” headers of your message. Under the “strict” alignment mode, subdomains are treated differently and require explicit permission for authentication.

02. Email Forwarding

When emails are forwarded, they pass through an intermediary server before being delivered. On forwarded messages, the SPF check fails because the IP address of the forwarding server is not listed in the sending domain’s SPF record.

This problem can be solved by aligning and authenticating all outgoing messages through SPF and DKIM. Monitoring a DMARC report before enforcing these policies can help identify mail forwarding ahead of time, and prevent any deliverability issues caused by a DMARC failure.

03. Missing Sending Sources In DNS

When DMARC is active, the recipient’s Mail Transfer Agent (MTA) performs DNS queries to validate your sending sources. If your DNS does not list your sending sources, the recipient will not be able to complete this validation.

This can be fixed by creating entries in your DNS server that include all trusted third parties. This will allow them to send on behalf of your domain.

Checking Your DMARC Reports

DMARC reports are valuable, and allow you to see which emails on your domain are passing DKIM, SPF, and DMARC checks. Monitoring your mail flow from your DMARC report allows you to update your DMARC policies with stricter enforcements gradually, further strengthening your protection against spoofing attacks.

There are two types of DMARC reports, DMARC Aggregate reports (RUA) and Forensic DMARC reports (RUF).

DMARC Aggregate Reports (RUA): Contain information regarding the authentication status of messages sent on behalf of your domain. These reports show which messages are passing DKIM and SPF validation, and which ones are not.

These record details such as the domain that was used to send the message, the IP address the message was sent from, the date, and the result of the DKIM/SPF policy check. These reports can identify spoofing attempts and inform a future “reject” policy.

DMARC Forensic Reports (RUF): Contain information when an email sent through your domain fails either DMARC, SPF, or DKIM validation. Similar to RUA reports, these logs contain key details that allow you to identify the source of these messages and fix the issue. RUF reports are valuable for both troubleshooting deliverability issues, as well as identifying sending IP addresses of attackers who are actively attempting to spoof your domain.

It’s common practice for organizations to start off with their DMARC policy set to “none”, and then change it to “quarantine”, and finally “reject”. This strategy gives you time to fully review your DMARC report, and make those changes without the risk of accidentally impeding legitimate mail flow.

It’s best to set up a dedicated mailbox specifically for DMARC reports. This helps keep the reports organized and doesn’t overwhelm a shared inbox with a flood of messages. Reports are generated based on how much email your domain sends. Enterprise organizations may see several hundred DMARC reports per day.
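Reading the aggregate (RUA) reports described above means turning the XML each receiver sends into a per-source view: how much mail each IP sent on the domain's behalf, whether it passed aligned SPF and DKIM, and what the receiver did with it. The following is an added example, not Agari's code; the XML is a constructed sample in the RFC 7489 aggregate-report layout, not a real report, and covers three sources: the domain's own server, a forwarder (SPF fails, DKIM passes), and an unknown host failing both.

```python
"""Added example (not Agari's code): summarise a DMARC aggregate (RUA) report.
SAMPLE_RUA is a constructed report, not one received from a real mailbox
provider."""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate(xml_text: str) -> dict:
    """Extract the published policy and one row per sending source."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        dkim = ev.findtext("dkim")
        spf = ev.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": dkim,
            "spf": spf,
            "disposition": ev.findtext("disposition"),
            # policy_evaluated results are already alignment-aware, so DMARC
            # passes for the row when either one is "pass".
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return {"domain": pol.findtext("domain"), "policy": pol.findtext("p"),
            "reporter": root.findtext("report_metadata/org_name"), "rows": rows}


def summarize(report: dict) -> dict:
    """Totals, the sources that would be hit by a stricter policy, and the
    SPF-fail/DKIM-pass pattern that usually indicates forwarding."""
    passing = sum(r["count"] for r in report["rows"] if r["dmarc_pass"])
    failing = [r for r in report["rows"] if not r["dmarc_pass"]]
    forwarders = [r["source_ip"] for r in report["rows"]
                  if r["dkim"] == "pass" and r["spf"] == "fail"]
    return {
        "total": passing + sum(r["count"] for r in failing),
        "passing": passing,
        "failing": sum(r["count"] for r in failing),
        "failing_sources": [r["source_ip"] for r in failing],
        "likely_forwarders": forwarders,
    }


if __name__ == "__main__":
    report = parse_aggregate(SAMPLE_RUA)
    print(report["domain"], "p=" + report["policy"], "from", report["reporter"])
    for row in report["rows"]:
        print(row)
    print(summarize(report))
```

The failing_sources list is what a move from “none” to “quarantine” or “reject” would start affecting; each IP in it is either an unauthorised sender or a legitimate source still missing from SPF/DKIM, and the report alone cannot tell which, so it needs checking against your known sending infrastructure first.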

Understanding DMARC reports is a vital aspect of email security, and can aid in stopping spoofing attacks before they impact deliverability. If you need help reading or analyzing your DMARC reports, Agari can help.

Contact us today for help with your DMARC analysis and report aggregation.

Limitations of DMARC

While it’s true DMARC is the best defense against email spoofing, there are some limitations as to what DMARC can do in terms of email security. Let’s compare what DMARC can and cannot do.

DMARC can help organizations:

  • Reduce the amount of spam they receive
  • Stop their domain from being spoofed
  • Prevent emails from being tampered with in transit (when using DKIM)
  • Understand who is sending messages from a particular domain
  • Prevent phishing attacks from reaching user inboxes
  • Use DMARC reports to understand how attackers are trying to use their domain

DMARC cannot:

  • Scan emails for malicious content
  • Prevent phishing attacks that use look-alike or cousin domain attacks
  • Detect and remove malicious links inside of emails
  • Monitor the content of inbound or outbound messages

Agari works to ensure DMARC is configured properly and fills the gaps where DMARC falls short. Agari Brand Protection automatically implements a full DMARC solution for you, even if you’re starting from scratch. The system scans the web and your DMARC reports to proactively identify and shut down spoofing attempts and lookalike domain attacks.

Email Protection From The Founders of DMARC

Agari offers a turnkey solution to combat email threats using both DMARC and advanced phishing protection. This combination stops both domain spoofing attacks as well as phishing attacks that use misspelled domain names.

Predictive analytics identifies new threat trends as they emerge by proactively scanning trillions of messages. As new threat patterns are identified, they are automatically applied to your threat database, ensuring even the newest types of attacks are thwarted.

No matter where your email is hosted, Agari offers a wide variety of integrations into platforms like Office 365, Microsoft Exchange, and Gmail. Setup is simple and doesn’t require any downtime, meaning no missed emails during onboarding.

If you’re looking for protection beyond DMARC, or help setting up your record, Agari’s Advanced Email Security can help. Sign up for a free trial to see the difference Agari can make in your inbox.
