What is DMARC? Setup, Diagnosis & Fixes

DMARC Email Authentication

LOOK UP DMARC RECORD SCHEDULE A DEMO

What is DMARC?

DMARC is an email authentication protocol that helps identify and quarantine malicious emails, like those from phishing or domain spoofing attacks, so they don’t end up in your inbox. Learn more >

A Brief History of DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy was created so email senders could publicly specify their policies for unauthenticated emails, and allow recipients to provide authentication reports to senders that can help them improve their authentication policies. Circulated publicly on March 31, 2013, adoption of DMARC was slow but steady in the beginning, reaching just over 80,000 confirmed valid DMARC records by 2016. That number would rise steadily until seeing a nearly 300% increase from 630,000 records to 1.89 million from 2018 to 2019 due to the vast majority of Internet Service Providers (ISPs) automatically checking to see if a DMARC policy is in place for a domain and enforcing that policy. At the end of 2020, the number of validated records had reached 2.7 million.

Agari can demystify DMARC for you!

AGARI DMARC PROTECTION TOUR

Types of DMARC Policies

There are three main policies that can be specified in your DMARC record. These determine what happens when that message fails the DMARC check. Those policies are:

p=reject

p=reject refuses to accept email that fails the DMARC check. The email is dropped, and the sender receives a bounceback message for the failure.

p=quarantine

p=quarantine accepts emails that violate the DKIM check but marks them as spam. This is usually done by moving the email in a spam folder or tagging the subject line with a DMARC failure warning.

p=none

p=none does not impact the flow of email and is used to monitor which emails are passing or failing the DKIM check. This can help gauge how effective your current policies are, and shape how you implement future email security rules. The email is sent to its destination.

Both “reject” and “quarantine” offer protection against spoofed messages. Larger organizations often set their policy to “none” and then monitor their DMARC report. The report will help administrators get a better understanding of how mail flows from their domain, and help them choose the best policy that won’t impact legitimate traffic.

Individual recipients can choose whether or not they want to ignore DMARC policies set by the sending domain. Many email security applications offer features that allow organizations to customize their spam filter settings.

These filters can be set to ignore DMARC/DKIM misalignments or failures. Emails can also be tagged in the subject line and sent to its destination, rather than being completely rejected. 

Learn more about DMARC policies >

How Does DMARC Work?

We know DMARC is a technical standard that helps prevent spam and email spoofing, but how exactly does it work?

DMARC allows domain owners to publish their email authentication policies, and dictate what happens to inbound messages that fail those series of authentication checks. DMARC utilizes the authentication standards of SPF and DKIM to provide better security through the SMTP protocol.

Let’s break down how an email message would be validated through DMARC.

Publish the DMARC policy.

The owner of the domain publishes a DMARC record that outlines its email authentication policy. This record is stored on the domains DNS server.

Mail servers check inbound mail using DNS.

The recipient mail server checks for a DMARC policy using the “From” header in the sender's message. This checks the message for a valid DKIM signature, a matching IP address in the senders SPF record, and tests for domain alignment.

Apply the DMARC policy.

The server uses the results of these checks to apply the domain's DMARC policy. This can either accept, reject, or quarantine the email.

Generate a DMARC report.

The receiving mail server sends a report detailing the outcome of the email, and any other messages sent from the same domain. DMARC aggregate reports are sent to the email address specified in the DMARC record.

fta-ag-how-dmarc-works

DKIM & BIMI Records

graphic

DKIM

DKIM, Domain Keys Identified Mail, is a technique that uses your domain name to sign your emails with a digital “signature” so your customers know it’s really you sending those emails and that they haven’t been altered in transit.

Can I Use DMARC without DKIM?

The short answer is yes, you can use DMARC without DKIM. By using SPF authentication you can set up DMARC without having a DKIM record. When using SPF you create a rule that states DMARC authentication passes as long as the SPF check is valid and the SPF identifier is aligned.

But what if SPF authentication fails? Legitimate messages can fail SPF validation when they are forwarded, and the intermediary IP address is not listed on the SPF record.

If DMARC is using only SPF for validation, that legitimate message being forwarded will be rejected by the DMARC policy. Having DKIM as a part of your DMARC setup helps eliminate that problem by having an extra set of authentication checks present.

A full DMARC implementation with SPF and DKIM working together is your best bet. Having both SPF and DKIM configured improves your chances of legitimate email passing DMARC authentication. Read how to set up DKIM >

Monitoring your DMARC reports using a “none” policy helps give administrators a look into who is forwarding emails on the domain’s behalf. If you’re thinking about implementing DMARC without DKIM, consider monitoring your DMARC reports closely before switching to “quarantine” or “reject” policy.

BIMI

Brand Indicators for Message Identification (BIMI) is a newer standard that attaches your brand logo to authenticated emails sent from your organization. This helps build both trust with your subscribers, as well as brand awareness.

Implementing BIMI can help recipients visually verify that the message is legitimate since the branded logo is only applied to the email if it has passed DMARC authentication.

Can BIMI be used with DMARC?

Yes, BIMI can only be implemented once DMARC authentication is active on a domain. BIMI is often viewed as an extension of DMARC that helps brands build trust and awareness with their audience via email. Read how to set up BIMI >

Identifier Alignment

DMARC ties the results from the SPF and DKIM check to the domain in the “From” header of the email. This is called Identifier Alignment, or sometimes referred to as DMARC alignment. Ensuring that the authenticated messages have a relationship to the “From” header prevents DMARC from being abused by criminals.

Identifier Alignment comes in two different types, Strict Alignment, and Relaxed Alignment. Under Strict Alignment the domains must be an exact match. In Relaxed Alignment mode, the domains can have different subdomains from the same top-level domain. Strict Alignment mode can be used by larger organizations that own multiple subdomains to compartmentalize email security.

How to Setup DMARC

While you don’t need DMARC to send emails, it’s one of the best forms of protection against domain impersonation attacks. When you set up DMARC, you’re protecting all emails sent from that domain. This makes creating a DMARC record a fast and scalable way to protect an entire organization in a single afternoon.

Examples of a DMARC Record

Below is an example of a DMARC record. It is made up of several tags that shape exactly what happens to email messages that fail the DMARC check. Let’s break down what each part does.

“v=DMARC1;p=none;pct=100;rua=mailto:[email protected]


In most cases a simple DMARC record can get the job done, however, there are many other types of tags that can be used to create more granular policies for your record. At the minimum, all DMARC records must contain a version (v=) and a policy (p=) to be considered valid.

  • v=DMARC1   This specifies the protocol version. This will be at the beginning of your record, and will always stay the same.
  • p=none   This represents the policy for the domain, and specifies what will happen to a message that fails a DMARC check. In this case, “none” will not impact mail flow, and allow the message to through.
  • pct=100   This denotes the percentage of messages that are subject to filtering. With pct=100, 100% of messages that fail the check are filtered.
  • rua=mailto:[email protected]   This address will receive DMARC reports, and is designated for monitoring.

Below is a table of commonly used tags that can make up a DMARC record:

Tag Name Requirement Use Case Example
v Required Protocol version v=DMARC1
p Required Protocol for domain p=reject
rua Optional Emails report rua=mailto:[email protected]
pct Optional % of messages subjected to filtering pct=25
aspf Optional Alignment mode of spf aspf=r
sp Optional Policy for subdomains sp=r

 

 

Steps to Create Your DMARC Record

Getting Started

Before creating a DMARC record, you’ll need to have both SPF and DKIM authentication active on your server for at least 48 hours before setup.

Use the Agari DMARC Setup Tool and enter the name of your domain into the search field and hit Submit. If your domain does not have a DMARC record already created, you should see the option to “Create DMARC Record.” If your domain already has a DMARC record created, you should see the existing record and an option to "Modify DMARC Record".

If you're ready to get started click to button appropriate for your situation.

Benefits of DMARC

DMARC is a free way for anyone to implement email security at the protocol level. Unlike security plugins, DMARC works on the DNS level to protect inboxes. Implementing DMARC on your mail server has numerous benefits that can:

Authenticate legitimate emails and look up the authorized sending domains.

Define policies that determine how to deliver or dispose of emails that are deemed inauthentic.

Gain insight through DMARC reporting to measure how successful the policies are.

Identify threats and attempted spoofing attacks against a particular domain.

Send alerts when changes to email infrastructure may impact the delivery of legitimate messages.

Improve your overall email reputation score and deliverability.

DMARC stops attackers from sending fraudulent messages from your domain. A DMARC record provides anti-spoofing protection by using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) record checks to validate messages. Domain owners can then set policies to dictate what happens to messages that fail these checks.

According to Verizon’s Data Breach Investigations Report, 36% of all company data breaches involved email phishing, which is an 11% increase from last year. In 2020, phishing was the most common cybercrime according to an FBI cybercrime report. With email-based threats showing no sign of slowing down, it’s never been a better time to implement a DMARC domain protection.

Why Does DMARC Fail?

DMARC can fail if the record is misconfigured, or if the domain is already being spoofed by attackers. Let’s review some of the most common reasons why DMARC fails, and how to remedy it.

DMARC uses identifier alignment to authenticate your emails. This process checks the message to ensure that the domain used matches the domain found in the “From” section of the email header. You can make sure your DMARC aligns by validating the settings on your SPF and DKIM records. Make sure that your SPF record correctly reflects your sending domain.

You can validate the settings on your DKIM record in a similar way by ensuring that the domain used to create the signature matches the “From” header. This can be found under the d= parameter, where the “d” stands for the domain.

DMARC can also fail based on the configuration of your DMARC alignment mode. For DMARC authentication to occur, either SPF or DKIM needs to be aligned. Both DKIM and SPF have their own alignment modes that can be set to either “relaxed” or “strict”.

DMARC can fail if these modes are set incorrectly. If your modes are set to “strict”, ensure that they match the exact domain found in the “From” headers of your message. Under the “strict” alignment mode, subdomains are treated differently and require explicit permission for authentication.

When emails are forwarded, they are passed through an intermediary server before being delivered. On forwarded messages, the SPF check fails since the IP address of the forwarding server does not match the sending domain’s SPF record.

This problem can be solved by aligning and authenticating all outgoing messages through SPF and DKIM. Monitoring a DMARC report before enforcing these policies can help identify mail forwarding ahead of time, and prevent any deliverability issues caused by a DMARC failure.

When DMARC is active, the recipient’s Mail Transfer Agent (MTA) will perform DNS queries to validate your sending sources. If your DNS server does not list your sending sources, the recipient would not be able to complete this validation.

This can be fixed by creating entries in your DNS server that include all trusted third parties. This will allow them to send on behalf of your domain.

Checking Your DMARC Reports

DMARC reports are valuable, and allow you to see which emails on your domain are passing DKIM, SPF, and DMARC checks. Monitoring your mail flow from your DMARC report allows you to update your DMARC policies with stricter enforcements gradually, further strengthening your protection against spoofing attacks.

There are two types of DMARC reports, DMARC Aggregate reports (RUA) and Forensic DMARC reports (RUF).

DMARC Aggregate Reports (RUA): Contain information regarding the authentication status of messages sent on behalf of your domain. These reports show which messages are passing DKIM and SPF validation, and which ones are not.

These record details such as the domain that used to send the message, the IP address the message was sent from, the date, and the result of the DKIM/SPF policy check. These reports can identify spoofing attempts as well as outline future “reject” policies.

DMARC Forensic Reports (RUF): Contain information when an email sent through your domain fails either DMARC, SPF, or DKIM validation. Similar to RUA reports, these logs contain key details that allow you to identify the source of these messages and fix the issue. RUF reports are valuable for both troubleshooting deliverability issues, as well as identifying sending IP addresses of attackers who are actively attempting to spoof your domain.

It’s common practice for organizations to start off with their DMARC policy set to “none”, and then change it to “quarantine”, and finally “reject”. This strategy gives you time to fully review your DMARC report, and make those changes without the risk of accidentally impeding legitimate mail flow.

It’s best to set up a dedicated mailbox specifically for DMARC reports. This helps keep the reports organized and doesn’t overwhelm a shared inbox with a flood of messages. Reports are generated based on how much email your domain sends. Enterprise organizations may see several hundred DMARC reports per day.

graphic

Limitations of DMARC

While it’s true DMARC is the best defense against email spoofing, there are some limitations as to what DMARC can do in terms of email security. Let’s compare what DMARC can and cannot do.

check

DMARC can help organizations:

  • Reduce the amount of spam they receive
  • Stop their domain from being spoofed
  • Prevent emails from being tampered with in transit (when using DKIM)
  • Understand who is sending messages from a particular domain
  • Prevent phishing attacks from reaching user inboxes
  • Use DMARC reports to understand how attackers are trying to use their domain
cross

DMARC cannot:

  • Scan emails for malicious content
  • Prevent phishing attacks that use look-alike or cousin domain attacks
  • Detect and removing malicious links inside of emails
  • Monitor the content of inbound or outbound messages

Resources

Get Started

Email Protection From The Founders of DMARC

Agari offers a turnkey solution to combat email threats using both DMARC and advanced phishing protection. This combination stops both domain spoofing attacks as well as phishing attacks that use misspelled domain names.

Predictive analytics identifies new threat trends as they emerge by proactively scanning trillions of messages. As new threat patterns are identified, they are automatically applied to your threat database, ensuring even the newest types of attacks are thwarted.

No matter where your email is hosted, Agari offers a wide variety of integrations into platforms like Office 365, Microsoft Exchange, and Gmail. Setup is simple and doesn’t require any downtime, meaning no missed emails during onboarding.

Agari works to ensure DMARC is configured properly and fills the gaps where DMARC falls short. Agari DMARC Protection automatically implements a full DMARC solution for you, even if you’re starting from scratch. The system scans the web and your DMARC reports to proactively identify and shut down spoofing attempts and lookalike domain attacks.

Schedule a live demo of
Agari DMARC Protection

REQUEST A DEMO

 

Read our comprehensive guide:
"Getting Started with DMARC”

READ THE GUIDE

 

Look up or generate your
DMARC record with our free tool.

GENERATE DMARC RECORD