What is DMARC?
In an earlier article, we covered what DKIM and SPF can do for a domain. DMARC is the extension that brings it all together. DMARC stands for "Domain-based Message Authentication, Reporting & Conformance".
DMARC allows senders to indicate that their domain is protected by SPF and/or DKIM. They're then given the opportunity to indicate what happens when the policy fails, such as quarantine the message (normally place it into SPAM) or reject the message.
Essentially this means that if an email doesn't pass the SPF/DKIM checks, perhaps because it was sent by a spammer, we can instruct the sender what to do.
When the policy is enforced the domain can owner protect against Phishing emails, attempts to spoof a well-known domain, brand abuse and other forms of impersonation.
You can also ensure that a message passes alignment, ensuring that the messages
FROM field is aligned with the SPF and DKIM checks. This is essentially the final step needed to protect a domain's reputation and ensure that only verified senders can use the domain.
Another great benefit of DMARC is the [reporting], in addition to adding policy the DMARC standard allows you to specify an aggregate and forensic report email address. When the policy fails you can see which senders are passing/failing and add make any changes to allow legitimate senders to pass. You can also see where malicious emails may be coming from.
Creating a DMARC Record
Like our other protection mechanisms creating a DMARC record means adding the DNS entry for our domain. For example
_dmarc.example.com will work for our SPF records at
example.com and DKIM on
Our record will then look something like this:
host -t TXT _dmarc.example.com "v=DMARC1; p=quarantine; pct=100; rua=mailto:email@example.com; sp=none; aspf=r;"
We'll map out the available parameters below:
||The DMARC Version. Should currently always be
||The policy to apply when the check fails
||The subdomain policy, this allows us to set a rule for every subdomain rather than having to create records for every subdomain.|
||The percentage of mails to apply this policy for.|
||The list of URIs to send the aggregate feedback reports to. Must be in the form
||The SPF alignment mode.
||The DKIM alignment mode.
||The forensic report mode.
||The list of URIs to send forensic reports to. Should also be in the "mailto" form.|
||The reporting interval, this is rarely used and most providers will send a report once per day.|
Once you have a DMARC DNS record in place you'll start receiving reports at the email addresses you specified.
Reports from outside your domain
It's important to note that in our example we specified an email on a different domain to the domain the record was created for.
In order for
example.net to receive reports for
example.com we'll have to create a TXT record on the example.net domain like this:
host -t TXT example.com._report._dmarc.example.net “v=DMARC1”
This states that emails at example.net should receive reports for example.com.
What is DMARC identifier alignment?
In the table above we mentioned the alignment mode Strict (s) or Relaxed (r) for both SPF and DKIM.
Strict means that the SPF/DKIM check must exactly match the
header-from field (the from: in the email's header).
For example, if the header states
from: firstname.lastname@example.org then the SPF/DKIM record must match for paypal.com.
Relaxed mode means that a subdomain of the domain may be used for the match. Relaxed is frequently used by ESPs that use a subdomain for sending. For example, if emails are sent, and SPF is correctly setup for
mailserver.paypal.com then we could use relaxed to make sure we pass.
CloudMailin's outbound system sends messages from mta.yourdomain.com. Using relaxed mode we can ensure that messages pass DMARC as we are an authorised sender, while still protecting the domain.
DMARC reports are sent as an email attachment (usually zipped) in the following format:
for example a report from google.com may look like:
More details about the full format of the report can be found at dmarc.org. Normally though it's advisable to use a user-friendly DMARC analysing software.
Which email receivers support DMARC?
MxToolbox created a great summary of the providers that support DMARC reporting at present. Many of the top email providers support sending DMARC reports. Some of the top providers that are believed to support DMARC include:
- GMail and Google Apps
- Yahoo Mail
Interestingly although Microsoft advocates for using DMARC pretty heavily they don't send aggregate reports. If you'd like to get reports from Office 365 receivers the only option, for now, is to vote for office365 to support it. It's apparently in the works.
In summary you can see how not only does DMARC help enforce thee security and therefore reputation of your domain, but it also helps you monitor the state of the emails you're sending. We suggest you get started today!