What is DMARC?
DMARC is an email authentication, policy and reporting protocol. It uses SPF and DKIM to add an additional layer to authentication by helping prevent fraudulent emails, and helping to prevent spoofing and phishing of your domain. It began several years ago when it was first pioneered by PayPal, and both Yahoo and Gmail joined to collaborate and improve the use of email authentication methods with DMARC.
Each year, it has gained in popularity by organizations and business around the world. Dmarc.org reports via Farsight Security that DMARC records increased 300% in 2020 compared to 2019.
What does DMARC do?
DMARC primarily achieves three things:
• Authentication Policy: Instructs email servers to junk or reject email failing the authentication check.
• Reporting: Provides feedback on email sent from your domain that fail the authentication check.
• Better Delivery: Setting up a DMARC policy requires you to utilize and achieve SPF and DKIM alignment, which all signal to receiving servers that you are concerned about the security of your domain, thereby helping increase delivery into the inbox.
Why should you use DMARC?
While this type of policy may not make sense for every business to set up, it’s very useful for businesses and corporations that are concerned about their domain being misused and spoofed. Setting up a DMARC policy allows you to instruct email servers that check for DMARC to accept or reject email that fail SPF and DKIM authorization, or simply notify you when this type of email is received.
How to set up your DMARC Record
Before setting up your DMARC policy, you must first have implemented SPF and DKIM properly.
Once you’ve set up SPF and DKIM and have verified their validity, you are ready to create a DMARC record. The DMARC record is added to your domain’s DNS zone, just as you would add the TXT records for SPF and DKIM.
When you first implement DMARC, your DMARC record will look something like this:
v=DMARC1; p=none; pct=100; rua=mailto:email@example.com
For help creating a DMARC record, you can also use Kitterman’s free DMARC Assistant. There are additional tags and options you can set in your DMARC record. You can visit this blog post from Validity for more information. The four parts of the record shown above are explained below.
This tag instructs the recipient server to run the DMARC authentication check.
2. p=none, quarantine or reject
There can only be one “p:” tag. This instructs the recipient server what to do with email messages that fail this authentication check. Options include: to do nothing (“p=none”), to move the message to spam (“p=quarantine”) or reject the message outright (“p=reject”). If you use “p=none,” you can still receive reports of who is sending the failed email, giving insight into how your domain is being used by others.
This tag tells what percentage of messages are subjected to filtering.
This tag instructs the recipient server to send the aggregate details of DMARC failures to the address specified.
Start with a policy of “p=none” as you monitor emails. It is best to have a good understanding of how many emails and which messages are not being authenticated by receiving servers.
The next step we recommend is quarantining a portion of your emails. You will change the tag in your DMARC’s DNS record from “p=none” to “p=quarantine.” Once you’ve addressed any messages that are failing DMARC due to SPF and/or DKIM, you’re ready to move to the last step. The strictest policy is updating your DMARC record to “p=reject.”
The ultimate goal is a DMARC policy of rejecting all emails that fail authentication for the most security and overall protection of your domain.
It can be a large undertaking to implement DMARC and understand the accompanying reports sent by receiving servers. We recommend the use of third party services that help you implement and monitor DMARC, with companies like Validity and Dmarcian. Additional information can be found on the DMARC.org website.
Contact us today to let us review your email authentication and help you get started with DMARC!