Wondering how DMARC affects email? Here’s a comprehensive guide explaining what DMARC is, how it affects email, and why your company needs it for security.
What does DMARC mean? DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol to help email administrators prevent fraudsters from spoofing email domains by specifying whether spoofed emails should be allowed, quarantined, or rejected by recipients.
DMARC is an open email standard created by the industry consortium DMARC.org. It prevents malicious emails that impersonate other people, and it works in conjunction with the well-known email standards SPF and DKIM to protect your email. These two separate records ensure the authenticity of the sender, as well as the validity of the email. Configuring emails to pass DMARC is the only way for email senders to tell email receivers that the emails sent from their domain are actually from them.
Simply put, DMARC acts as a gatekeeper to a receiving email server. When an email arrives from your sending domain and it isn’t verified with SPF or DKIM, you can use DMARC to tell the receiver to reject, monitor, or quarantine the message. DMARC isn’t mandatory, but most modern email servers are now using it, which means if your email server isn’t configured correctly, your emails could be getting sent to spam.
Using DMARC as part of your email best practices can:
Now that you know the basics, let’s dive into some of the most common questions around DMARC.
There are some additional benefits to using DMARC on your email server, other than just security. Government organizations and many of the most respected brands in the world have adopted DMARC, which allows them to:
All of this is important, especially for those companies that send millions or even billions of emails each year.
You can check to see if you have a DMARC email policy in place by looking for a TXT record in your DNS server that begins with “v=DMARC”. Alternatively, you can use the Agari DMARC Setup Tool to check your domain for you.
DMARC records are stored on the DNS server that your email server uses. Within your DNS server, you can create and modify DMARC, SPF and DKIM records to secure your mail server. Below is a quick overview of the types of policies you might see in your DNS server, and what they do.
Inside your DNS server, a DMARC email policy will exist as a text record, commonly abbreviated as “TXT”. Below is an example showing what the record would look like. Keep in mind, records can look slightly different depending on how they are configured.
The above policy quarantines emails that fail the DMARC check 100% of the time and provides a report to the postmaster.
When configuring your DMARC email policy, you can customize exactly how you want it to treat email traffic using DMARC tags. See the table below for some of the most commonly used DMARC configuration tags.
While those are just a few of the most common tags, there are many more tags you can use to get even more specific with your DMARC configuration.
If you’re looking to keep it simple, the only tags you must specify are your version and policy.
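The rules above (a TXT record that starts with the version tag, a mandatory policy tag, and optional tags such as the percentage and the report address) can be checked mechanically. The following Python sketch is an added example, not code from this article or from Agari; the sample record is constructed, example.com is a placeholder, and the function names are hypothetical.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
# Constructed sample record (not the article's own example); example.com is a placeholder.
SAMPLE = "v=DMARC1; p=quarantine; pct=100; rua=mailto:postmaster@example.com"

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict, keeping tag order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    return tags

def check_dmarc(txt):
    """Return (tags, problems); an empty problems list means the record is usable."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return {}, [str(exc)]
    problems = []
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    # The policy tag is the other mandatory tag.
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"].lower() not in VALID_POLICIES:
        problems.append(f"unknown policy {tags['p']!r}")
    # pct is optional and defaults to 100.
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append(f"pct must be 0-100, got {pct!r}")
    return tags, problems

def describe(txt):
    """Summarise what a valid record asks receivers to do with failing mail."""
    tags, problems = check_dmarc(txt)
    if problems:
        return "invalid: " + "; ".join(problems)
    rua = tags.get("rua")
    action = f"{tags['p'].lower()} {tags.get('pct', '100')}% of failing mail"
    return action + (f"; aggregate reports to {rua}" if rua else "; no reports requested")

if __name__ == "__main__":
    print(describe(SAMPLE))
```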
There are three main DMARC policies that determine what happens to email traffic that fails the DMARC check.
DMARC may protect against spoofing, but it doesn’t protect against all forms of email threats. Having DMARC in place does not protect against malicious attachments or links in emails, or from emails that are not coming from your domain.
A simple DMARC email policy also doesn’t protect against cousin domain attacks. Simply put, in a cousin domain attack, attackers register domains that look very similar to those of real companies in hopes of tricking recipients into clicking malicious emails. Here’s an example.
email@example.com: Here we see this email is coming from the real company, Microsoft.
firstname.lastname@example.org: At first glance, it may look the same, but attackers registered “micosoft” to trick users into trusting malicious emails.
Since these attacks rely on tricking the recipient, rather than spoofing a real company, a DMARC email policy alone will not stop these attacks.
However, Agari Brand Protection works to stop spoofing attacks by rapidly identifying and securing lookalike and cousin domains, while working with name server authorities to take down malicious domain names that already exist.
Implementing proper DMARC isn’t hard once you have a firm understanding of what it does and how it works. We’ve covered the DMARC setup process in depth, but here is an overview of how it’s done.