Federal agencies that send and receive email using .gov domains must use DMARC for email security to meet the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01. This Getting Started with DMARC: A Guide for Federal Agencies ebook gives you an overview that includes:
Domain owners that wish to become DMARC-compliant need to complete three activities:
1. Publish a DMARC record. To begin collecting feedback from receivers, publish a DMARC record as a DNS TXT record whose name is “_dmarc.” followed by the sending domain. The record starts with v=DMARC1, sets a policy with the p= tag, and names a reporting address in the rua= tag.
Doing so causes DMARC-compliant receivers to generate aggregate feedback reports and send them to the rua= address, here “dmarc-feedback@” on the agency's own domain. The “p=none” tag asks receivers to take no action on messages that fail DMARC; it tells them the domain owner is, for now, only collecting feedback. The DMARC record creator on the Agari website generates the required text: https://www.agari.com/resources/tools/dmarc/
2. Deploy email authentication (SPF and DKIM) for the domain and for every service that sends mail on its behalf.
3. Ensure that Identifier Alignment is met. DMARC passes only when an authenticated domain aligns with the domain in the message's From header: the domain SPF checked (the envelope sender) or the d= domain of a valid DKIM signature must match it exactly (strict alignment) or share its organizational domain (relaxed alignment, the default). DMARC aggregate feedback can be used to identify sources where SPF or DKIM succeeds but the authenticated domain does not align with the email domain, which is typical of third-party services sending on the agency's behalf. Once a misaligned source is identified, correction can be made rapidly, for example by having the service sign with a DKIM key under the agency's domain.
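The three steps above come together in the aggregate reports: the record you publish in step 1 fixes the alignment modes, step 2 produces SPF/DKIM results, and step 3 is reading the reports to find sources that authenticate with a non-aligned domain. The following script is an added example, not code from the guide or from Agari, that parses a DMARC TXT record and evaluates alignment over a constructed aggregate (rua) report. The domain example.gov, the report contents and the IP addresses are placeholders invented for the example; the organizational-domain shortcut is noted in the code.

```python
"""Added example (not from the guide): parse a DMARC TXT record and check
identifier alignment over rows from a constructed aggregate (rua) report."""
import xml.etree.ElementTree as ET

# Placeholder domain and mailbox; the guide's own record is not reproduced here.
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.gov"

# Constructed sample of a DMARC aggregate report in the RFC 7489 XML shape.
# Rows: agency MTA (aligned), third-party bulk mailer (authenticates but does
# not align), a spoofer (fails outright), and an agency subdomain sender.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>example.gov</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>1200</count></row>
  <identifiers><header_from>example.gov</header_from></identifiers>
  <auth_results><dkim><domain>example.gov</domain><result>pass</result></dkim>
   <spf><domain>example.gov</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>300</count></row>
  <identifiers><header_from>example.gov</header_from></identifiers>
  <auth_results><dkim><domain>bulkmailer.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.bulkmailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>85</count></row>
  <identifiers><header_from>example.gov</header_from></identifiers>
  <auth_results><spf><domain>example.gov</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.25</source_ip><count>40</count></row>
  <identifiers><header_from>example.gov</header_from></identifiers>
  <auth_results><dkim><domain>mail.example.gov</domain><result>pass</result></dkim>
   <spf><domain>mail.example.gov</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict; alignment defaults to relaxed."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Production
    code must use the Public Suffix List (e.g. for .co.uk); fine for .gov."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate_report(xml_text, record):
    """Per source IP: did SPF/DKIM pass, and did a passing identifier align
    with the RFC5322.From domain under the record's adkim/aspf modes?"""
    results = []
    for rec in ET.fromstring(xml_text).iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        auth = rec.find("auth_results")
        raw_pass, dkim_ok, spf_ok = False, False, False
        for d in auth.findall("dkim"):
            if d.findtext("result") == "pass":
                raw_pass = True
                dkim_ok |= aligned(d.findtext("domain"), header_from, record["adkim"])
        for s in auth.findall("spf"):
            if s.findtext("result") == "pass":
                raw_pass = True
                spf_ok |= aligned(s.findtext("domain"), header_from, record["aspf"])
        results.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "authenticated": raw_pass,        # some SPF or DKIM check passed
            "dmarc_pass": dkim_ok or spf_ok,  # ...and the passing domain aligned
        })
    return results


def misaligned_sources(results):
    """Sources that authenticate with a non-aligned domain: the step 3 case,
    usually a third-party sender that needs SPF/DKIM set up for the agency domain."""
    return [r["source_ip"] for r in results if r["authenticated"] and not r["dmarc_pass"]]


if __name__ == "__main__":
    policy = parse_dmarc_record(DMARC_TXT)
    rows = evaluate_report(SAMPLE_REPORT, policy)
    for r in rows:
        print(r)
    print("fix alignment for:", misaligned_sources(rows))
```

Under the relaxed defaults, the bulk mailer is the only source flagged; switching the record to adkim=s; aspf=s also flags the mail.example.gov subdomain sender, which is why strict alignment should be chosen only after the reports show every legitimate source signing with the exact From domain.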
Email Before DMARC
Without DMARC, agencies that send email have limited visibility into how domains are being used to send email.
Email After DMARC
DMARC gives the domain owner visibility, through receiver reports, into all mail that claims to come from its domains, and then instructs receivers how to handle messages that fail authentication. Both the reporting and the policy lookup happen outside the mail flow itself.
Before and After DMARC Enforcement
The following chart, showing anonymized views of a customer dashboard, highlights the impact of implementing DMARC: once the domain reached an enforcement policy, the spoofing campaigns against it dropped off, with the attackers abandoning the domain rather than continuing to send mail that receivers reject.
The Best Practice: Gradually Moving to Enforcement
This next chart depicts another campaign targeting new domains. Here, the customer adopted tighter DMARC policies gradually, just as DMARC was designed to be deployed. Initially, under a monitoring policy (p=none), unauthenticated mail volume ran at 100,000 to 150,000 messages per day. After moving to a quarantine policy (p=quarantine), this fell to 50,000 or less. The policy was then tightened to reject (p=reject), which practically eliminated the volume of unauthenticated email.