Chapter 2: What is DMARC?
DMARC is an email authentication policy and reporting protocol. It helps organizations protect their email domains from being spoofed. Through this chapter, you will learn how DMARC works and why it is essential for email security.
Introduction to DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) serves as a technical specification for email authentication created in 2012 by a group of email administrators, security professionals, and industry leaders. It is a security protocol used to identify and authenticate email senders. DMARC allows email senders to create a policy that specifies how receiving email servers should handle their emails. It helps the recipients know that your emails are genuine.
How DMARC Works
DMARC allows organizations to specify what action they want to be taken if a fraudulent email is detected in their name, such as rejecting the email or quarantining it. DMARC also allows organizations to collect data on all emails sent to their domain to help them determine if any of them are fraudulent.
DMARC is another authentication protocol like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) employed by businesses for email security. DMARC enables organizations to set up rules concerning recipients’ actions on sent emails. The most basic rule is called the SPF Box Rule. This rule, when enabled, will identify senders of emails that are not associated with the domain name. You can set up other controls to help classify the type of email being sent to help people avoid accidentally sending emails to the wrong address or filtering spam.
How DMARC Act as an Email Security Tool
Malicious actors and adversaries continue to find new ways to send fraudulent emails from trusted domains, creating a bad brand reputation. In this situation, email authentication techniques like SPF, DKIM, and DMARC can help you protect your domain from being used by spammers to send fraudulent emails.
Apart from protecting your domain from getting misused by spammers, these email authentication methods like DMARC help prevent C-level frauds like BEC (Business Email Compromise) and whaling attacks.
One helpful functionality that DMARC provides apart from spam email protection is that it adds a reporting feature. With reporting, businesses can get detailed insights into who uses their domain to send emails.
Are There Any Downsides to Using DMARC?
DMARC is a valuable tool that can help protect your email from being spoofed, but it does have some limitations. One such factor is that DMARC only applies to email messages sent from your domain. If someone else sends an email message on your behalf, DMARC will not protect it. Besides, DMARC does not work with email messages sent through third-party services, such as Gmail or Yahoo! Mail.
How to Create a DMARC Record?
A DMARC record is a TXT record added to your domain name to instruct the receiving email server about what happens if email authentication fails. It urges the recipient email server to reject/quarantine or allow the email and send a report back to the email address provided in the DMARC record.
A sample DMARC record looks like this:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
The DMARC record is made of 3 tags, namely v, p, and rua, where:
- v – version of DMARC
- p – action to be taken (1: None, 2: Quarantine, 3: Reject)
- rua – return email address
According to the DMARC guidelines, there are 11 tags you can add, but these three tags are essential. The other tags include pct, ruf, fo, aspf, adkim, rf, ri, and sp.
There are several online tools available that can help you create and validate the DMARC records for your domain.
Adding DMARC Records for Your Domain
To add DMARC records for your domain, follow the below steps:
- Visit the control panel of your DNS hosting provider.
- Choose the ‘Add New DNS Record’ option.
- Add “_dmarc” to the Name section.
- You can set TTL to “Auto”.
- In the Content section, add the DMARC record that you created earlier.
- Click ‘Save‘.
- Validate the record.
Thus, your DMARC record is created.
Authentication protocols like SPF, DKIM, and DMARC will undoubtedly add an extra layer of authentication and protection for your emails. Though none of the existing authentication protocols provides businesses with a 100% guarantee to ensure that the emails reach their customer’s inboxes, email authentication helps organizations maintain their trust and reliability to a significant extent. Hence, anyone serious about email security must have DMARC set up for email authentication, as it can help protect your domain from being spoofed.