What is DMARC
DMARC Explained:
Domain-based Message Authentication, Reporting and Conformance, also known as DMARC, is a record you can add to your DNS which assists in email authentication and acts as a reporting protocol.
Put simply, DMARC allows the sender to raise their hand and say “Hey, my messages are protected by SPF and/or DKIM.” It also provides instructions to the receiver on what to do if authentication fails. DMARC takes the guesswork out of handling messages that failed authentication and reports information back to the sender about messages that pass or fail the DMARC policy.
Q: “Can I send emails without DMARC?”
While DKIM and SPF records are always recommended, DMARC is not absolutely necessary for you to send out emails.
If you’re new to DNS records, DMARC may be something to look into further down the line, as it is known to cause issues. For example, if you are sending emails through a platform like the AllClients CRM – you’re actually piggybacking on our domains & sending IP addresses, so setting a strict DMARC policy would cause issues (unless you are using your own IP address through our SendGrid integration).
Why DMARC Exists
DMARC exists because email users suffer from a high volume of spam mail and phishing attempts. With techniques such as email spoofing, where a sender maliciously changes the sender address to make it seem like the email comes from a trusted source, it’s hard to know which emails to trust. For example, if you receive mail from your bank, you’d want to be certain it’s actually them.
Several methods have been introduced over the years to deal with this issue, but they work in isolation from each other and the legitimate domain owners never receive any feedback.
DMARC combats this issue by allowing domain owners to signal that:
- The domain owner is using email authentication (DKIM, SPF).
- They provide an email address where receivers can send feedback about DMARC authentication results.
- They have permission to put a policy in place for any messages that don’t pass authentication.
Q: “I already have DKIM and SPF, why should I use DMARC?”
Companies and email clients apply numerous methods to analyze incoming messages to provide safety and security for the recipient. These range from SPF and DKIM to spam filters and in-depth analysis or “quarantining” of incoming mail.
It is important to understand that DMARC does not eliminate the need for other authentication methods. Instead, it acts as a bridge by helping to coordinate efforts and streamline the process of authentication. DMARC can be recognized as the common thread between email authentication methods.
Q: “I have DMARC, does that mean I am safe from all phishing attacks?”
No. DMARC does help prevent this, but it’s mainly focused on preventing domain spoofing. It has no effect on other methods of email phishing, such as look-alike domains or display name abuse.
Look-Alike Domain Abuse
Look-alike domain abuse uses sender domains that are almost identical to the target. An example of this would be domain.com vs domaln.com.
At a glance, an I and an L can be indistinguishable and a recipient that doesn’t look closely can be tricked into thinking it’s from a legitimate sender. A similar method commonly used is to change the TLD, or “Top-Level Domain” (this refers to the “.com” or “.net” at the end of your domain). An example of a TLD look-alike domain would be example.com vs example.co.
Display Name Spoofing
Display name spoofing can cause issues if you’re not careful, and it usually involves pretending to be someone known to the recipient, such as a co-worker or manager. This approach may not fit every team, but the recommended first line of defense against this type of attack is to instill a “low urgency” policy across your whole team, specifically for email requests.
Teams that adopt this mindset will be more cautious when they receive an email from the CEO stating “Wire $5,000 to this account immediately”. Being cautious of downloads, links, and urgent requests will disarm spoofers as they’re typically pushing the receiver to do something quickly (like before the receiver has a chance to verify the request).
How DMARC Works
DMARC checks whether the domain in the visible “From” header matches the domain verified by your other authentication methods (SPF and DKIM). If either one passes and matches, DMARC passes. This means it is not necessary for both SPF and DKIM to pass for DMARC to pass.
A DMARC record is a DNS TXT record that tells receivers what should happen to emails that do not have DMARC alignment. (DMARC alignment is the technical term for a message that passes either SPF or DKIM with a domain that matches the “From” header.)
In your DMARC record, you can add an email address for where you would like to receive reports. Using these reports, you can gain insight into who’s using your domain in the world of emails.
Types of Policies
By setting up your DMARC policy you can let recipients know what to do with emails that fail the authentication process.
There are three levels of “strictness” for the policy in your DMARC record.
DMARC Policy Levels by Severity:
Level 1: p=none
Always start with this policy as it allows you to keep an eye on your email traffic. No action is taken against emails that fail authentication. By using this policy, you can determine if your domain is being abused by phishers and then you can gauge the impact of moving to a more aggressive policy.
Using this as a starting point will allow you to see what settings you’ll need to adjust moving forward to avoid disrupting your mail flow.
Level 2: p=quarantine
This is the recommended option once you’ve worked out any kinks in your DNS. This policy tells receivers to send all mail that fails authentication to the quarantine or spam folder, but only adopt it after you’ve collected data using a p=none policy to confirm that you’re not unknowingly affecting legitimate senders using your domain.
Level 3: p=reject
This is the strictest policy, and only recommended after testing mail flow under the previous two policies. Any email that fails DMARC under this policy is blocked from being delivered.
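To make the alignment check from “How DMARC Works” and the three policy levels above concrete, here is an added example (not code from the original article or from AllClients) that parses a DMARC TXT record and decides what a receiver would do with a message. It assumes constructed sample records for a placeholder domain example.com, and uses a crude “last two labels” approximation of the organizational domain for relaxed alignment.

```python
# Constructed sample DMARC records for the three policy levels described above.
# example.com and the report mailbox are placeholders, not real values.
SAMPLE_RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value, with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy for messages that fail alignment
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r = relaxed, s = strict
    tags.setdefault("aspf", "r")      # SPF alignment mode
    return tags

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Real receivers consult the Public Suffix List instead (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode only needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record_txt, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, disposition).
    from_domain: domain in the visible From header.
    spf_domain:  envelope sender (MAIL FROM) domain that SPF checked.
    dkim_domain: the d= domain of a DKIM signature that verified.
    DMARC passes when SPF or DKIM passes AND that identifier aligns with From."""
    rec = parse_dmarc(record_txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, rec["p"]   # "none", "quarantine" or "reject"

if __name__ == "__main__":
    # Mail relayed through a third-party platform: SPF passes for the
    # platform's domain, but that domain does not align with the From header.
    print(evaluate(SAMPLE_RECORDS["quarantine"], "example.com",
                   True, "bulk.mailplatform.example", False, ""))
```

The last call shows the situation described under “Can I send emails without DMARC?”: SPF passes for the relaying platform, but without an aligned SPF or DKIM domain the message fails DMARC and inherits the record’s policy.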
Conclusion
A DMARC policy lets recipients know what to do when an email fails SPF or DKIM, indicating possible domain spoofing. This assists by differentiating legitimate emails from spoofed emails, and can act as an extra layer of security for your company.
Keep in mind that DMARC is another step for security in email (which can cause inconveniences), so we recommend using DMARC on your primary email domain, and only in certain circumstances with your marketing domain.