Email is one of the most commonly used mediums of communication. But it’s highly prone to get attacked by hackers and spammers. Thus, implementing SPF, DKIM, and DMARC shield your email conversations and avert threat actors from hijacking them. This blog aims to discuss the top DMARC parameters that will help you get started with the process.
What is DMARC?
To understand what parameters should be associated with DMARC, you need to first know what is DMARC and how it works.
DMARC is short for Domain-based Message Authentication Reporting and Conformance. It’s an email authentication protocol that lets you create and publish a specific security policy around your email authentication process. It instructs the receiver’s mailbox on how to treat unauthentic emails sent from your official domain.
How does DMARC work?
DMARC is implemented in conjunction with SPF and DKIM. The domain owner creates and publishes a DMARC DNS record to their DNS provider. When an email is sent from that domain (either by you and your employees or cybercriminals), the recipient’s mail server validates its authenticity by checking if the domain has a DMARC record published on DNS.
Apart from this, the recipient’s server performs DKIM and SPF checks to know if the sender is actually who they say they are. Following checks are performed:
- If the message has a valid DKIM Signature?
- If the sender’s IP address matches the authorized senders in the SPF record?
- Do the message headers pass domain alignment tests?
Once the SPF and DKIM results are out, the mail server applies the policy. In the end, a report called DMARC Aggregate Report is sent to the email address specified for receiving reports.
DMARC Policies
One of the primary DMARC parameters is the three DMARC policies. You can monitor for some time and then decide how you want recipient mailboxes to treat unauthenticated emails sent from your domain. Here are the three policies:
Monitor Policy: p=none
This DMARC policy tells email servers to deliver reports to the address mentioned in the rua or ruf tag of your DMARC record. It’s referred to as a monitoring-only policy this is implemented in the initial stage of DMARC compliance to analyze the activity of your email channel.
It offers insights into the email channel but doesn’t tell receiving servers how to treat emails failing DMARC checks.
Quarantine Policy: p=quarantine
This DMARC record parameter instructs receiving servers to put emails failing DMARC authentication into the spam folder. Emails passing the authentication test will land in the inbox. This will minimize the chances of you accidentally addressing a phishing email, but such malicious emails will still be there to the spam folder.
Reject Policy: p=reject
The p=reject DMARC parameter instructs email servers to completely reject the entry of emails failing DMARC authentication checks. All passed emails are delivered to the inbox. However, there are chances of false fails, which means meaningful and authentic emails can also fail to reach the intended recipients at times.
DMARC Tag Types and What They Do
DMARC tags specify aspects of DMARC parameters and not all of them are as important and as used as the others. They’re divided into three categories.
- Required: These are mandatory tags. Every DMARC TXT record has to start with the mandatory ‘v’ or version tag and add its value as ‘DMARC1’.
- Optional but recommended: It isn’t necessary to add these tags, however, they help generate reports.
- Optional: You can skip these tags completely.
Functions of DMARC Tags
There are total of 11 tags important for DMARC record parameters and the “v” and “p” tags are mandatory. Let’s know what’s the function of each tag.
| DMARC Tag Name | Type | Function |
| v (version) | Required | This DMARC tag specifies the version. There’s only one version as of now, so it’s value is fixed as v=DMARC1. |
| p (policy) | Required | The DMARC parameter shows the DMARC policy mode. It directs the receiver to report, quarantine, or reject emails that fail authentication checks. |
| adkim | Optional | It is short for DKIM alignment mode. Its value can be either Strict (s) or Relaxed (r).
In relaxed mode, the validation shows pass result if the verified DKIM record addresses to a domain d=sample.com, and the sender’s email address is of the category- email@news.sample.com. In the strict mode, validation shows pass result when the email comes from an address on the sample.com domain. Subdomains fail validation. |
| aspf | Optional | This DMARC parameter stands for SPF alignment mode. Its value can be either Strict (s) or Relaxed (r). The default is Relaxed “r”. |
| sp (subdomain policy) | Optional | The DMARC sp tag specifies subdomain policy. The policy mode is configured for your main domain (p). |
| fo (failure reporting) | Optional | DMARC fo tag’s default value is 0. It caters to the failure reporting options the domain owners can select from.
The available options are: fo=0: a DMARC failure/forensic report is sent to you if your email fails both SPF and DKIM alignment fo=1: a DMARC failure/forensic report is sent to you when your email fails either SPF or DKIM alignment fo=d: a DKIM failure report is sent if the email’s DKIM signature fails validation, regardless of the alignment fo=s: an SPF failure report is sent if the email fails SPF evaluation, irrespective of the alignment. |
| ruf (failure report RUI) | Optional but recommended | It specifies where DMARC forensic ruf report has to be sent. Currently, only a few DMARC-compliant companies sent it. |
| rua (aggregate report RUI) | Optional but recommended | While DMARC parameters are explained, the rua tag displays the email address or web server to which reporting companies have to deliver it. |
| rf (report format) | Optional | This DMARC tag’s default value is ‘afrf’. It registers forensic report formats. |
| pct (percentage) | Optional | Its default value is ‘100’. This tag tells the percentage of emails to which the policy mode is tried
For example, “pct = 40” will filter 40% of emails. |
| ri (report interval) | Optional | The ri tag’s default value is ‘86400’. It specifies the time interval in seconds between two consecutive aggregate reports. |
Summary
DMARC parameters work together to help you prevent phishing and spoofing attacks attempted in your brand’s name. It works in conjunction with SPF and DKIM where DMARC policies are applied to tell the receiving server how to handle emails failing validation checks. The three tags are p= none (no action is taken on the failed emails), p=quarantine (failed emails land in the spam folder instead of inbox), and p=reject (failed emails are completely barred from entering intended recipients’ mailboxes).
