How DMARC Works?

DMARC, or Domain-based Message Authentication Reporting and Conformance, is an email authentication protocol created with the objective of securing business domains and brands from spoofing attacks. 

Attackers can impersonate your organization to send phishing emails to your customers, business partners and even your own employees. Email fraud is one of the most common ways that organizations lose sensitive data and money to cybercriminals. 

DMARC is designed to combat domain spoofing by acting as a way for receiving email servers to check if an incoming message is genuine or not. Let’s understand how exactly it works.

Start 15-day trial Book a demo

Table of Contents

  1. Sender Policy Framework (SPF)
  2. DomainKeys Identified Mail (DKIM)
  3. DMARC Authentication Process
  4. Alignment with DMARC
  5. Reporting with DMARC
  6. DMARC for Brand Protection
secure email powerdmarc

How DMARC Works?

DMARC combines two existing technologies to authenticate email coming from your domain. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are the two building blocks of DMARC. Let’s take a look at both.

SPF

When you implement SPF for your domain, you publish an SPF record to your DNS. When a receiver gets an email from your domain, it will compare the sender’s IP address with the list of authorized IPs stored in your SPF record. If the receiving server encounters an email from an IP not in this list, the message will fail SPF.

While SPF can be quite effective, it has certain limitations that make it an incomplete authentication solution.

PowerDMARC MSSP is Different
  • SPF is an IP-based whitelist, which means if someone forwards the email, it will not contain the original sender’s authorized IP address.
  • SPF doesn’t provide feedback. Unlike DMARC, there’s no way to know if an email has failed SPF authentication.
  • SPF authenticates the hidden “mailfrom” domain, not the “from” domain receivers will see when they read the email. Hence attackers can still spoof an email. 
  • SPF failing emails can still make it to the receiver’s inbox, the way SPF failing emails are processed vary depending on the receiving MTA 

DKIM

Meanwhile, DKIM attaches a digital signature to authorized emails. When an unauthorized sender tries to send an email from your domain, or tampers with your emails, the receiving server can detect this and stop the email from being delivered.

In order for a message to be DMARC-approved, it has to pass either SPF or DKIM authentication. If an email fails both, the server checks your DMARC policy to see what to do next. Your policy can be set in your DMARC record to one of 3 options:

  • p=none — Even emails that fail authentication are delivered to the receiver’s inbox.

  • p=quarantine — Unauthenticated emails go to the spam folder.

  • p=reject — Emails that fail DMARC are not delivered to the recipient.

PowerDMARC MSSP is Different

You need to set a policy of either Quarantine or Reject in order to properly enforce DMARC.

DMARC Authentication Process

To describe email without DMARC authentication, let’s first examine email without DMARC:

PowerDMARC MSSP is Different

  • An email is sent from business.com to receiver.com

  • receiver.com’s Mail Transfer Agent (MTA) has no mechanism to authenticate the email sender (business.com)

  • All emails sent from business.com are delivered to the recipients’ inboxes without being validated.

  • If any of the emails from business.com were sent by an attacker impersonating them, these fraudulent emails have also been delivered to receiver.com.

Now let’s take a look at how email with DMARC works:

PowerDMARC MSSP is Different

  • An email is sent from business.com to receiver.com

  • receiver.com’s Mail Transfer Agent (MTA) looks up the SPF, DKIM and DMARC records of business.com (on their DNS) to authenticate the sender

  • If the sender is authenticated, the email is delivered to the recipient. Otherwise, the email is either quarantined (sent to spam) or rejected (not delivered).

  • DMARC reports are generated by the receiving MTA and are sent to PowerDMARC

What Makes DMARC Better?

You might be wondering why anyone would want to implement DMARC instead of just using SPF and DKIM. After all, you need to have both of these set up to use DMARC. But they lack two key features that make DMARC incredibly powerful.

Alignment 

  • SPF and DKIM alone offer only limited protection because they function independently. DMARC, however, leverages both technologies for maximum security.

  • When your email is sent, the ‘From domain’ contains your domain name. Additionally, your domain appears in your DKIM signature as well. 

  • If both of these match, then they’re considered aligned. With DMARC, unless both domain names align, the email will not be authenticated.

Reporting and Visibility

  • When you implement DMARC, you receive daily aggregate reports that tell you which emails going through your domain are passing or failing DMARC. 

  • If someone’s trying to spoof your email, you can take action to blacklist the abusive IP. Even better, if you’re having deliverability issues on your domain, you can pinpoint the exact source of the problem and fix it immediately.

  • DMARC isn’t just about passively defending your domain, it can be used to actively eliminate delivery problems and security threats.

Wondering if your domain is protected against spoofing? Run this test to see the health of your domain.

Benefits of DMARC

Eliminate Threats

Detect and address spoofing attacks early, find and blacklist abusive IPs 

Maximize Delivery

Immediately understand where you’re having deliverability issues and fix them fast

Boost Your Brand

When you protect them from phishing, your customers will put more trust in your brand

Why is DMARC Good For Your Brand?

  • So far, it’s pretty clear how DMARC helps you protect your email channels from domain spoofing and phishing. But does it really provide enough major benefits for your organization to justify implementing it?

  • Imagine a scenario where a hacker impersonates your brand to send phishing emails to all your customers. When hundreds of customers end up disclosing sensitive personal data to a cybercriminal, they start associating your brand with that phishing scam. Now it’s your name all over the news for a crime you had nothing to do with, and legal trouble could follow.

  • You could never stop every single employee or customer from opening a fake email. But that’s exactly what DMARC does.

  • By eliminating fraudulent email before it even enters people’s inboxes, it stops a phishing scam from ever occurring. And consequently, you’re always in control of what emails people see. You’re always in control of your brand.

Read more about RUA Read more about RUF

secure email powerdmarc

Book a demo now!

Start 15-day trial Book a demo