I’m sure you’ve heard about DMARC, but do you know what it is? This DMARC for Dummies guide is for everyone, technical and non-technical, and walks you through the basics of DMARC in plain English.
Many people online are curious about information security and email authentication but find the protocols hard to understand and implement. This guide is here to show how easy it is to configure DMARC and to debunk some common myths surrounding it.
DMARC explained in plain English
What is DMARC? Expanding the acronym, DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s an email security policy that lets email senders specify how their email should be handled when a receiving server gets it.
For example, if you’re using a marketing automation platform, you can set up a rule that says: “If the email comes from Gmail, then accept it.” You can then set up another rule that says: “If the email comes from Hotmail, then reject it.” This way, if someone gets a reply from Hotmail but not Gmail, they’ll know that their message wasn’t delivered correctly, and they’ll be able to take steps toward fixing it.
It’s also a way for organizations to protect themselves against phishing attacks by making sure that the emails they receive are legitimate.
How does it work?
If the email is fake, DMARC will let you know.
Here’s how it works: A sender domain (like company.com) publishes a DNS record with their domain registrar that states their policy: what types of emails they will accept and reject, and where those emails should be sent if they’re rejected. Then, when someone sends an email on behalf of your company using DMARC, the receiving server checks whether a valid policy is in place before accepting it. If there isn’t, the receiving server can either reject the message or quarantine it until someone at your company who knows what’s going on verifies it, or the message can be destroyed altogether.
Why should I care about this?
If you’re a business that uses email marketing, you need to know how to implement DMARC correctly. It helps prevent spoofing and phishing, which means it can protect your customers from getting scammed. It also upholds your brand’s reputation by ensuring all the emails your domain sends out are legitimate, so people know they can trust you.
- It prevents emails from spoofers, who send out emails pretending to be from your domain
- It helps protect your brand from phishing attacks by preventing email impersonation
- It gives you more control over how legitimate emails are delivered to recipients
DMARC Essentials and Preconditions
At a high level, there are three things you need to do to implement DMARC:
- Create a DNS record that points to your email server’s SPF record
- Create a DNS record that points to your email server’s DKIM key record
- Set up SPF and DKIM on your email server
Note: It is not mandatory to implement both SPF and DKIM to configure DMARC. You can implement either of the two; however, both are recommended for enhanced security. If your domain is hosted by an email provider like Office 365 or Google Apps, they may already have one of the required SPF records in place for you; you can check with them whether this is the case. You’ll also need to find out what their DKIM key is so that you can add it to your DNS settings.
When you’re ready to implement DMARC, you’ll need to make sure you have the right tools and infrastructure in place.
To get started, you’ll need:
- A domain name registrar (like GoDaddy)
- A DNS provider (like AWS Route 53)
- A mail server that supports SPF and DKIM (like Amazon SES)
Setup and Policy Modes
To establish email authentication with DMARC at your organization, you need to have a policy record in place on your DNS after you have taken care of the prerequisites mentioned above.
Given below is an example of one such record:
Value: v=DMARC1; pct=100; p=none; rua=mailto:[email protected];
Each tag is significant and carries specific instructions for receiving servers. Let’s break down the ones used here: the “v” tag gives the protocol version in use, pct refers to the percentage of emails authenticated (100% in this case), p is the DMARC failure mode or policy in effect, and the rua tag is the email address to which reporting domains send aggregate reports.
You can create a record specific to your domain manually if you’re familiar with the syntax. Otherwise, you can use a free online DMARC record generator tool to assist you in the process.
While creating your record you MUST specify a policy mode (under the “p=” tag). There are three DMARC policies to choose from:
- None: You instruct your receivers to accept every email originating from your domain, whether it passes or fails domain alignment. Best for novices who are just starting with email authentication.
- Quarantine: You instruct your receivers to quarantine emails failing domain alignment so that they can be reviewed later.
- Reject: You instruct your receivers to reject every email that fails alignment. If you want protection against spoofing and phishing attacks, this is the policy you should go for.
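To make the record syntax and the three policy modes concrete, here is an added example (not code from the article) that parses a DMARC TXT record into its tags, checks the mandatory ones, and says in plain English what the record asks receivers to do. The record and the dmarc@example.com address in it are constructed placeholders.

```python
"""Parse a DMARC TXT record into its tags and explain what it asks receivers to do."""

# What each p= value tells receiving servers to do with mail that fails alignment.
POLICIES = {
    "none": "deliver it anyway and only report (monitoring mode)",
    "quarantine": "quarantine it (spam/junk folder) for later review",
    "reject": "reject it outright",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value; ...' into a dict and validate the basics.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; pct= is
    optional and defaults to 100.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first_key = txt.split("=", 1)[0].strip().lower()
    if first_key != "v" or tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("record needs p=none, p=quarantine or p=reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = str(pct)
    return tags


def describe(tags: dict) -> str:
    """One-line plain-English summary of the parsed record."""
    text = f"for {tags['pct']}% of mail failing alignment: {POLICIES[tags['p']]}"
    if "rua" in tags:
        text += f"; send aggregate reports to {tags['rua']}"
    return text


if __name__ == "__main__":
    # Constructed record mirroring the article's example; the address is a placeholder.
    record = "v=DMARC1; pct=100; p=none; rua=mailto:dmarc@example.com;"
    print(describe(parse_dmarc_record(record)))
```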
Monitoring and Reporting on email delivery failures
Reporting in DMARC is a feature that allows you to track your email’s authentication status and delivery failures. It is an excellent feature that enables detailed DMARC analysis by extracting email header information. It can also help you identify where your emails are being forwarded and what kind of responses you’re getting from the recipient.
Shown below is a part of a DMARC report to give you an idea about what it may look like.
As you scroll further down your report, you should be able to see your SPF and DKIM authentication results listed chronologically:
Each report is sent as an XML file, which means you need a fair understanding of Extensible Markup Language (XML) to read the data. You can avoid this hassle by using a DMARC report analyzer that automatically parses the reports and makes them human-readable.
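To show what such an analyzer does with the XML, here is an added example (not the article's own code) that reads a small aggregate report in the RFC 7489 format, totals messages per sending IP, and lists the sources whose SPF and DKIM both failed alignment. The report is constructed; example.com, receiver.example and the IP addresses are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report the way a report analyzer would."""
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 aggregate XML format (not a real report);
# example.com and the 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct>
  </policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarise_report(xml_text: str) -> dict:
    """Count messages per source IP and flag sources that failed alignment.

    policy_evaluated/dkim and /spf are the receiver's alignment-checked
    verdicts; DMARC passes when either one is 'pass'.
    """
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "sources": {}, "failing": []}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        aligned = "pass" in (dkim, spf)
        summary["sources"][ip] = {"count": int(rec.findtext("row/count")),
                                  "dkim": dkim, "spf": spf, "aligned": aligned}
        if not aligned:
            summary["failing"].append(ip)
    return summary


if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    for ip, r in s["sources"].items():
        print(f"{ip}: {r['count']} msgs, dkim={r['dkim']}, spf={r['spf']}")
    print("sources failing alignment (review before moving to p=reject):", s["failing"])
```

Sources that appear in the failing list are either spoofers or legitimate senders you forgot to cover with SPF/DKIM, which is exactly what the p=none monitoring phase is meant to surface.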
To enable reporting, you need to add the “rua” tag to your record, specifying the email address at which you want to receive these reports. Make sure the email address belongs to your own domain and is created specifically for this purpose, so the reports don’t clutter another mailbox.
Industry Support and Spoof Protection
ESPs that support DMARC include industry giants like Google, Microsoft, Amazon, MailChimp, and more. Industry leaders and experts endorse email authentication as a proven method for reducing direct-domain spoofing and email phishing attacks. This, however, can only be achieved with an enforced policy (quarantine or reject).
It is also important to note that DMARC is NOT a replacement for your antivirus or firewall solutions. It is an added layer of security that can better protect your organization against email fraud attacks. For well-rounded protection, pairing DMARC with your antivirus software or firewall is a must.