DMARC

What is DMARC?

DMARC, or “Domain-based Message Authentication, Reporting & Conformance”, is another type of email authentication. It links authentication to the author From: domain name, publishes policies for how recipients should handle authentication failures, and provides reporting from receivers to senders, to improve and monitor the protection of the domain from fraudulent email.
Rather than thinking of DMARC as a service on the cloud, think of it more like a standard or policy that your domain is upholding. DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like an email from that domain to be handled if it fails an authorization test.
Your DMARC record is published alongside your DNS records including:

  • SPF
  • A-record
  • CNAME
  • DKIM

Unlike SPF and DKIM, a properly configured DMARC policy can tell a receiving server whether or not to accept an email from a sender.

Note: Not all mail servers check DMARC before receiving a message, but all ISPs do.

How does DMARC work?

Our friends at SendLane have laid it out perfectly for you:

  1. You craft your email and hit send to your loyal contacts.
  2. Your mail server adds a DKIM header, which looks for forged sender addresses.
  3. DKIM confirms that you are legit.
  4. Your email heads on over to your recipients’ mail server.
  5. The recipients’ email server checks for authentication.
  6. Once given the okay, DMARC jumps in to decide if your email should be passed, quarantined, or rejected.
  7. If passed, your message arrives in your recipients’ inbox, to catch one final spam filter.
  8. You made it to the inbox!

Why is DMARC important?

Nearly 70% of all global emails are malicious. From 2013 to 2016 companies saw losses approaching $1.6 billion related to phishing attacks.

  1. Publishing a DMARC record protects your brand by preventing unauthorized parties from sending mail from your domain. In some cases, simply publishing a DMARC record can result in a positive reputation bump.
  2. Using DMARC reports increases visibility into your email campaigns by letting you know who is sending mail from your domain.
  3. DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email community to be more secure and trustworthy as a whole.
  4. DMARC helps you stay out of your recipients’ spam folder.
  5. DMARC increases customers’ confidence in your brand. When they see that you take email security seriously, they know you care about the privacy of their information as well.

DMARC is an important aspect of modern IT security hygiene in 2018, and U.S. government adoption will likely help spur wider adoption by enterprises around the world as well.

 

How does DMARC affect email deliverability?

You can improve your email’s deliverability with DMARC by:

  1. Publishing a DMARC record
    By placing a DMARC record, a domain owner asks ISPs (that support DMARC) to send feedback on the emails they receive for that domain. This indicates to receivers that the domain is serious about improving its email authentication.
  2. Using the DMARC results to improve the authentication results
    The DMARC reports show which sources and IPs send out email on behalf of a domain and provide insight into the results of the SPF and DKIM verification. With these results, a domain owner can start to improve the SPF and DKIM verification. By improving its email authentication, a domain becomes more trustworthy, which may lead to ISPs being more willing to place emails in the primary inbox of the receiver.
  3. Enforcing the DMARC policy
    The DMARC policy can be enforced in small steps, first to quarantine and eventually to a 100% reject policy. Enforcing the DMARC policy will reduce the impact of malicious emails that are sent on behalf of the domain. It also shows ISPs that the domain owner has put a lot of effort into securing the email channel, so receivers can rely on emails originating from that domain. This can lead to ISPs being more willing to place emails in the primary inbox and can help to improve domain reputation.

What does a DMARC record look like?

You can also go to https://dmarcian.com/dmarc-inspector/ to view the DMARC record for any domain that has one published.

Here is an example of a DMARC record. This is SendGrid’s DMARC record:

v=DMARC1\;p=none\;rua=mailto:[email protected]\;ruf=mailto:[email protected]\;rf=afrf\;pct=100

What does the MailGenius email test tool cover with regards to DMARC?

  • dmarc_dkim_alignment – DMARC DKIM From/Domain Alignment
  • dmarc_spf_alignment – DMARC SPF From/Domain Alignment
  • no_dmarc_record – DMARC DNS Record Existence
  • invalid_dmarc_version – Valid DMARC DNS Record version
  • invalid_dmarc_policy – Valid DMARC DNS Record policy
  • multiple_dmarc_records – Multiple DMARC DNS Record detection
  • dmarc_none_policy – DMARC DNS Record using the ‘none’ policy
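
The record-level checks in this list can be reproduced with a small linter. This is an added example, not MailGenius's code: the function names are hypothetical, the finding names are borrowed from the list above as labels, and the rules follow RFC 7489. It assumes the `\;` in the record shown earlier is zone-file style escaping and accepts it.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a DMARC TXT value into {tag: value}; accepts zone-file '\\;' escapes."""
    tags = {}
    for part in record.replace("\\;", ";").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt_records):
    """Return finding names for the TXT strings published at _dmarc.<domain>."""
    # Other TXT data at the same name (for example an SPF string) is not a DMARC record.
    candidates = [r for r in txt_records if re.match(r"\s*v\s*=\s*dmarc", r, re.I)]
    if not candidates:
        return ["no_dmarc_record"]
    if len(candidates) > 1:
        # RFC 7489: with more than one record, receivers apply no DMARC policy at all.
        return ["multiple_dmarc_records"]
    tags = parse_tags(candidates[0])
    findings = []
    if tags.get("v") != "DMARC1":  # the version value is case-sensitive
        findings.append("invalid_dmarc_version")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("invalid_dmarc_policy")
    elif policy == "none":
        findings.append("dmarc_none_policy")  # monitoring only, nothing is enforced
    return findings

# Constructed sample records; the example.com address is a placeholder.
SAMPLES = {
    "monitoring": [r"v=DMARC1\;p=none\;rua=mailto:dmarc@example.com\;pct=100"],
    "enforcing": ["v=DMARC1; p=quarantine; pct=25"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "bad_version": ["v=DMARC2; p=reject"],
    "bad_policy": ["v=DMARC1; p=block"],
    "spf_only": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(f"{name:12} {lint_dmarc(records) or ['ok']}")
```
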

Caveats, things to watch out for:

  • DMARC is not a quick deliverability fix. Just deploying a DMARC policy is not a quick email deliverability fix. By deploying and enforcing a DMARC policy your deliverability can improve; however, this is not a guarantee.
  • Immediately enforcing a reject policy is not a good idea. We strongly discourage enforcing a reject policy when starting out. When companies encounter a phishing attack, they immediately lock down their email channel by placing a DMARC record and enforcing a 100% p=reject policy. This is effective in blocking phishing attacks; however, it will also lead to legitimate emails being lost. DMARC Analyzer advises starting with a p=none policy and monitoring the results. This process can take 1-12 months.
  • DMARC does not protect inbound email streams. DMARC is not designed to protect inbound emails.
  • DMARC requires both SPF and DKIM to fail in order for it to act on a message.
  • As DMARC implementation becomes more mainstream, so will DMARC failures. Some applications or websites have features that allow a user to send an email to themselves or to a friend. Oftentimes, the website or application sends these emails from the user’s own email address ([email protected]). Because of Yahoo’s DMARC policy, these messages will be rejected by any receiving server that does a DMARC check. This will also occur if an unauthorized user attempts to send mail for any domain that publishes a DMARC record with p=reject.
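
The last two caveats come down to how a receiver combines the SPF and DKIM results with alignment and the published policy. The following is an added example, not code from this page or any vendor: the function names are hypothetical, the domains are constructed, and the organizational domain is approximated by the last two labels.

```python
def org_domain(domain):
    """Approximate the organizational domain by its last two labels.

    Assumption for this sketch: real receivers consult the Public Suffix
    List, so names under suffixes such as co.uk need that lookup instead.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Strict mode ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf, dkim, policy, pct=100,
                      aspf="r", adkim="r", sample=0):
    """spf and dkim are (result, authenticated_domain) pairs.

    sample is a number in 0..99 chosen per message by the receiver; it is
    passed in here so the pct behaviour is deterministic.
    """
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    if spf_ok or dkim_ok:           # one aligned pass is enough
        return ("pass", "deliver")
    if policy == "none":
        return ("fail", "deliver")  # reported, not enforced
    if sample >= pct:
        # Outside the sampled share: RFC 7489 applies the next weaker policy.
        return ("fail", "quarantine" if policy == "reject" else "deliver")
    return ("fail", policy)

# Constructed case: a web app sends "share with a friend" mail using the
# user's own address at example.com, which publishes p=reject. SPF and DKIM
# both pass, but for the app's domain, so neither is aligned with From:.
FORWARDED = dmarc_disposition(
    "example.com",
    spf=("pass", "bounce.webapp.example.net"),
    dkim=("pass", "webapp.example.net"),
    policy="reject",
)

if __name__ == "__main__":
    print(FORWARDED)
```
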

Additional Resources

  1. What is DMARC? – SendGrid
  2. DMARC’s Role in Email Marketing & Deliverability – Sendlane
  3. How to explain DMARC in Plain English – Return Path
  4. What is DMARC? – DMARC Analyzer
  5. How DMARC can improve email deliverability and domain reputation – DMARC Analyzer
  6. Get Your Questions Answered by Real Email Experts – LearnEmail.com