What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy and reporting protocol. It builds on the SPF and DKIM records a domain has already published: the DMARC record ties those two mechanisms to the domain in the message's From header and tells receiving servers what the domain owner wants done with mail that fails authentication. DMARC also provides reporting, so receiving servers can inform the sending domain that authentication failures occurred and what action was taken. This lets the domain owner monitor the health of the domain's email environment (spoofing, spamming, fraudulent email and so on). DMARC is an openly published specification and is free to use with no licensing required.

How does DMARC work?

A DMARC policy lets the sending domain announce that its mail is protected by SPF and DKIM, and tells the receiving server what to do with messages that fail those checks. A message passes DMARC when at least one of SPF or DKIM passes and the domain it authenticated aligns with the domain in the From header; otherwise the receiver applies the published policy. This removes the guesswork on the receiving side about how to handle failures.

DMARC was designed to fulfill the following goals:

  •   Minimize false positives

  •   Provide detailed authentication reporting

  •   State the sender's policy to the receiving server

  •   Reduce successful delivery of phishing messages

  •   Minimize the complexity of anti-phishing and anti-spoofing policies

  •   Work at Internet scale

DMARC is meant to replace Author Domain Signing Practices (ADSP) by adding support for:

  •   Subdomain/wildcard policies

  •   Non-existent subdomains

  •   Slow rollouts (applying the policy to a percentage of failing mail)

  •   SPF, in addition to DKIM

  •   Quarantining mail


DMARC is built on the DKIM and SPF specifications; ideally a domain publishes both, so that a message has two independent ways to produce an aligned pass and satisfy the DMARC policy.

A very useful tool for parsing aggregate and failure reports is https://dmarcian.com/dmarc-xml/. It converts the XML report file you receive into a human-readable format, including charts and calculations based on the results.

DMARC Structure

VERY IMPORTANT: When first setting up DMARC, publish the record with p=none, which tells receivers to take no action on failures, but enable reporting (rua, and ruf if you want per-message failure reports) so that you can analyze the aggregate and failure reports to validate the setup. Only move to quarantine, and later reject, once the reports show that all legitimate mail sources authenticate and align. This is an essential step to avoid losing legitimate mail.

DMARC records are published in DNS as a TXT record at _dmarc.<domain> and inform receiving servers what to do with mail that is not aligned.

Below is an example record, followed by a breakdown of each tag:

"v=DMARC1;pct=15;rua=mailto:[email protected];ruf=mailto:[email protected];sp=reject;adkim=s;aspf=r;p=quarantine;ri=86400;fo=0:s"

  •   v=DMARC1: the protocol version. It must be exactly DMARC1 and must be the first tag; the order of the remaining tags does not matter.

  •   p=quarantine: the policy for mail whose From domain is the domain itself (none, quarantine or reject). This tag is required.

  •   sp=reject: the policy for subdomains. If omitted it defaults to the value of p.

  •   pct=15: apply the policy to 15% of failing messages. The remaining failing messages get the next less strict policy (reject becomes quarantine, quarantine becomes none). The default is 100.

  •   rua=mailto:...: where aggregate (XML) reports are sent.

  •   ruf=mailto:...: where per-message failure reports are sent.

  •   adkim=s: strict DKIM alignment, so the signature's d= domain must exactly match the From domain. With r (relaxed, the default) any subdomain of the same organizational domain aligns.

  •   aspf=r: relaxed SPF alignment, so the SPF-authenticated domain only has to share the organizational domain with the From domain.

  •   ri=86400: the requested interval between aggregate reports, in seconds (86400 is one day and is the default).

  •   fo=0:s: failure reporting options, colon separated. 0 means report only when neither SPF nor DKIM produces an aligned pass; s means also report whenever SPF fails, regardless of alignment.
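The record parsing and the pass/alignment logic described under "How does DMARC work?", in an added example that is not from the original article or any mail server implementation. It takes a record shaped like the one above (with the v tag as DMARC1, which the specification requires, and constructed report addresses), validates the tags a receiver cares about, then evaluates a message's SPF and DKIM results against it: strict versus relaxed alignment, the sp policy for subdomains, and pct sampling. The organizational-domain helper is a deliberate simplification; real receivers consult the Public Suffix List.

```python
"""Added example (not from the original article): parse a DMARC record and
evaluate a message's SPF/DKIM results against it."""
import random

# Constructed record: the article's example with v=DMARC1 and made-up addresses.
EXAMPLE_RECORD = (
    "v=DMARC1;pct=15;rua=mailto:dmarc-agg@example.com;"
    "ruf=mailto:dmarc-fail@example.com;sp=reject;adkim=s;aspf=r;"
    "p=quarantine;ri=86400;fo=0:s"
)
VALID_POLICIES = ("none", "quarantine", "reject")
# RFC 7489 6.6.4: a failing message outside the pct sample gets the next
# less strict policy instead of the published one.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split a record into a tag dict and enforce the rules receivers check."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name] = value
    if "p" not in tags:
        # RFC 7489 6.6.3: a record with rua but no p is treated as p=none.
        if "rua" not in tags:
            raise ValueError("p tag is required")
        tags["p"] = "none"
    if tags["p"] not in VALID_POLICIES or tags.get("sp", "none") not in VALID_POLICIES:
        raise ValueError("p/sp must be none, quarantine or reject")
    if tags.get("adkim", "r") not in ("r", "s") or tags.get("aspf", "r") not in ("r", "s"):
        raise ValueError("adkim/aspf must be r or s")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def is_valid(record: str) -> bool:
    """True if parse_dmarc accepts the record (rejects e.g. a v=DMARC typo)."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real receivers
    use the Public Suffix List so that suffixes like co.uk work correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment of an authenticated domain with the From domain."""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed


def evaluate(record: str, record_domain: str, from_domain: str,
             spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none", sample=None) -> dict:
    """DMARC verdict for one message. spf_domain is the MAIL FROM domain SPF
    checked, dkim_domain the d= of a verified signature, sample a number in
    [0, 100) used for pct sampling (random unless the caller pins it)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok  # one aligned pass is enough
    # sp applies to subdomains of the domain that published the record.
    is_sub = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    disposition = "none"
    if not passed:
        sample = random.uniform(0, 100) if sample is None else sample
        disposition = policy if sample < int(tags.get("pct", "100")) else WEAKER[policy]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "pass": passed,
            "policy": policy, "disposition": disposition}


if __name__ == "__main__":
    # Legitimate mail: DKIM d= equals the From domain, so strict alignment holds.
    print(evaluate(EXAMPLE_RECORD, "example.com", "example.com",
                   dkim_domain="example.com", dkim_result="pass"))
    # Spoof: only an unaligned SPF pass from another domain; sampled in -> quarantine.
    print(evaluate(EXAMPLE_RECORD, "example.com", "example.com",
                   spf_domain="bulk-sender.net", spf_result="pass", sample=5))
```

Note that `adkim=s` in the example record makes a signature from mail.example.com fail alignment for a From of example.com, while `aspf=r` lets an SPF pass for bounce.example.com align; that asymmetry is exactly what the aggregate reports will surface during a p=none monitoring phase.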

All information was garnered from the following sites:

https://dmarc.org/resources/specification/

http://www.zytrax.com/books/dns/ch9/dmarc.html

https://en.wikipedia.org/wiki/DMARC
