Domain-based Message Authentication, Reporting, and Conformance (DMARC) is one of the three pillars of modern email security. DMARC works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to protect against spoofing, spam, and phishing attacks.
DMARC adds reporting and policy to email security:
- DMARC reporting notifies administrators when SPF or DKIM configuration errors prevent delivery of legitimate email for the domain.
- DMARC reporting allows administrators to monitor spoofing attempts for the domain.
- DMARC policy fixes shortcomings in SPF and DKIM typically abused by spammers.
How DMARC works
The DMARC record for a domain appears in the DNS as a TXT record. The name of this record must begin with the label “_dmarc”, followed by the domain name. This TXT record contains the DMARC policy for the domain as a set of tags and values.
When a mail server receives an email, it extracts the domain from the From header. It performs a DNS TXT lookup to check if there is a DMARC record for the domain. The mail server then performs three checks on the mail:
- Does the mail’s DKIM signature successfully validate the contents of the mail?
- Did the message come from an IP address permitted to send mail for the domain by the domain’s SPF records?
- Do the domains in the email’s headers pass “domain alignment” checks?
After performing these three checks, the receiving mail server is ready to apply the domain’s DMARC policy. This policy dictates whether the email will be delivered, rejected, or flagged as suspicious.
Note that an email doesn’t need to pass both DKIM and SPF. Just one is enough to validate an email.
At the end of this process, the receiving mail server reports the outcome to the sending domain’s administrator. The final step is a critical part of DMARC. DMARC reports can be used to monitor for SPF and DKIM errors and to debug problems.
If you want assistance setting up DMARC, please call us on 0450 064 577 or contact us by email.