Email is an excellent opportunity for businesses to promote their brand and get clients. Besides this, email helps the spreading of spam, malware, phishing, viruses, and other fraud simply because it’s hard to tell if the sender is genuinely the one it pretends to be.Authentic senders have to wade through complicated anti-spam filters to get their email messages delivered to the destination recipient.
To help email senders, you must deliver legitimate emails to the recipients, and block phishing and fraud messages, email senders, and receivers adopted a new email authentication standard.
DMARC Overview
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a mechanism to determine whether an email is coming from the specific sender or not. It is crafted to protect the company’s email domain from being used for sending phishing scams, email spoofing, and other malware.
DMARC builds on the broadly deployed SPF and DKIM protocols and adds domain alignment checking and reporting capabilities. DMARC reports are originated by the firms that process incoming emails and give domain owners visibility on how their domains used on the Internet.
Organizations and senders use DMARC to check that their sending domains are not abused and that they do not convey any fraud emails.
By executing the DMARC authentication, email senders can ensure that they did all the possible things they could, to stop the abuse of their domains, protect their brand, and stop spoofed messages.
Importance of DMARC
To tie all of the above, DMARC gives the following facilities to domain owners:
-
Prevention Of Fraud Emails
When you implement DMARC and make all of your legitimate email sources DMARC aligned, you can tell the email recipients to reject any email that claims to come from your domain but fails the DMARC check. DMARC gives you a robust anti-phishing control and has been used to block vast amounts of email fraud.
-
Simplified Delivery To The Recipient’s Inbox
DMARC makes it simple for email receivers to identify the message. To stopping spam, email receivers invest a lot of money, time, and resources in developing technology that filters out undesirable emails. The DMARC adoption permits email receivers to simplify their filtering guidelines, quickly identify the email, and deliver it. In case an email passes DMARC authentication, it shows it truly comes from the domain displayed in the “From” address.
-
Protection Of The Domain And Brand Reputation
By analyzing DMARC reports, you can detect illegal senders using your domain and tell the recipients to discard an email sent from your domain if it doesn’t pass the DMARC check. In this way, you can decrease the number of unsolicited emails coming from your domain that can damage your sender reputation, brand, and ROI.
-
Email Traffic Control
The deployment of DMARC permits you to have full control over your email sources and ensure that they only send legitimate messages that your subscribers want. You can see whether or not your legal sending sources pass the SPF and DKIM check, and you can set the authentication problems when they happen. Organizations can use DMARC to observe how their partners send email messages on their behalf, and if everything is forward correctly. It permits you to decrease the threat of having your sending IP/domain blacklisted for sending spam emails.
DMARC develops a “must-have” for anyone who has concerns about email deliverability. If your email messages are not DMARC compliant, they are competing with spam and fraud emails for a place in the subscriber’s Inbox.
How DMARC Works?
DMARC builds on the foundation of the two other authentication methods SPF and DKIM.
SPF and DKIM authenticate multiple aspects of an email message: SPF authenticates the domain that appears in the “Envelope From” address, and DKIM verifies the domain found in the d= tag inside a DKIM-signature in the email header.
These domains are usually not visible to the recipient, which makes it feasible to spoof the email “From” address.
The outcomes of SPF and DKIM checks make the Authenticated Identifiers.
In the case of SPF, identifier alignment indicates, a domain of “Envelope From” address must line up with the domain in the header “From” address. If the “Envelope From” address is empty, alignment checked against the EHLO domain.
In the case of DKIM, identifier alignment indicates that the domain found in the d= field of a DKIM-signature in the email header must line up with the domain found in the header “From” address.
So, there are two modes in identifier alignment: relaxed and strict.
The strict mode needs the two domains to be identical for them to be in alignment. For instance, domain.com aligns with domain.com in strict mode, but it doesn’t line up with mail.domain.com.
The relaxed mode doesn’t need the two domains to match precisely. As far as the organizational domains match, they line up with each other. For instance, domain.com aligns with domain.com and also aligns with mail.domain.com.
As anyone can register a domain and set up SPF and DKIM, DMARC hardens the authentication procedure by connecting the outcomes of processing SPF and DKIM — the Authenticated Identifiers — along with the header “From” field. The Authenticated Identifiers must be related to the domain found in the “From” header field. This perception is referred to as “Identifier Alignment.”
When the following conditions are valid for an email message, the email is DMARC aligned:
- SPF authentication passes and has identifier alignment;
- DKIM authentication passes and has identifier alignment.
In case an email is DMARC aligned, it passes DMARC authentication. It explains that the email is indeed sent from the email address displayed to end-users.
There are two aspects of DMARC:
-
DMARC Policy
It allows you to tell the email receiver, that how to handle an email if it fails the DMARC authentication process.
In this regard, there are three policies:
- None, also known as the monitoring mode, (no action is taken, recommended to collect DMARC reports);
- Quarantine (the email is forward to the spam folder);
- Reject (the email is dismissed outright and is never delivered).
You precise the DMARC policy in a DMARC record, where the system appears in the p tag, like p=none.
-
DMARC Reports
DMARC gives reporting capabilities to allow email domain owners to gain visibility into how their email domain is utilizing across the Internet and which email sources are sending from it.
The feedback comes in the type of a report which is sent by the arriving email processor to the email address described in the DMARC record, for instance, rua=mailto:support@domain.com.
You can receive two kinds of reports: aggregate reports (stand for the rua= tag in the DMARC record), and the second is forensic reports (stand for the ruf= tag in the DMARC record).
DMARC aggregate reports give a complete view of all of a domain’s traffic: sending sources, percentages of emails failing/passing SPF and DKIM, percentages of emails DMARC non- compliant and compliant.
Aggregate reports give valuable feedback about the hygiene of your email domain, help you determine authentication problems, identify illegal sending sources and break malicious activity.
How to Deploy DMARC?
The procedure of deploying DMARC for your outgoing emails is
easy:
- Make a DMARC record.
- Issue the DMARC record to the DNS of your domain.
- Scrutinize the data and adjust your sending sources as appropriate.
A DMARC record involves DMARC tags. The following list shows what each tag probably found in a DMARC record explains:
v: DMARC protocol version. The default is “DMARC1”.
p: policy functional to an email sent from the domain that fails the DMARC check. Like: p=quarantine.
sp: policy operational to an email sent from the subdomain that fails the DMARC check. Like: sp=reject.
pct: percentage of email messages subjected to filtering. Such as pct=20 tells email recipients to only apply the ‘p=’ policy 20% of the time in contrast to emails that fail the DMARC check. This works for the “quarantine” and “reject” policies only.
rua: reporting URI of aggregate reports. Such as rua=mailto:agg_reporting@domain.com.
ruf: reporting URI of forensic reports. Such as rua=mailto:for_reporting@domain.com.
fo: forensic options. Allowed values: ‘0’ to send reports if both DKIM and SPF fail, ‘1’ to send reports if either DKIM or SPF is unsuccessful, ‘d’ to send a report if DKIM is unsuccessful and ‘s’ if SPF failed.
rf: reporting set-up for forensic reports.
adkim: Alignment Mode for DKIM. Allowed values: ‘r’ (Relaxed) or ‘s’ (Strict).
aspf: Alignment Mode for SPF. Allowed values: ‘r’ (Relaxed) or ‘s’ (Strict).
ri: reporting interval for aggregate XML reports in some seconds. Such as ri=86400 – 24 hours, ri=3600 – 1 hour. Usually, ISP shares DMARC reports daily, but they can convey them at different intervals.
Strengthen Your Policy Gradually
We strongly suggest that you ramp up your level of protection utilizing DMARC slowly by employing the DMARC policies in this order.
Begin with the “none” policy to gather information about your sending streams and authentication data. Examine the reports and look for anomalies like an abnormally massive number of sending sources and not signed messages which are possibly being spoofed.
When you find and delete all illegal mail streams and ensure that legitimate senders pass SPF, DKIM, and DMARC checks, switch the policy to “quarantine.”
Again, monitor the results. When you are sure that all of your email messages are signed, switch the policy to “reject” to include the highest level of protection. Check the reports daily to ensure everything is going well.
Likewise, you can use the optional “pct” tag to enhance and test your DMARC deployment. This setting works with the “quarantine” and “reject” policies. Initiate with a low percentage and improve it every few days.
Always review your daily reports to observe any abnormal behavior and set the problem.