What is DMARC? #
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps prevent email spoofing, phishing, and other fraudulent use of a domain. It builds on SPF and DKIM: it lets domain owners state, in DNS, that mail using their domain in the From header must be authenticated by SPF or DKIM for an aligned domain, what receivers should do with mail that fails, and where to send reports about it.
DMARC allows Domain Owners and receivers to collaborate by: #
- Providing receivers with assertions about Domain Owners’ policies
- Providing feedback to senders so they can monitor authentication and judge threats
The basic outline of DMARC is as follows: #
- Domain Owners publish policy assertions about domains via the DNS.
- Receivers check whether the message passed SPF and/or DKIM and whether the domain that passed (the SPF MAIL FROM domain or the DKIM d= domain) aligns with the domain in the From header; a message passes DMARC if at least one of the two passes and aligns.
- Receivers use that result together with the policy found in DNS to decide how the mail should be handled.
- The receiver sends reports to the Domain Owner or its designee about mail claiming to be from their domain.
Why is DMARC needed now? #
Google and Yahoo are tightening their own DMARC policies and their requirements for senders. If you use a third-party email service to send mail “as your @gmail.com or @yahoo.com address,” that service cannot pass SPF or DKIM for gmail.com or yahoo.com, so the mail fails DMARC alignment and is likely to be quarantined or rejected. The best bet is to open a support ticket with your provider to understand exactly what is at stake for your setup.
How to implement DMARC? #
Implementing DMARC involves several steps to enhance email security and prevent unauthorised use of your domain. Here is a basic guide to help you implement DMARC:
Understand DMARC Policies: #
None (p=none): Monitor mode, where emails failing authentication are delivered as usual but are counted in the reports sent to the domain owner.
Quarantine (p=quarantine): Emails failing authentication are treated as suspicious and are typically placed in the recipient’s spam or quarantine folder. RECOMMENDED
Reject (p=reject): Emails failing authentication are rejected and not delivered.
Create a DMARC DNS Record: #
Publish a DMARC policy in your DNS by creating a TXT record.
Specify your preferred DMARC policy (none, quarantine, or reject).
Optionally add reporting addresses: rua= for aggregate (periodic XML) reports and ruf= for per-message failure reports. Alignment tags (adkim=, aspf=, strict “s” or relaxed “r”) and a separate subdomain policy (sp=) can be added if you need them; relaxed alignment and sp= equal to p= are the defaults.
Example DMARC DNS record: #
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;"
Example Minimal DMARC DNS record: #
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none;"
Gradual Policy Implementation: #
Start with a DMARC policy of “none” to monitor and collect data without impacting email delivery.
Review the DMARC aggregate reports to identify legitimate and unauthorised sources of email, and fix SPF and DKIM for every legitimate source that is failing.
Once the reports show only legitimate sources passing, move to “quarantine” (optionally with pct= to apply it to a fraction of mail first) and finally to “reject”.
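The following is an added example, not code from the original page: it parses the two DMARC records shown above, applies the RFC 7489 defaults for missing tags, and then evaluates messages the way a receiver does in the outline at the top of the page (SPF or DKIM pass plus identifier alignment with the From domain, then the p= or sp= policy on failure). The domain names and authentication results are constructed for the demo; the organizational-domain helper is simplified to the last two labels, whereas real receivers use the Public Suffix List.

```python
# Added example (not from the original page): minimal DMARC record parser plus the
# receiver-side alignment check from RFC 7489. All domains and results below are
# constructed for the demo.
from typing import Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Turn the TXT string into a dict of tag -> value with RFC defaults applied.
    Raises ValueError when the record is unusable (v=DMARC1 not first, or no valid
    p=), which a receiver treats as if no DMARC record were published."""
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]                 # tolerate the trailing ';'
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags["p"] = tags["p"].lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # subdomain policy defaults to p=
    if tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")                   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")                    # relaxed SPF alignment by default
    return tags


def record_is_valid(txt: str) -> bool:
    """True if a receiver would accept the record as a usable DMARC policy."""
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this demo
    (assumption); real receivers consult the Public Suffix List (example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(record: dict, record_domain: str, from_domain: str,
             spf_result: Optional[str] = None, spf_domain: Optional[str] = None,
             dkim_result: Optional[str] = None, dkim_domain: Optional[str] = None
             ) -> Tuple[str, str]:
    """Receiver logic: DMARC passes if SPF passed for a domain aligned with the
    From header, or a DKIM signature verified with an aligned d= domain.
    Returns (dmarc_result, disposition): 'none' on pass; on failure the p= policy,
    or sp= when the From domain is a subdomain of the record's domain. With p=none
    a failure is only reported, never acted on. pct= is ignored for brevity."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, record["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != record_domain.lower()
    return "fail", (record["sp"] if is_subdomain else record["p"])


if __name__ == "__main__":
    # The two records from the page, published at yourdomain.com
    full = parse_dmarc_record('v=DMARC1; p=quarantine; rua=mailto:email@example.com; '
                              'ruf=mailto:firstname.lastname@example.org;')
    minimal = parse_dmarc_record("v=DMARC1; p=none;")
    # Constructed case: an ESP sends for us, SPF passes for its own bounce domain
    # (not aligned) but our DKIM signature with d=yourdomain.com verifies.
    print(evaluate(full, "yourdomain.com", "yourdomain.com",
                   spf_result="pass", spf_domain="bounce.esp.example",
                   dkim_result="pass", dkim_domain="yourdomain.com"))   # pass
    # Constructed spoof: nothing aligned -> quarantine under the full record,
    # delivered but reported under the minimal p=none record.
    print(evaluate(full, "yourdomain.com", "yourdomain.com",
                   spf_result="pass", spf_domain="attacker.example"))
    print(evaluate(minimal, "yourdomain.com", "yourdomain.com",
                   spf_result="pass", spf_domain="attacker.example"))
```

The second constructed case is exactly the "send as" problem described earlier on the page: when a third-party service sends with a From domain it cannot sign or pass SPF for, no identifier aligns, so the outcome is whatever the From domain's p= says.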