What is DMARC? Understanding DMARC Records

Domain-based Message Authentication, Reporting & Conformance, or DMARC for short, is a protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify the authenticity of emails.

DMARC records help ISPs (Internet Service Providers) prevent malicious emails from reaching recipients and reduce the opportunity for domain spoofing and phishing attacks.

DMARC records allow email senders to specify how receiving mail servers should handle incoming emails that were not authenticated by SPF or DKIM. Senders can choose to have such emails sent to the recipient's junk folder or blocked completely before they reach a mailbox. This enables ISPs to better identify spammers and prevent malicious email from reaching consumers' mailboxes, whilst minimising false positives and providing better authentication reporting for greater transparency.

It is worth noting that not all mail servers currently perform a DMARC check when receiving email messages. However, all major ISPs do perform this check, and DMARC adoption is steadily growing among large and small organisations.

DMARC Authentication Explained

What does a DMARC record look like?

Here is an example of a DMARC record; this is AOIT's DMARC record:

v=DMARC1;p=quarantine;rua=mailto:dmarc@aoitnetworks.com;ruf=mailto:dmarc@aoitnetworks.com;rf=afrf;pct=100

Breaking this down section by section:

v=DMARC1

Version – When the receiving server looks up DNS records for the domain it has just received an email message from, it checks your TXT records for one that begins with v=DMARC1. If none is found, no DMARC check will be performed.

p=quarantine

Policy – This dictates what the receiving server should do with any emails that haven't passed SPF or DKIM but still claim to be from your domain. We set our policy to quarantine. There are 3 different policies which can be set:

  1. p=none – The receiving server won't take any action against the email message but will still report it to the RUA mailbox specified for the domain.
  2. p=quarantine – The receiving server will deliver the mail but quarantine it, typically by sending it straight to the user's spam/junk folder.
  3. p=reject – The receiving server will reject all mail which cannot be verified as 100% authentic from your domain.

rua=mailto:dmarc@aoitnetworks.com

This tells the receiving server where to send aggregate reports of DMARC failures. Aggregate reports are sent once a day and include high-level information about DMARC failures, but don't provide granular details of each instance.

This can be any email address of your choosing and doesn’t have to be part of the same domain.

ruf=mailto:dmarc@aoitnetworks.com

This tells the receiving server where to send forensic reports of DMARC failures. Forensic reports are sent when an incident occurs and contain specific details of the failure.

This email address must be on the same domain as the one on which the DMARC record is published.

rf=afrf

Reporting Format – This defines the type of reporting which should be sent to the domain administrator. Currently afrf is the only option and means Aggregate Failure Reporting Format.

pct=100

Percent – This tells the receiving server what proportion of mail should be subjected to the DMARC policy. This can be any number between 1 and 100.
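To make the breakdown above concrete, here is an added example (written for this article, not AOIT's own code) that parses a DMARC TXT record into its tags, rejects records a receiver would ignore (missing v=DMARC1 as the first tag, missing or unknown p=, non-mailto report addresses, a bad pct value), and then applies the policy to a message the way a receiving server would. The tag semantics follow RFC 7489; the two boolean inputs assume the receiver has already checked that the SPF or DKIM result aligns with the From: domain, and the sample_roll parameter is a stand-in for the per-message random draw a receiver uses to honour pct. The sample record is the AOIT record quoted above.

```python
"""Parse a DMARC TXT record and decide what a receiver would do with a message.

Added example for this article (not AOIT's code). Tag semantics follow RFC 7489.
"""
import re
from dataclasses import dataclass, field
from typing import List

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"^mailto:[^@\s]+@[^@\s]+$")


@dataclass
class DmarcRecord:
    policy: str                                     # p= : action for unauthenticated mail
    rua: List[str] = field(default_factory=list)    # aggregate report destinations
    ruf: List[str] = field(default_factory=list)    # forensic (failure) report destinations
    rf: str = "afrf"                                # failure report format; afrf is the only defined value
    pct: int = 100                                  # share of failing mail the policy is applied to


def _split_tags(txt: str):
    """Yield (tag, value) pairs from a 'tag=value;tag=value' string."""
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tag, value = part.split("=", 1)
        yield tag.strip().lower(), value.strip()


def _report_uris(value: str) -> List[str]:
    """Split a comma-separated rua/ruf value and insist on mailto: URIs."""
    uris = [u.strip() for u in value.split(",") if u.strip()]
    for uri in uris:
        if not MAILTO.match(uri):
            raise ValueError(f"report destination must be a mailto: URI: {uri!r}")
    return uris


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse one TXT record; raise ValueError on anything a receiver would discard."""
    tags = list(_split_tags(txt))
    # The version tag must come first and be exactly DMARC1, otherwise no DMARC check is made.
    if not tags or tags[0][0] != "v" or tags[0][1].upper() != "DMARC1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    fields = dict(tags[1:])
    if "p" not in fields:
        raise ValueError("missing required p= tag")
    policy = fields["p"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {fields['p']!r}; expected none, quarantine or reject")
    rec = DmarcRecord(policy=policy)
    if "rua" in fields:
        rec.rua = _report_uris(fields["rua"])
    if "ruf" in fields:
        rec.ruf = _report_uris(fields["ruf"])
    if "rf" in fields:
        rec.rf = fields["rf"].lower()
        if rec.rf != "afrf":
            raise ValueError(f"unsupported report format {fields['rf']!r}; only afrf is defined")
    if "pct" in fields:
        # RFC 7489 allows 0..100 here; the value is an integer percentage.
        if not fields["pct"].isdigit() or not 0 <= int(fields["pct"]) <= 100:
            raise ValueError(f"pct must be an integer from 0 to 100, got {fields['pct']!r}")
        rec.pct = int(fields["pct"])
    return rec


def disposition(rec: DmarcRecord, spf_aligned_pass: bool, dkim_aligned_pass: bool,
                sample_roll: int = 1) -> str:
    """Decide what to do with one message: 'pass', 'none', 'quarantine' or 'reject'.

    spf_aligned_pass / dkim_aligned_pass: whether SPF or DKIM passed *and* the
    authenticated domain aligns with the From: domain (either one passing is enough).
    sample_roll (assumed helper input): a number the receiver draws from 1..100 per
    message; only rolls <= pct get the full policy, the rest get the next-weaker one
    (reject -> quarantine, quarantine -> none), as RFC 7489 section 6.6.4 describes.
    """
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    if sample_roll > rec.pct:
        return {"reject": "quarantine", "quarantine": "none", "none": "none"}[rec.policy]
    return rec.policy


if __name__ == "__main__":
    aoit = ("v=DMARC1;p=quarantine;rua=mailto:dmarc@aoitnetworks.com;"
            "ruf=mailto:dmarc@aoitnetworks.com;rf=afrf;pct=100")
    rec = parse_dmarc(aoit)
    print(rec)
    print("unauthenticated message ->", disposition(rec, False, False))
```

Running the script with the AOIT record prints the parsed tags and "quarantine" for a message that fails both SPF and DKIM; swapping in a record with pct=50 shows how roughly half of failing mail is handled one step more leniently, which is why a staged rollout usually starts at p=none, then raises pct under p=quarantine before moving to p=reject.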

If you require assistance or clarification regarding anything mentioned in the above article, reach out and receive expert support from the highly skilled technical team here at AOIT. We are dedicated to providing exceptional customer service and will be more than happy to assist you.

To initiate a support request, kindly click the “Request Assistance” button and a member of our team will respond to you within 24 hours.

Thank you for choosing AOIT for your technical support needs.
