Frequently Asked Question

DMARC Records - How to
Last Updated about a month ago

DMARC Records: A Policy for SPF and DKIM

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps domain owners protect their domains from unauthorized use, such as email spoofing and phishing attempts. DMARC in and of itself does nothing that SPF and DKIM don't; it is simply a 'policy' that tells receiving servers what to do if SPF and DKIM fail. Naturally, a server should reject email if either SPF or DKIM fails, as the protocols demand, but DMARC allows a further level of control, as well as enabling reporting.

How DMARC Works

DMARC allows domain owners to specify how receiving mail servers should handle emails that fail SPF and DKIM authentication. When an email is received, the receiving mail server performs SPF and DKIM checks. If either of these checks fails, the server then looks for a DMARC record in the sender's DNS to determine the appropriate action to take based on the domain owner's policy. Remember: if SPF fails and you're using ~all, that is a default rejection. DKIM failure, on the other hand, is less specific.

The DMARC policy specifies whether the email should be delivered, quarantined, or rejected. It also defines how the receiving mail server should report back to the domain owner about the email's authentication status and any actions taken.

DMARC Record Format

A DMARC record is a TXT record published in the DNS. It contains the DMARC policy and other parameters that instruct receiving mail servers how to handle emails that fail authentication. The record is published at a specific location in the DNS, typically at _dmarc.example.com. Here's an example of a DMARC record:

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; fo=1"

In this example:

  • v=DMARC1 specifies the DMARC version.
  • p=reject indicates that emails failing DMARC authentication should be rejected.
  • rua and ruf specify the email addresses where aggregate and forensic reports should be sent.
  • fo=1 defines the failure reporting options.

Benefits of DMARC

  1. Preventing Email Spoofing: DMARC helps prevent attackers from sending fraudulent emails that appear to come from a legitimate domain, reducing the risk of phishing and other email-based attacks.
  2. Protecting Domain Reputation: By implementing DMARC, domain owners can protect their domain's reputation by ensuring that only authorized emails are delivered to recipients' inboxes.
  3. Visibility and Reporting: DMARC provides domain owners with aggregate and forensic reports that give visibility into how their domain is being used in email communications. These reports help identify and mitigate any unauthorized use of the domain.
  4. Increased Email Deliverability: By aligning with DMARC standards, domain owners can improve their email deliverability and reduce the chances of legitimate emails being marked as spam.

Implementing DMARC

To implement DMARC, you need to follow these steps:

  1. Ensure that SPF and DKIM are properly configured for your domain.
  2. Create a DMARC record with your desired policy and reporting settings.
  3. Publish the DMARC record in your domain's DNS.
  4. Monitor the DMARC reports to identify and address any authentication failures or unauthorised use of your domain.

It's recommended to start with a "none" policy (p=none) and gradually move to a stricter policy (p=quarantine or p=reject) after monitoring and resolving any issues, but it's important to remember that p=none effectively means "allow mail that fails SPF and DKIM", which is really bad.
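As an added example (not code from the original page), these are the checks a practitioner would run over a record like the one shown above and over the p=none starting point described here: a small Python parser for the tag=value format plus an audit that flags a missing v=DMARC1 first tag, a missing or weak p= policy, and a missing rua= address. The sample records are constructed; the example.com entry repeats the article's own record.

```python
# Constructed sample records (not taken from the original page): the strict
# record from the article, a p=none starting point, and a mis-ordered one.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                   "ruf=mailto:dmarc-forensics@example.com; fo=1",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "broken.example": "p=reject; v=DMARC1; rua=mailto:dmarc@broken.example",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of tag -> value.

    Tags are separated by ';' and written as tag=value; surrounding
    whitespace is ignored and the first occurrence of a tag wins.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags.setdefault(tag.strip().lower(), value.strip())
    return tags


def audit_dmarc(txt):
    """Return a list of findings; an empty list means the record is
    well-formed, enforces a policy and can deliver aggregate reports."""
    findings = []
    tags = parse_dmarc(txt)
    # RFC 7489 requires v=DMARC1 to be the first tag, or the record is ignored.
    first = txt.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        findings.append("v=DMARC1 must be the first tag")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports will never arrive")
    for tag in ("rua", "ruf"):
        uris = tags.get(tag, "").split(",")
        if tag in tags and not all(u.strip().startswith("mailto:") for u in uris):
            findings.append(f"{tag}= must list mailto: URIs")
    return findings
```

Run audit_dmarc over the TXT value you are about to publish; an empty result means the record enforces a policy and will actually send you reports.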

Conclusion

DMARC is a policy for SPF and DKIM. SPF and DKIM must both be implemented to use DMARC, and they must be configured correctly. DMARC policies like quarantine and reject ensure that spoofed emails do not reach the recipient, and this is vital to maintaining domain and server reputation.

If you're having DMARC issues and need assistance, roll on over to the HelpDesk and raise a ticket for assistance. 
