What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It was developed in 2012 to combat phishing emails and is designed to work on top of SPF and DKIM. A domain’s DMARC policy is published as part of its DNS record. There are two parts to this protocol: reporting and conformance. The reporting component allows domain owners to monitor the authentication of their emails (which is performed by the receiving ISPs). The conformance component allows domain owners to dictate how ISPs handle unauthenticated emails. Together they let companies control who can send email from their domains, and therefore prevent phishing that abuses those domains. That’s why every company needs DMARC.

The DMARC policy can be set to one of three levels: “none,” which monitors authentication but doesn’t take any action against unauthenticated messages; “quarantine,” which is used as a “soft block” of unauthenticated messages while the SPF and DKIM policies are worked out; and “reject,” which completely secures the domain once the SPF and DKIM policies are configured correctly and blocks all unauthenticated messages. These three levels allow companies to monitor and configure settings accurately so legitimate emails get delivered to inboxes and spoofed emails get blocked:
- None - allows monitoring only, without interrupting the flow of email. It’s the first step towards securing the domain. Emails can still be spoofed while the company identifies its email sending services through DMARC reports. NOTE: this is distinct from having no policy at all, which means the domain does not use DMARC and cannot see when attackers spoof it.
- Quarantine - allows for a “soft block” on spoofed emails. It’s the intermediate step that allows companies to double-check their configurations. Spoofed emails go to the recipient’s spam folder, and DMARC reports inform the company about it.
- Reject - allows companies to completely lock down their domains against spoofed emails. Spoofed emails are not delivered, and the company learns about the attempt through DMARC reports.
Here’s an example of how it works: You send email from You@example.com. To use DMARC, you set your DMARC policy to “none,” and the setting is hosted in your DNS record. That’s all you have to do to get started with DMARC. Once you have a policy, you can start monitoring your email authentication through DMARC reports.
As you begin to get a better idea of how your SPF and DKIM policies are working, you can increase your security to “quarantine,” which tells ISPs to send unauthenticated email from your domain to spam. Once you’re confident that your SPF and DKIM policies are working the way you want, you can set your DMARC policy to “reject.” This tells ISPs not to deliver any unauthenticated emails from your domain. A reject policy is the most secure, but if it’s put in place too quickly, without first testing your settings, it could result in ISPs blocking your legitimate emails. There are some scenarios, like forwarded messages, in which the above process becomes more complicated. However, DMARC reports provide a record of how all emails sent from “you” were authenticated. These reports can be used to determine whether SPF and DKIM are correctly implemented and to identify when phishing emails are sent using your domain. DMARC reports provide actionable information that will help you properly secure your domain and protect your employees, your customers, and your reputation.
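To make the three policy levels concrete, here is an added example (not part of the original article) that parses a DMARC TXT record of the kind published at `_dmarc.<domain>` and works out what a receiver does with a message whose SPF and DKIM checks both fail. The record contents and the report address are constructed for illustration; the function and variable names are the example's own.

```python
# Added example: parse a DMARC record and apply its p= policy the way a
# receiving mail server would. Record values are constructed, not real.
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcPolicy:
    policy: str                      # p= tag: none | quarantine | reject
    rua: list = field(default_factory=list)  # where aggregate reports are sent


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse a 'v=DMARC1; p=...; rua=...' TXT record into a DmarcPolicy."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    # rua is a comma-separated list of mailto: URIs (the reporting half of DMARC)
    rua = [uri.strip() for uri in tags.get("rua", "").split(",") if uri.strip()]
    return DmarcPolicy(policy=tags["p"], rua=rua)


def disposition(pol: DmarcPolicy, spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """DMARC passes if SPF or DKIM passes *and* aligns with the From: domain.
    Otherwise the receiver applies the published p= policy."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver", "quarantine": "spam", "reject": "reject"}[pol.policy]


# Constructed records for the monitoring and lockdown stages described above.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for record in (MONITOR_RECORD, REJECT_RECORD):
        pol = parse_dmarc(record)
        # A spoofed message fails both aligned checks; only p= decides its fate.
        print(f"p={pol.policy}: spoofed mail -> {disposition(pol, False, False)}")
```

Under `p=none` the spoofed message is still delivered and only shows up in the aggregate reports sent to the `rua` address, which is why monitoring alone does not stop spoofing.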