What Is DMARC?

photo of a certified mail envelope

Note: This is the fourth post in a series covering the basics of email authentication. 

Previous posts:

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a widely-accepted open standard that ensures only authorized senders can use your domain in the From: field of their email messages.

You might ask: Isn’t it already the case that people can’t use your domain? Guess again: In fact, the basic email standards have no provision for ensuring that senders have a right to use whatever domain (or email address) appears in the From field of their messages. It’s trivially easy, using just a little bit of computer code, to create messages that appear to come from any address you want.

DMARC builds on two earlier email authentication standards, SPF and DKIM. It’s necessary because both of these earlier standards, while effective, contain important gaps. The biggest issue for both is that they have nothing to say about the address that appears in the From field of an email message.

For instance, SPF only validates the email address shown in a message’s Return-Path field. Recipients of email messages don’t usually see that field, with the result that phishers can easily use a legitimate, SPF-authenticated address in Return-Path (for example, hacker@badguy.com) while putting an impersonated name in the From field displayed in the email (e.g. john.koskinen@irs.gov) — and recipients will be none the wiser.

DKIM has a similar shortcoming: Phishers can sign a message with a valid DKIM signature that has no connection whatsoever to the address shown in the From field.

DMARC fixes that problem, by requiring alignment between the SPF address, the DKIM address, and the address that appears in the From field of a message.

NOTE: DMARC’s main contributions are 1) setting a policy that tells receiving email servers what to do with emails that don’t authenticate (nothing, quarantine or reject) and 2) providing a reporting mechanism so that receivers can tell domain owners about emails sent using their domain and whether they authenticated or not. Having the policy and the feedback mechanism is what makes it all work.

How it Works

For DMARC to work, the sending domain needs a DMARC record and the receiving server needs to check for that record and see if the sender is authorized. DMARC records are stored as text records in the Domain Name System (DNS).

Fortunately, billions of email inboxes worldwide now accept the DMARC standard, including those hosted by major email services providers such as Google, Microsoft, Yahoo, and AOL.

On the sending side, DMARC adoption is growing exponentially. Over 500,000 domains and subdomains now publish a DMARC record, protecting those domains from phishing and email impersonation.

Receiving mail gateways that follow the DMARC standard examine each incoming email message to determine whether the sender is authorized to use the domain listed in the From: field.

Flowchart showing how email gateways check DMARC records in DNS

If there is a DMARC record and the email fails the tests, the receiving mail server follows the instructions shown in that record to determine what to do with the email: Reject it, quarantine it (by putting it in a spam folder), or do nothing and deliver it to the recipient’s inbox. It also sends a log of what was done back to the domain owner.

Note that rejected emails never even get to the recipient’s inbox: They are rejected at the perimeter, by the receiving email server.

If there is no DMARC record, some email service providers have started showing a warning to the end user, such as a question mark indicating the sender’s identity can’t be confirmed.

Benefits of DMARC

Using DMARC completely eliminates same-domain phishing. Once enabled and set to enforcement, a DMARC record ensures that only authorized senders are able to use your domain in their email messages — and it guarantees that there is a match between what appears in the From field and what appears in the Return-Path and DKIM signature fields. That means recipients can tell at a glance who the email really comes from, and they can be certain that it’s not coming from a spoofed domain. In fact, once you set DMARC to enforcement, emails that use your domain but fail authentication won’t even appear in recipients’ inboxes.

DMARC policies.png

In this way, DMARC greatly increases trust in the email you legitimately send, whether that comes from your company’s own mail servers or from cloud services that you authorize to send email for you (such as SendGrid, Mailchimp, G Suite, Salesforce.com, Workday, Zapproved, and so on). It helps protect your brand by ensuring that your domain name is only used in emails you authorize.

DMARC also increases deliverability, because without authentication, spammers can use an organization’s domain to send unwanted email, which will hurt the domain’s reputation among spam filters. With a DMARC record in place, spammer’s can’t “free ride” on a protected domain, so its reputation should increase — improving deliverability. Some of Valimail’s customers have found that the deliverability rates of their marketing messages increase substantially after implementing DMARC.

Finally, DMARC gives you information about — and control over — any services sending email on your behalf. That’s because the DMARC standard includes provisions for receiving mail servers to send regular, daily reports to domain owners about the status of messages they evaluate. If a service is trying to send email using your domain but you haven’t authorized it, you’ll get a report with information that can alert you to that fact. Emails from that service won’t get through unless and until you explicitly authorize it.

While DMARC enforcement can protect you from phishing attacks, it’s also a critical tool for IT departments to identify “shadow IT” services via their emails. That’s because 1000’s of cloud services use email to send notifications, invoices, payroll info, contracts, marketing offers — pretty much everything — to your customers, prospects, and partners using your domain name. Previously, IT managers had difficulty identifying and controlling all the cloud services that people in their organization might have signed up for. But with DMARC enabled, IT gets reports that can be used to identify services — legitimate and otherwise — that are using the company domain for sending email.

By using a DMARC enforcement policy (quarantine or reject) the IT department effectively establishes a whitelist that prevents unauthorized or malicious emails from being delivered globally. Any department that signed up for a service that sends email without prior authorization will need to get approval from IT before email from the service will be delivered to any inboxes.

Automating DMARC

Email authentication is extremely powerful, but it requires careful configuration of DNS, intimate knowledge of the email infrastructure of thousands of sending services (in order to resolve potential configuration issues), constant monitoring, and rapid updating to respond to attacks and to changes in cloud services.

Monitoring tools can help, and consulting services can provide guidance, but a pretty GUI and good advice simply won’t get it done for most companies. Implementing email authentication successfully requires a fully automated approach that eliminates the need for mapping the Internet’s email servers, interpreting DMARC reports, and touching DNS with every update. That’s what Valimail provides.

Our cloud-based, automated email authentication platform replaces manual effort and guesswork with automation and intelligence, bringing the benefits of email authentication to any size organization.For more information on Valimail’s email authentication cloud, contact us at info@valimail.com.

Top photo: Tony Webster/Flickr 

Valimail is an anti-phishing company that has been driving the global trustworthiness of digital communications since 2016, with the only comprehensive platform for stopping fake email, protecting brands, and helping ensure compliance. Valimail has won multiple cybersecurity technology awards and authenticates billions of messages a month for some of the world's biggest companies, including Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development. Valimail is based in San Francisco. For more information visit www.Valimail.com.