What is DMARC?

In an earlier article, we covered what DKIM and SPF can do for a domain. DMARC is the extension that brings it all together. DMARC stands for "Domain-based Message Authentication, Reporting & Conformance".

DMARC allows senders to indicate that their domain is protected by SPF and/or DKIM. They're then given the opportunity to say what should happen when the check fails, such as quarantining the message (normally placing it in the spam folder) or rejecting it outright.

Essentially this means that if an email doesn't pass the SPF/DKIM checks, perhaps because it was sent by a spammer, we can instruct the receiving mail server what to do with it.

When the policy is enforced the domain owner can protect against phishing emails, attempts to spoof a well-known domain, brand abuse and other forms of impersonation.

You can also ensure that a message passes alignment, meaning that the message's From header is aligned with the domain that passed the SPF and DKIM checks. This is essentially the final step needed to protect a domain's reputation and ensure that only verified senders can use the domain.

Another great benefit of DMARC is the reporting. In addition to setting a policy, the DMARC standard allows you to specify an aggregate and a forensic report email address. When the policy fails you can see which senders are passing or failing and make any changes needed to allow legitimate senders to pass. You can also see where malicious emails may be coming from.

Creating a DMARC Record

Like our other protection mechanisms, creating a DMARC record means adding a DNS entry for our domain. For example, _dmarc.example.com will cover the domain whose SPF record is at example.com and whose DKIM key is at selector._domainkey.example.com.

Our record will then look something like this:

host -t TXT _dmarc.example.com
"v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc_agg@example.net; sp=none; aspf=r;"

We'll map out the available parameters below:

Field Description
v The DMARC version. Should currently always be DMARC1.
p The policy to apply when the check fails: quarantine, reject or none. None can be used to simply collect reports. Setting quarantine will normally place an email into the Junk folder and reject will normally bounce the message entirely.
sp The subdomain policy. This allows us to set a rule for every subdomain rather than having to create records for each subdomain.
pct The percentage of mails to apply this policy to.
rua The list of URIs to send the aggregate feedback reports to. Must be in the form mailto:user@example.com.
aspf The SPF alignment mode: r for relaxed or s for strict.
adkim The DKIM alignment mode: r for relaxed or s for strict.
fo The forensic report mode: 0 if both SPF and DKIM fail, 1 if either fails, d if DKIM fails, s if SPF fails.
ruf The list of URIs to send forensic reports to. Should also be in the "mailto" form.
ri The reporting interval. This is rarely used and most providers will send a report once per day.
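As an added example that is not part of the original post, here is a small parser and sanity checker for a DMARC TXT record, using the record shown above as constructed input. The checks follow the tag meanings in the table; the optional "!10m" report size suffix on a mailto: URI is an assumption drawn from the DMARC specification, not from this post.

```python
# Added example, not code from the original post: parse a DMARC TXT record
# into its tags and sanity-check the values described in the table above.
import re

# Constructed copy of the record shown in the post.
EXAMPLE_RECORD = 'v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc_agg@example.net; sp=none; aspf=r;'

ALLOWED_POLICIES = {"none", "quarantine", "reject"}
ALLOWED_ALIGNMENT = {"r", "s"}
ALLOWED_FO = {"0", "1", "d", "s"}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=quarantine; ...' into a dict of tag -> value (insertion ordered)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in the example
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc_record(tags):
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ALLOWED_POLICIES:
        problems.append("p is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in ALLOWED_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("aspf", "adkim"):
        if tag in tags and tags[tag] not in ALLOWED_ALIGNMENT:
            problems.append(f"{tag} must be r or s")
    for flag in tags.get("fo", "0").split(":"):
        if flag not in ALLOWED_FO:
            problems.append("fo flags must be 0, 1, d or s")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            # Assumption: an optional "!10m"-style size limit may follow the address.
            if uri and not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri.split("!")[0]):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    return problems
```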

Once you have a DMARC DNS record in place you'll start receiving reports at the email addresses you specified.

Reports from outside your domain

It's important to note that in our example we specified a report address on a different domain from the one the record was created for.

In order for example.net to receive reports for example.com we'll have to create a TXT record on the example.net domain like this:

host -t TXT example.com._report._dmarc.example.net
"v=DMARC1"

This states that emails at example.net should receive reports for example.com.

What is DMARC identifier alignment?

In the table above we mentioned the alignment mode Strict (s) or Relaxed (r) for both SPF and DKIM.

Strict means that the SPF/DKIM check must exactly match the header-from field (the from: in the email's header).

For example, if the header states from: support@paypal.com then the SPF/DKIM record must match for paypal.com.

Relaxed mode means that a subdomain of the domain may be used for the match. Relaxed is frequently used by ESPs that send from a subdomain. For example, if emails are sent from mailserver.paypal.com and SPF is correctly set up for that subdomain, relaxed mode lets those messages pass.

CloudMailin's outbound system sends messages from mta.yourdomain.com. Using relaxed mode we can ensure that messages pass DMARC as we are an authorised sender, while still protecting the domain.
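The alignment rule described above, as an added example (not code from the original post or from CloudMailin). It assumes the organizational domain is simply the last two labels of a name; a production implementation must use the Public Suffix List so that names such as co.uk are handled correctly.

```python
# Added example, not code from the original post: DMARC identifier alignment.
# Assumption: organizational domain = last two labels (a real check uses the
# Public Suffix List instead).

def organizational_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain, authenticated_domain, mode="r"):
    """True if the SPF or DKIM authenticated domain aligns with the From
    header domain under mode 's' (strict, exact match) or 'r' (relaxed,
    same organizational domain)."""
    hf = header_from_domain.lower().rstrip(".")
    auth = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return hf == auth
    if mode == "r":
        return organizational_domain(hf) == organizational_domain(auth)
    raise ValueError("mode must be 'r' or 's'")


def dmarc_passes(header_from_domain, spf_domain, spf_result,
                 dkim_domain, dkim_result, aspf="r", adkim="r"):
    """DMARC passes when at least one identifier both passed its own check and
    is aligned with the From header domain."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and is_aligned(header_from_domain, spf_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(header_from_domain, dkim_domain, adkim))
    return spf_ok or dkim_ok
```

Note that a lookalike such as paypal.com.example.org does not align with paypal.com even in relaxed mode, because its organizational domain differs.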

Reporting Format

DMARC reports are sent as an email attachment (usually zipped) in the following format:

receiver!sendingdomain!reporting_start_epoch!reporting_end_epoch.extension

For example, a report from google.com may look like:

google.com!example.com!1589932800!1590019199.zip
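A parser for the attachment naming scheme just described, added here as an example (not code from the original post), using the google.com filename above as constructed input and converting the epoch window into UTC timestamps:

```python
# Added example, not code from the original post: parse a DMARC report
# attachment name of the form receiver!sendingdomain!start_epoch!end_epoch.ext
from datetime import datetime, timezone

# Constructed copy of the filename shown in the post.
EXAMPLE_REPORT_NAME = "google.com!example.com!1589932800!1590019199.zip"


def parse_report_filename(name):
    """Return receiver, sending domain, UTC window and extension, or raise
    ValueError when the name does not follow the scheme."""
    parts = name.split("!")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '!'-separated fields, got {len(parts)}: {name!r}")
    receiver, sending_domain, start, end_and_ext = parts
    # The extension may itself contain dots (e.g. xml.gz), so split once only.
    end, _, extension = end_and_ext.partition(".")
    if not (start.isdigit() and end.isdigit()):
        raise ValueError("reporting window must be two epoch timestamps")
    start_dt = datetime.fromtimestamp(int(start), tz=timezone.utc)
    end_dt = datetime.fromtimestamp(int(end), tz=timezone.utc)
    if end_dt < start_dt:
        raise ValueError("reporting window ends before it starts")
    return {
        "receiver": receiver,
        "sending_domain": sending_domain,
        "start": start_dt,
        "end": end_dt,
        "extension": extension,
    }
```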

More details about the full format of the report can be found at dmarc.org. Normally, though, it's advisable to use a user-friendly DMARC analysis tool.

Which email receivers support DMARC?

MxToolbox created a great summary of the providers that support DMARC reporting at present. Many of the top email providers support sending DMARC reports. Some of the top providers that are believed to support DMARC include:

  • GMail and Google Apps
  • Yahoo Mail
  • Facebook
  • FastMail
  • Mail.ru

Interestingly, although Microsoft advocates for using DMARC pretty heavily, they don't send aggregate reports. If you'd like to get reports from Office 365 receivers the only option, for now, is to vote for Office 365 to support it. It's apparently in the works.

Summary

In summary, you can see how DMARC not only helps enforce the security and therefore the reputation of your domain, but also helps you monitor the state of the emails you're sending. We suggest you get started today!

2020-05-20
CloudMailin Team