What Is DMARC?<\/h2>\n\n\n\n
Domain-based Message Authentication, Reporting and Conformance is a protocol that was first proposed<\/a> in January 2012 and widely adopted in 2018 by the U.S. government as part of the Department of Homeland Security (DHS) 18-01 binding operational directive. DMARC builds upon the Sender Policy Framework<\/a> (SPF) and the DomainKeys Identified Message<\/a> (DKIM) technologies to add security and instructions for a specific domain.<\/p>\n\n\n\n A DMARC policy is included in a DNS record for a given domain, enabling the sender to specify if messages are protected by SPF or DKIM. Additionally, the DMARC authentication enables DMARC Alignment that checks between the \u201cFrom\u201d fields displayed in the email and the from field in the header. This counters a common spoofing technique where the attacker changes the \u201cFrom\u201d field displayed in the header to impersonate a trustworthy sender.<\/p>\n\n\n\n DMARC also provides instructions regarding how messages should be handled if the message fails one or more authentication checks. For messages that fail DMARC, DMARC records also include email addresses to receive compliance and forensic reports for DMARC-failing emails.<\/p>\n\n\n\n The DMARC record publishes to an organization\u2019s DNS record so it is publicly available for email servers to check. As an example, Microsoft\u2019s DMARC.TXT file reads<\/a> as:<\/p>\n\n\n\n For a complete list of variables and options for the DMARC record, see the DMARC Setup Guide: How to Implement a Basic DMARC Setup<\/a>. <\/p>\n\n\n\n A key element of the DMARC check is Alignment, in which the domain in the message’s \u201cFrom:\u201d field is compared against other authenticated domain names from the SPF and DKIM checks. If either SPF or DKIM alignment checks pass, then the DMARC alignment test passes.<\/p>\n\n\n\n DMARC provides for either strict or relaxed alignment checks. With strict alignment the domain names must be identical. Using relaxed alignment allows the top-level “Organizational Domain” to fulfill the match requirement.<\/p>\n\n\n\n Upon receiving an email, the receiving email server can perform a DNS lookup to check for DMARC, DKIM, and SPF records. The receiving email server can then examine the DMARC file for instructions for how to handle the email if the email fails DKIM or SPF checks. Failing emails may be flagged to be rejected (p=reject), quarantined to a spam folder (p=quarantine), or to be allowed to be delivered to a recipient anyway (p=none). Note that some email services, such as Microsoft 365, may treat both reject and quarantine the same and forward the emails to the spam folder.<\/p>\n\n\n\n Messages that pass DMARC will be delivered to the recipient. Messages that fail DMARC can be discarded, quarantined as SPAM, or allowed to be delivered anyway depending upon the DMARC record instructions. The server will then generate DMARC reports regarding emails that fail the DMARC check and send them to the emails in the DMARC record instructions.<\/p>\n\n\n\n The DMARC standard provides for two types of reports: aggregate reports and forensic reports. Both types of reports provide machine-readable formats that can be difficult to read and analyze without the aid of additional third-party DMARC reporting tools. Additionally, these reports may be sent as .zip attachments, so organizations must ensure their email address in the DMARC record can accept .zip attachments.<\/p>\n\n\n\n Aggregate reports provide statistical data to an organization about email messages that claim to be from their email domain. These XML format reports include authentication results (pass\/no pass) and how the message was handled. Organizations use these reports to check delivery rates, identify internal senders that may not be properly configured, and identify potential spoofing campaigns attempting to impersonate the organization.<\/p>\n\n\n\n Forensic reports provide copies of email messages that fail DMARC authentication. An organization can analyze these emails to troubleshoot an organization\u2019s domain authentication issues or to identify malicious websites and domains.<\/p>\n\n\n\n DMARC can be activated by the addition of an appropriately formatted text file with the DNS record of an organization. However, effective implementation requires the prior establishment of SPF and DKIM email authentication, careful attention to detail, and patience in troubleshooting.<\/p>\n\n\n\n DMARC assumes the prior establishment of the DKIM and SPF email authentication standards. DMARC will check against these standards for alignment and authentication.<\/p>\n\n\n\n DKIM:<\/strong> DomainKeys Identified Mail<\/a> (DKIM) enables an organization to digitally sign emails from their domain using public key cryptography.<\/p>\n\n\n\n SPF:<\/strong> The Sender Policy Framework<\/a> (SPF) authentication method designates the authorized mail servers that send email from an organization\u2019s domain.<\/p>\n\n\n\n The basic steps of DMARC setup include:<\/p>\n\n\n\n However, each step can become quite involved and require attention to detail. For more detailed information on each step, please read the DMARC Setup Guide: How to Implement a Basic DMARC Setup<\/a>.<\/p>\n\n\n\n Although DMARC can fail for many reasons, organizations of all sizes can resolve DMARC issues with reasonable effort and attention to detail.<\/p>\n\n\n\n \u201cDMARC requires many intricate steps,\u201d explains Seth Blank, CTO of Valimail and co-chair of the DMARC Working Group. \u201cEven small mistakes could result in a number of issues such as accidentally filtering legitimate emails. The risks associated with reaching enforcement may be one reason why just 43.4% of enterprise DMARC policies are at enforcement.\u201d<\/p>\n\n\n\n For more detailed information on troubleshooting, see our article Why DMARC is Failing: 3 Critical Issues With DMARC Deployment<\/a>.<\/p>\n\n\n\n Many organizations do not want to take the time to dive into the details of SPF, DKIM, and DMARC to resolve issues. Fortunately, a quick Google search will reveal that many different service providers provide services to establish, maintain, and monitor SPF, DKIM, and DMARC.<\/p>\n\n\n\n Many organizations see value in tightening email security by implementing DMARC. DMARC policies increased by 43%<\/a> in 2020 and grew a further 84%<\/a> in 2021 to reach nearly 5 million valid DMARC records confirmed by DNS.<\/p>\n\n\n\n Organizations choose to implement DMARC because of the many advantages it can provide, such as enabling brand indicators, email troubleshooting, the flagging of malicious content, the reduction of impersonation by attackers, improved email reporting, and improved domain reputation.<\/p>\n\n\n\n Organizations that deploy DMARC can implement Brand Indicators for Message Identification<\/a> (BIMI) that enable a brand\u2019s logo to be displayed for authenticated emails. Large email providers such as Yahoo! or Gmail support this standard that can improve brand recognition, trust, and engagement for email recipients.<\/p>\n\n\n\n An organization often receives no feedback to know that an email campaign has been flagged as spam. Implementing DMARC allows an organization to understand when emails have not been delivered and why. Examining DMARC reports provides insight into how to improve email delivery and avoid becoming flagged as spam.<\/p>\n\n\n\n Malicious emails may try to impersonate a brand, but DMARC will flag emails that do not match the \u201cfrom\u201d field with authenticated email sources. BEC phishing emails and other malicious emails will fail DMARC and prevent unauthorized senders from sending or spoofing emails that attempt to impersonate another organization. The increase in flagged emails inherently makes the entire email ecosystem more trustworthy and reduces the effectiveness of potential attacks.<\/p>\n\n\n\n Barracuda notes that attackers use brand impersonation in more than 80%<\/a> of spear-phishing attacks. These spoofing attacks use the credibility of the impersonated brand to improve the credibility of the message in the phishing email.<\/p>\n\n\n\n DMARC can protect against spoofers by flagging emails sent from unauthorized domains. This will enable email servers to reject most spoofed phishing emails and lower the risk of having one\u2019s brand associated with malware<\/a> or hackers. For some organizations, impersonation can be even more damaging than hackers, and DMARC can prevent unauthorized and damaging emails such as those pretending to be from a political party<\/a> or other prominent organization.<\/p>\n\n\n\n Organizations often send emails and never know if it is delivered. Other times, marketing teams notice email rejections but struggle to determine why the emails are flagged as spam.<\/p>\n\n\n\n DMARC implementation generates reports that can be used to investigate rejected email in detail. These reports help to determine how to improve deliverability for direct emails and emails sent on behalf of the organization by third parties. Additionally, the reports can also provide information on attackers threatening the organization\u2019s brand reputation by attempting to spoof the organization in phishing and spam campaigns.<\/p>\n\n\n\n Implementation of DMARC signals to the large ISPs that an organization has control over their email environment which improves the reputation of the organization\u2019s domain. Improved domain reputation can help to improve the deliverability of marketing emails and some organizations cite 5% to 10% improvements in campaign delivery rates<\/a> after enforcing DMARC policies.<\/p>\n\n\n\n Disadvantages to the DMARC standard include the possibility of email disruption, the fact that DMARC is an incomplete solution, poor return on investment (ROI) measurements, and that DMARC remains potentially spoofable. DMARC also requires active enforcement, email servers to support DMARC, and the DMARC reports themselves are unintuitive.<\/p>\n\n\n\n Seth Blank, CTO of Valimail and co-chair of the DMARC Working Group, notes that \u201cDespite [DMARC\u2019s] growing popularity, fraudulent email remains the leading source of all cybercrime. Why does email provide such easy pickings for criminals? Because not enough businesses are at DMARC enforcement.\u201d<\/p>\n\n\n\nHow Does DMARC Work?<\/h2>\n\n\n\n
![\"eSP:](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2023\/06\/eSP-DMARC-1024x794.png\")
DMARC Record<\/h3>\n\n\n\n
_dmarc.microsoft.com. 3600 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:d@rua.contoso.com;\nruf=mailto:d@ruf.contoso.com; fo=1\" <\/code><\/pre>\n\n\n\nDMARC Alignment<\/h3>\n\n\n\n
DMARC Check Process<\/h3>\n\n\n\n
DMARC Reports<\/h3>\n\n\n\n
Aggregate DMARC Reports<\/h4>\n\n\n\n
Forensic DMARC Reports<\/h4>\n\n\n\n
DMARC Implementation<\/h2>\n\n\n\n
Dependencies: SPF, DKIM<\/h3>\n\n\n\n
Basic DMARC Setup<\/h3>\n\n\n\n
\n
How to Troubleshoot DMARC<\/h3>\n\n\n\n
DMARC Service Providers<\/h3>\n\n\n\n
DMARC Advantages<\/h2>\n\n\n\n
Brand Indicators for Message Identification (BIMI)<\/h3>\n\n\n\n
Email Troubleshooting<\/h3>\n\n\n\n
Malicious Content Flagging<\/h3>\n\n\n\n
Impersonation Mitigation<\/h3>\n\n\n\n
Improved Email Reporting and Visibility<\/h3>\n\n\n\n
Improved Domain Reputation and Email Deliverability<\/h3>\n\n\n\n
DMARC Disadvantages<\/h2>\n\n\n\n