Email Authentication Methods Part 3: What Is DMARC
Saggi Neumann
Saggi Neumann Founder & CEO @ Crazy Ant Labs
Transactional & Marketing Email Security Tips & Best Practices June 7th, 2023

Email Authentication Methods Part 3: What Is DMARC

Let’s say, hypothetically, that someone attempts to use your brand to commit fraud. Well, the best way for them to do so would be to send emails on your behalf, acting as the domain owner—you! 

While we hope this situation won’t actually transpire, all it takes is for one hacker to spoof a domain and they are free to abuse your customers, leads, and anyone else that possesses an email address. 

Impersonating you as the domain owner could jeopardize your brand’s reputation,  cause your legit emails to be flagged as spam, and may even expose your organization to lawsuits. To ensure that your email recipients can distinguish your email from fraudulent ones, you’ll need to use adequate authentication.

In previous posts, we covered the basics of email message authentication solutions working as a set of security systems to validate an email’s authenticity.

The security systems referred to are the three well-known email authentication protocols: DKIM (Domain-Keys Identified Mail), SPF (Sender Policy Framework), and this post’s main focus: the DMARC email authentication protocol. 

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication standard designed to protect both email senders and recipients from attackers who send spam and phishing email by spoofing a domain and impersonating a domain owner. 

It is an email authentication protocol that verifies sender IP addresses against the alleged owner of the sender domain to determine whether the sender really is who they say they are.

Spoofing means changing the “From” field of an email to appear as though it were sent from an impersonated organization or domain. It works alongside and builds upon the other two email authentication methods: SPF and DKIM

DMARC augments the other authentication methods with a protocol that allows senders to publish policies that remove guess work from the receiving end’s processing of email and also provides the receiver a means to send reports back to the sender regarding messages that pass or fail DMARC evaluation.

Ready to skip to the fun part?💃
Send all kinds of email from inside your apps with Mailer To Go’s streamlined and scalable add-on service.

How does DMARC work?

DMARC is an email authentication standard designed to protect both email senders and recipients from attackers who send spam and phishing emails by impersonating a domain. 

It works in conjunction with two other authentication methods: DKIM and SPF. To learn what DKIM and SPF are, and how to implement them, read our articles on What is DKIM? and  What is an SPF record?

To understand DMARC's functionality and answer the questions, "What is DMARC?" and "How does DMARC work?", it is essential to grasp its integration with DKIM and SPF. 

DMARC requires the prior implementation of DKIM or SPF. 

Like DKIM and SPF, DMARC utilizes a DNS record to specify actions in the event of failed email authentication and how to accurately report such incidents. DMARC introduces the concept of "domain alignment" to enhance email authentication. 

While SPF verifies the envelope-from field, DMARC requires alignment between the domain in the From field (visible to email recipients) and the envelope-from field for SPF. 

For DKIM, alignment is required between the domain in the From field and the domain specified in the DKIM-signature field's d= and s= tags. This alignment ensures a comprehensive verification process, reducing the chances of spoofed emails.

For a quick "dummies" guide to DMARC, watch the PowerDMARC video below.

What is a DMARC record?

A DMARC record serves as a vital component in the implementation of DMARC authentication for email. This TXT record, referred to as a DMARC record, is published in the DNS (Domain Name System) of a domain under the subdomain label "dmarc" (e.g., dmarc.yourdomain.com). 

Comprising a set of crucial instructions and specifications, the DMARC record guides the handling of email authentication failures and facilitates proper reporting procedures.

The DMARC record, with its name=value tags, plays a pivotal role in defining the policies and actions associated with DMARC authentication. These tags, similar to SPF and DKIM records, provide explicit instructions to mail servers on how to process messages that do not pass authentication checks.

dmarc authentication

When setting up a DMARC record, it is essential to consider the following elements, encapsulated within the DMARC record itself:

  • Version (v) The v tag denotes the version of DMARC being utilized, such as "v=DMARC1."

  • Policy (p) The p tag delineates the DMARC policy governing the treatment of failed authentication. It can assume one of three values: "none" (indicating no action but reporting failures), "quarantine" (signifying quarantine of failed messages), or "reject" (denoting rejection of failed messages).

  • Subdomain Policy (sp) The sp tag establishes the policy for subdomains belonging to the domain specified in the DMARC record. It shares the same potential values as the policy tag.

  • Percentage (pct) The pct tag determines the percentage of unauthenticated emails subjected to the defined policy. For instance, "pct=100" implies that the policy applies to all unauthenticated emails.

  • Reporting URI Aggregate (rua) The rua tag specifies the URI (email address) to which aggregate DMARC reports should be sent. These reports provide statistical data on received messages.

  • Reporting URI Forensic (ruf) The ruf tag allows the inclusion of a URI where forensic reports or real-time reports concerning failed email authentication can be forwarded.

Ensuring the correct formatting and accurate representation of desired policies and reporting mechanisms within the DMARC record is of utmost importance.

Regular monitoring of DMARC reports is highly recommended, as it enables the evaluation of email authentication performance and facilitates necessary adjustments to enhance overall security.

To summarize, a DMARC record constitutes a vital component in the implementation of DMARC authentication. Through accurate configuration and maintenance, domain owners can significantly enhance the security and reliability of their email communication with the help of the DMARC record.

The DMARC record acts as a guiding framework, instructing the mail server or mail servers on appropriate actions and reporting protocols.

Implementing DMARC for email authentication

To implement DMARC, the domain owner must publish a TXT record in the DNS with the subdomain label "dmarc" (e.g., dmarc.yourdomain.com). This TXT record consists of semicolon-delimited name=value tags, similar to SPF and DKIM records.

For example:

dmarc record

In this example, the v tag represents the version, p denotes the policy, sp defines the subdomain policy, pct specifies the percentage of unauthenticated emails subject to the policy, and rua indicates the URI to send aggregate DMARC reports to. 

Aggregate reports containing statistical data about received messages will be sent to dmarcreports@yourdomain.com. Forensic reports or real-time reports on failed email authentication can also be included using the ruf tag.

Gradually enhancing DMARC policies

It is recommended that you adopt a gradual approach when implementing and enhancing DMARC policies. Starting with a relaxed DMARC policy and monitoring the DMARC reports allows for a systematic enhancement of email authentication.

DMARC offers three policy values:

  • none This entry-level DMARC policy does not take any specific action if messages fail authentication. However, it specifies in the feedback report that the messages did not pass authentication.

  • quarantine With this policy, messages that fail authentication are quarantined, typically directing them to the recipient's spam folder. This provides a higher level of protection against fraudulent or suspicious emails.

  • reject The reject DMARC policy outright rejects messages that fail authentication, preventing their delivery to the recipient's inbox. This policy offers the strictest level of protection.

Additionally, the pct tag allows the specification of the percentage of emails to which the policy applies. Any remaining messages will be subject to a less strict policy (none if p=quarantine is specified or quarantine if p=reject is specified).

Spend more time reaping the rewards🍾🎉
...and less time battling deliverability issues, with Mailer To Go’s full-featured email service.

DMARC deployment considerations

When deploying DMARC, there are a few important considerations to keep in mind:

  • Gradual policy enforcement It is recommended to start with a "none" policy and carefully monitor DMARC reports before moving to stricter policies like "quarantine" or "reject". This gradual approach allows organizations to identify and address any authentication issues without the risk of legitimate emails being blocked or improperly delivered.

  • Subdomain alignment DMARC introduces the concept of domain alignment, requiring alignment between the From field and the envelope-from field for SPF authentication, as well as the domain in the DKIM-signature field for DKIM. It's important to ensure proper alignment to maximize the effectiveness of DMARC in preventing email spoofing.

  • Policy percentages The "pct" tag in the DMARC record allows organizations to specify the percentage of emails that should adhere to the defined policy. It's crucial to consider this setting carefully to strike a balance between strict enforcement and gradual implementation.

  • Regular monitoring and adjustments Organizations should regularly review DMARC reports, analyze the data, and make necessary adjustments to their email authentication setup. Monitoring DMARC reports helps identify any anomalies, potential security threats, or configuration issues that need attention.

email spoofing

Why is DMARC important? 

DMARC adds two seemingly small, yet crucial elements to the email authentication process:

  1. Domain alignment

  2. Clear reporting

Note that even DMARC doesn’t protect recipients from fraudulent email sent from other domains that look like your domain (e.g. d0ma1n.com vs domain.com), but if you add DMARC to your domain, it should at least help your legit emails find their way to your recipient’s inbox.

Implementing DMARC brings several benefits to email senders. By utilizing DMARC, organizations can:

  • Protect their brand reputation DMARC helps prevent email spoofing and phishing attacks, which can damage a company's reputation. By authenticating emails, DMARC ensures that recipients can trust the sender's identity and differentiate between legitimate emails and fraudulent ones.

  • Improve email deliverability DMARC helps improve email deliverability rates by reducing the chances of legitimate emails being flagged as spam or phishing attempts. When email receivers see that a domain has implemented DMARC and the email passes authentication, they are more likely to deliver the email to the recipient's inbox.

  • Receive actionable reports DMARC provides feedback in the form of aggregate reports, which offer valuable insights into email authentication failures. These reports can help organizations identify issues with their email authentication setup and take corrective actions to enhance their security measures.

DMARC plays a vital role in email authentication by introducing domain alignment and providing clear reporting mechanisms. It enhances the overall security of your domain and helps protect your brand reputation.

While DMARC cannot prevent fraudulent emails sent from other domains that mimic yours, implementing DMARC increases the chances of legitimate emails reaching your recipients' inboxes. 

By aligning domain fields and gradually strengthening authentication policies, you can minimize the risk of email-based fraud, maintain a positive brand image, and improve the deliverability of your important messages.

By utilizing DMARC in conjunction with DKIM (DomainKeys Identified Mail) and SPF authentication(Sender Policy Framework), you establish a robust email authentication framework that strengthens the security and trustworthiness of your email communication.

That, my friends, is DMARC explained!

Does Mailer To Go support DMARC?

Absolutely, yes! Mailer To Go supports DMARC and DMARC records.

DMARC is not set per email service but rather for your entire domain. We recommend starting by adding a DMARC TXT record to your domain, with a value that tells email servers to only send you aggregated reports so you can learn how well you’ve set the authentication methods for all of your email sending mechanisms. 

The following value instructs servers to just send an aggregate report to dmarc@yourdomain.com:

"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;"

About Mailer To Go! 📬
Mailer To Go lets you send emails from inside your applications using your own email addresses and domains.

Read more about email authentication methods

Frequently asked questions

What is DMARC?

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that verifies sender IP addresses against the alleged owner of the sender domain. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

What is the purpose of DMARC?

The purpose of DMARC is to prevent spoofed emails. A spoofed message appears to be from the impersonated organization or domain. DMARC also lets you request reports from email servers that get messages from your domain, providing visibility into your email ecosystem.

How does DMARC work?

DMARC enables domain owners to specify how recipients' mail servers should treat emails failing SPF and DKIM verification checks. It also provides a mechanism for reporting back to the domain owner about these actions.

What is the benefit of using DMARC?

DMARC provides email protection and gives you full control of email delivery for your company's domain. It helps prevent email spoofing, phishing, and other email-based attacks. It also improves email deliverability by ensuring legitimate emails are correctly authenticated.

How to set up DMARC?

Setting up DMARC involves creating a DMARC record in your domain's DNS records. This record includes your DMARC policy, which specifies how mail servers should handle mail that fails DMARC checks. A transactional email service provider like Mailer To Go can assist with setting up and managing DMARC for your domain.

What is reporting in DMARC?

Reporting in DMARC is a feature that allows you to track your email's authentication status and delivery failures. It provides valuable insights into who is sending email on behalf of your domain, which can help identify legitimate senders as well as potential fraudulent activity.

Remember, implementing DMARC is a crucial step in securing your email domain and improving email deliverability.

Boost Your Email ROI with Mailer To Go

Ready to boost email deliverability and clickthrough rates?

Start for free