304 North Cardinal St.
Dorchester Center, MA 02124
304 North Cardinal St.
Dorchester Center, MA 02124
Email is the most popular channel of communication between the company and the target market. Therefore, it comes as no surprise that it is the prime target for hackers. According to recent studies, it is involved in more than 90% of all network attacks that cause tremendous financial loss for both organizations and customers.
To deescalate this situation and prevent phishing and spoofing, numerous companies have turned their heads to authentication protocols designed to address vulnerabilities of emails. We have already pondered the two most widespread and trusted standards on the web: SPF and DKIM. The time has come to understand what is DMARC record that enjoys the benefits of both these security technologies and even take them to the next level by providing tools for getting feedback on the email ecosystem.
So, what is DMARC, and why is it important for emails?
Before moving to the DMARC record and DMARC setup essentials, it is crucial to understand what is DMARC.
Domain-based Message Authentication, Reporting & Conformance, aka DMARC, is a free email authentication protocol. Its main goal is to safeguard the domain from being used in hacker attacks, including spoofing, phishing, and email scams.
As we have already noted, it is appeared due to a staggering level of cybercrimes. According to recent stats,
The great thing about DMARC is that it gets the most out of SPF and DKIM protocols and extends its mechanisms to make the authentication process accurate and effective. With DMARC, the owner of the domain formulates a policy using DNS records. He or she can specify such things as
That is not all. The most significant advantage of DMARC is that, unlike SPF and DKIM, it is a reporting specification. With DMARC in place, the receiving mail server can send back a report about messages that fail. It is available in two formats: aggregate report and forensic report.
Simply put, the aggregate reports include information about the “report domain” and XML file with emails that failed verification. Forensic reports are failure reports that include details of messages that fail SPF, DKIM, or both. Together they offer insight into how your email moves through the ecosystem and what units use your email domain.
To sum up.
DMARC does three essential things:
Due to such an extending authentication mechanism, most ISPs find DMARC quite an effective protocol and use it to determine the authenticity of the email sender. Based on DMARC results, ISPs decide whether the email will pass all the barriers and get to the inbox, whether it will be put into a junk folder or rejected and reported as a malicious threat.
Malware Infection Growth Rate by Purplesec
DMARC record is the heart and soul of DMARC security standard. It is a DNS TXT Record that gives instructions to receiving mail server (ISPs, Gmail, Yahoo, etc.) about what should be done with the messages after checking SPF and DKIM records and DMARC test. It has three main policies:
If no DMARC record is in place, the receiving side draws its own conclusion about what to do with that.
It should also be noted that even if the email passes the DMARC check, it can still be rejected because ISPs consider other factors. For example, if the sender’s IP address is blacklisted, all its messages will be rejected, regardless of DMARC.
DMARC record is a modified DNS TXT record. It adheres to a particular format and syntax and is made of tags with name and corresponding value. There are required and optional tags. Let us consider the most popular ones:
The regular DMARC record looks like this:
v=DMARC1; p=reject; rua=mailto:dmarc_reports@your_domain_name.com
The vital thing to note, DMARC can override the policy specified in DKIM. It comes in handy in numerous everyday situations. For example, the sender wants to implement the policy not to all messages but only to a certain percentage; or the letter arrived from a trusted source, so it should go straight to the inbox.
The first thing to understand about DMARC working flow is that at least one authentication protocol (SPF or DKIM) should be enforced. Also, the DMARC record has to be set up.
The working flow behind DMARC is pretty simple and straightforward similar to SPF and DKIM. Let us walk through its key stages:
The alignment requirements come in two versions.
Note that even though DMARC is a highly regarded authentication protocol, it still does not mean that ISPs will follow its instructions without reservation. ISPs consider numerous factors before drawing the final decision. However, DMARC sends a strong signal to the receiving server about the fate of the message.
DMARC has been proven highly effective; however, it still suffers some shortcomings. Let us consider the most obvious ones:
There are not too many limitations to DMARC. The majority of them could be downsided. However, it is important to remember that DMARC also includes some shortcomings of SPF and DKIM since it is based on these protocols. Therefore, to create overall protection, you need to plug in all loopholes.
Despite the shortcomings that the DMARC record has, it still brings benefits to the organizations. Deploying this authentication protocol is increasingly important because of these advantages:
To set up a DMARC record, you need to undertake several necessary steps. Let us walk through them
If SPF and DKIM are in place for some time, then you can move to step 2. If you have just enforced these standards, then you need to wait at least 48 hours. This delay is necessary for changes in DNS to take effect.
Note, it is possible to define a DMARC record without SPF and DKIM; however, it is not recommended because DMARC will not do anything in this case. It will be pointless.
Also, it is vital to check SPF and DKIM to ensure that they work as intended.
There are two required tag-value pairs that every DMARC record should have: “v” (version) and “p” (policy). Everything else is optional.
As we have already noted, the “v” tag should be “DMARC1”. As for “p,” it is for you to decide what to do with emails that fail authentication. Choose from three options: none, quarantine, or reject.
Also, it is highly recommended to add the “rua” tag so that receiving server can send reports back.
At this point, the basic DMARC record may look like this:
v=DMARC1; p=none; rua=”mailto: reports@your_domain_name.com
If you want to extend this record, you are welcome to use other tags.
Every hosting provider offers a unique wizard that helps business owners to add DMARC records to DNS. You do not have to do everything by yourself. These wizards usually come with handy and intuitive interfaces to add DMARC records and even create one simply by choosing the necessary tags and entering corresponding values.
Follow this simple procedure:
Similar to SPF and DKIM, it takes up to 48 hours or even more (depending on your hosting provider) for the DMARC record to come into force.
Prevent Email Fraud with DMARC Infographic
Much like with DKIM, when ISPs consider even the slightest mistake in syntax as a sign of fraud, error in DMARC record can be fatal. Therefore, it should be polished.
On top of that, setting up DMARC is just a beginning of a journey. It is crucial to test configuration for DMARC, SPF, and DKIM regularly to ensure that the defined policies do not block legitimate emails. Let us consider some good tools to check the DMARC record.
Tools to Check DMARC Record
Several popular tools check DMARC record on being valid:
Let us consider some best practices for DMARC protection.
DMARC is one of the most powerful authentication protocols that has proven its validity and effectiveness through the years. It is not only about validating emails and rejecting those that are not authorized. It is about providing a way to coordinate the efforts of senders and receivers and put them in a strong position to fight spoofing and phishing attacks.
Even though DMARC is powerful tool, it is still a team player, not a loner. Being a representative of the layered approach, it should be combined with other security technologies to provide optimal protection and save companies from losing their money because of digital threats that cost businesses worldwide billions of dollars each year.