What is DMARC?
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.” It is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF (Sender Policy Framework) and DKIM (Domain Key Identified Mail) protocols. DMARC then, adds linkage to the author’s (“From:”) domain name, the published policies for recipient handling of authentication failures, and reporting from receivers to senders. DMARC improves and monitors protection of the domain from fraudulent email.
How Does DMARC Work?
DMARC works in conjunction with SPF and DKIM to report on the compliance of email sent on behalf of your domain. Inbox providers prioritize email from senders that have SPF compliant and DKIM signed email.
A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes. This could be to quarantine (as junk mail) or to reject the message altogether. It removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
The important thing to understand is that inbox providers look at your entire email volume. They evaluate ALL email that uses your domain in the “From”, including your legitimate email, 3rd party senders, spam and spoofing. In some cases, spam and spoofing email sent on behalf of your domain may overshadow legitimate communications. The only way to know is to request DMARC summary reports from inbox providers, process those reports and take actions based upon key information in the reports.
Why Is DMARC Needed?
End users and companies all suffer from the high volume of spam and phishing on the Internet. Over the past 20+ years several methods have been introduced to try and identify when mail from (for example) IRS.GOV really is, or really isn’t coming from the IRS. However,
- Various methods all work in isolation from each other
- Each email receiver makes unique decisions about how to evaluate the results
- The legitimate domain owner (e.g. IRS) never gets any statistical feedback
In response, DMARC attempts to address this by providing coordinated, tested methods for:
- Domain owners to:
- Signal that they are using email authentication (SPF, DKIM)
- Provide an email address to gather feedback about messages using their domain – legitimate or not
- Set a policy to apply to messages that fail authentication (report, quarantine, reject)
- Email receivers to:
- Be certain a sending domains use email authentication
- Consistently evaluate SPF and DKIM along with what the end user sees in their inbox
- Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks
- Provide the domain owner with feedback about received messages from senders using their domain
Domain owners who deploy email authentication can begin using DMARC in “monitor mode” to collect data from participating receivers. Once data shows that their legitimate traffic passes authentication checks, they can change their policy to quarantine failing messages. As they grow confident that no legitimate messages are being incorrectly quarantined, they can move to a “reject” policy for failed messages.
What is the State of DMARC Adoption?
DMARC adoption is moving fairly quickly. So far, thousands of large, medium and small companies are using DMARC to screen their incoming email. Large Inbox Providers worldwide make up the largest portion of service providers adopting DMARC technologies. Google and Gmail account for over 70% of the reported email volume according to MxToolbox, a company based in Austin, TX that supports global Internet operations by providing free, fast and accurate network diagnostic and lookup tools. If you are hoping to send email to a Google address, you must adopt DMARC reporting.
On the other hand, global government adoption appears to be lagging. With less than .1% of the message volume sampled by MxToolbox, government adoption appears to need strengthening. So far, the US and UK are leading the way.
What Do You Need To Do to Protect Your Email Deliverability?
- Place an SPF record at your DNS provider to clearly designate your authorized email providers.
- Configure DKIM with all authorized email senders to sign all outbound email cryptographically.
- Set up a DMARC record at DNS to receive reports from inbox providers on the compliance of your emails with SPF, DKIM and DMARC standards.
- Update your email configurations to improve compliance.
- Block spoofers by moving to a more restrictive DMARC policy to quarantine or deny email that fails the policy check.
Since you rely on email for business critical communication, you need to know your email has been delivered to your customers and what technologies affect email delivery. Contact SYZYGY 1 Media for all your IT consulting needs.