DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that helps protect against email spoofing and phishing.
DMARC builds on two existing email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
DMARC Components
Here’s a brief overview of each component of DMARC:
Component | Description |
---|---|
Domain-based | DMARC operates at the domain level, allowing domain owners to specify how their emails should be authenticated and handled. |
Message Authentication | DMARC leverages existing authentication mechanisms, SPF and DKIM, to validate that an email message actually comes from the purported sender and hasn’t been tampered with during transit. |
Reporting | DMARC includes a reporting mechanism that enables domain owners to receive reports on email authentication activity. These reports provide insights into how email is being handled for their domain, including information on legitimate and fraudulent email messages. |
Conformance | DMARC allows domain owners to specify how receivers (mail servers) should handle emails that fail authentication. This helps prevent fraudulent emails from reaching recipients while allowing legitimate emails to be delivered. |
DMARC Record Tags
Here’s a brief overview of the DMARC record tags:
Tag | Description | Example | Requirement |
---|---|---|---|
v= | Protocol version; must be the first tag in the record | v=DMARC1 | Mandatory |
p= | Policy receivers should apply to mail from the domain that fails DMARC | p=none; p=quarantine; p=reject | Mandatory |
pct= | Percentage of failing messages the policy is applied to; the remainder get the next less strict policy (reject becomes quarantine, quarantine becomes none). Default is 100 | pct=50 (half of the failing messages are subject to the policy specified) | Optional |
sp= | Policy for subdomains of the record’s domain; if absent, subdomains inherit p= | Same values as p= | Optional |
adkim= | Alignment mode for DKIM; default is relaxed | adkim=s or adkim=r (s means strict, r means relaxed) | Optional |
aspf= | Alignment mode for SPF; default is relaxed | aspf=s or aspf=r (s means strict, r means relaxed) | Optional |
rua= | Reporting URI(s) for aggregate reports (comma-separated mailto: URIs) | rua=mailto:user@example.com | Optional |
ruf= | Reporting URI(s) for failure (forensic) reports | ruf=mailto:user@example.com | Optional |
fo= | Failure reporting options, one or more of 0, 1, d, s separated by colons | fo=0 (default): report only if every mechanism fails to produce an aligned pass; fo=1: report if any mechanism fails to produce an aligned pass; fo=d: report if a DKIM signature fails, regardless of alignment; fo=s: report if SPF fails, regardless of alignment (e.g. fo=1:d:s) | Optional |
rf= | Format of failure reports | rf=afrf (the default, and the only format defined in RFC 7489) | Optional |
ri= | Requested interval between aggregate reports, in seconds | ri=86400 (24 hours, the default) | Optional |
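The tag semantics in the table can be turned into a small linter. The following is an added example for this page, not code from the page’s author: it parses a DMARC TXT value, fills in the RFC 7489 defaults for the optional tags, rejects malformed records, and flags settings that a domain owner usually does not intend (no aggregate reports, monitoring-only policy, partial enforcement via pct=). The `lint` warnings are this example’s own choices, not requirements of the standard.

```python
"""Parse and lint a DMARC TXT record (added example; not from the original page)."""

# Defaults RFC 7489 assigns to optional tags that are absent from the record.
DEFAULTS = {"pct": 100, "adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "ri": 86400}
POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}


def parse_dmarc_record(txt: str) -> dict:
    """Return the record's tags as a dict with defaults applied, or raise ValueError."""
    raw = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        raw.append((name.lower(), value))
    names = [n for n, _ in raw]
    if len(set(names)) != len(names):
        raise ValueError("duplicate tag")
    tags = dict(raw)

    # v= must be the first tag and must be DMARC1; p= is mandatory.
    if not names or names[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("mandatory p= tag missing")

    rec = {"p": tags["p"].lower()}
    rec["sp"] = tags.get("sp", tags["p"]).lower()  # subdomain policy inherits p=
    for key in ("p", "sp"):
        if rec[key] not in POLICIES:
            raise ValueError(f"{key}= must be none, quarantine or reject")

    for key in ("adkim", "aspf"):
        rec[key] = tags.get(key, DEFAULTS[key]).lower()
        if rec[key] not in {"r", "s"}:
            raise ValueError(f"{key}= must be r (relaxed) or s (strict)")

    # Numeric tags: pct is a percentage, ri an interval in seconds.
    try:
        rec["pct"] = int(tags.get("pct", DEFAULTS["pct"]))
        rec["ri"] = int(tags.get("ri", DEFAULTS["ri"]))
    except ValueError:
        raise ValueError("pct= and ri= must be integers") from None
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")

    # fo= is a colon-separated list of the options 0, 1, d, s.
    fo = {opt.strip() for opt in tags.get("fo", DEFAULTS["fo"]).split(":")}
    if not fo <= FO_OPTIONS:
        raise ValueError("fo= accepts only 0, 1, d and s")
    rec["fo"] = sorted(fo)
    rec["rf"] = tags.get("rf", DEFAULTS["rf"]).lower()

    # Report URIs: comma-separated, each must be a mailto: URI.
    for key in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
        for uri in uris:
            if not uri.lower().startswith("mailto:"):
                raise ValueError(f"{key}= entry {uri!r} is not a mailto: URI")
        rec[key] = uris
    return rec


def lint(rec: dict) -> list:
    """Warnings (this example's own heuristics) about a parsed record."""
    warnings = []
    if not rec["rua"]:
        warnings.append("no rua=: you will receive no aggregate reports")
    if rec["p"] == "none" and rec["sp"] == "none":
        warnings.append("p=none and sp=none: spoofed mail is delivered unchanged (monitoring only)")
    if rec["pct"] < 100 and rec["p"] != "none":
        warnings.append(f"pct={rec['pct']}: only that share of failing mail gets p={rec['p']}")
    return warnings


if __name__ == "__main__":
    # The record from this page's example, as a constructed input.
    record = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
              "ruf=mailto:dmarc-forensic@example.com; sp=reject; adkim=s; aspf=s")
    print(parse_dmarc_record(record), lint(parse_dmarc_record(record)))
```

Run it against any record you are about to publish; a `ValueError` means receivers will most likely ignore the record entirely, which silently leaves the domain unprotected.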
Example DMARC Record
Here’s an example of a DMARC record:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; sp=reject; adkim=s; aspf=s"
Explanation of the elements in the example:
Element | Explanation |
---|---|
_dmarc.example.com. | The DNS name at which the record is published: the fixed label _dmarc prefixed to the domain being protected. Receivers look up _dmarc.<From domain> and, if nothing is found there, _dmarc.<organizational domain>. |
IN TXT | Internet class, TXT record type; DMARC records are always published as TXT records. |
v=DMARC1 | Specifies the DMARC version. It must be the first tag, and DMARC1 is the only defined value. |
p=reject | The policy for mail from example.com that fails DMARC: receivers should reject it. No pct= is given, so the default of 100% applies to all failing mail. |
rua=mailto:dmarc@example.com | Specifies the URI (email address) where aggregate DMARC reports should be sent. Aggregate reports summarise, per sending source, how much mail passed or failed SPF, DKIM and alignment. If the mailbox were in a different domain, that domain would have to publish an authorization record at example.com._report._dmarc.<other domain> containing "v=DMARC1", otherwise receivers discard the reports. |
ruf=mailto:dmarc-forensic@example.com | Specifies the URI (email address) where failure (forensic) reports should be sent. These describe individual failing messages and can include their headers and body, so the mailbox should be treated as sensitive; not all receivers send them. |
sp=reject | Specifies the policy for subdomains. Since sp= defaults to the value of p=, this line is redundant here but makes the intent explicit; it matters when the two differ, for example p=none; sp=reject. |
adkim=s | Indicates strict alignment for DKIM (DomainKeys Identified Mail): the d= domain in a passing DKIM signature must exactly match the From: header domain. Relaxed alignment (r) would also accept a subdomain sharing the same organizational domain, such as mail.example.com. |
aspf=s | Indicates strict alignment for SPF (Sender Policy Framework): the domain SPF authenticated (the MAIL FROM / Return-Path domain) must exactly match the From: header domain, rather than merely sharing its organizational domain. |
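What strict versus relaxed alignment, sp= and pct= actually change is easiest to see on a concrete message. The following is an added example written for this page, not the page’s own code or any receiver’s implementation. It assumes the record’s tags have already been parsed into the `EXAMPLE_POLICY` dict (its values mirror the record above), that SPF and DKIM have already been evaluated by the receiver, and it replaces the Public Suffix List with a constructed two-entry stand-in; the `sample` parameter stands in for the random draw a receiver makes when applying pct=.

```python
"""DMARC alignment and disposition for one message (added example; not from the page)."""

# Constructed stand-in for the Public Suffix List: only multi-label suffixes matter here.
PUBLIC_SUFFIXES = {"co.uk", "com.au"}

# The tags of this page's example record, as a constructed parsed policy.
EXAMPLE_POLICY = {"domain": "example.com", "p": "reject", "sp": "reject",
                  "adkim": "s", "aspf": "s", "pct": 100}

# What a failing message gets when it falls outside the pct= share.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.example.com -> example.com, a.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return domain.lower()
    if ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) requires an exact match; relaxed (r) the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_result(policy: dict, from_domain: str, spf, dkim_sigs) -> tuple:
    """DMARC passes if any passing DKIM signature or a passing SPF result is aligned.

    spf is (authenticated_domain, result) or None; dkim_sigs is a list of (d=, result).
    """
    for d, result in dkim_sigs:
        if result == "pass" and aligned(d, from_domain, policy["adkim"]):
            return True, f"dkim d={d} aligned"
    if spf and spf[1] == "pass" and aligned(spf[0], from_domain, policy["aspf"]):
        return True, f"spf {spf[0]} aligned"
    return False, "no aligned pass"


def disposition(policy: dict, from_domain: str, spf, dkim_sigs, sample: float = 0.0) -> tuple:
    """Return (action, reason): 'none', 'quarantine' or 'reject' for this message."""
    passed, reason = dmarc_result(policy, from_domain, spf, dkim_sigs)
    if passed:
        return "none", reason
    fd = from_domain.lower().rstrip(".")
    # Subdomains of the record's domain get sp=; the domain itself gets p=.
    is_subdomain = fd != policy["domain"] and fd.endswith("." + policy["domain"])
    action = policy["sp"] if is_subdomain else policy["p"]
    # pct= applies the policy to that share of failing mail; the rest step down one level.
    if sample * 100 >= policy["pct"]:
        action = STEP_DOWN[action]
    return action, reason


if __name__ == "__main__":
    # Constructed message: From: example.com, DKIM signed by a subdomain, SPF on a bounce domain.
    print(disposition(EXAMPLE_POLICY, "example.com",
                      ("bounce.example.com", "pass"), [("mail.example.com", "pass")]))
```

With the strict record from the page, a message signed with `d=mail.example.com` fails alignment and is rejected even though DKIM itself passed; switching `adkim` to `r` makes the same message pass. That is the usual reason a newly enforced DMARC record breaks legitimate mail from third-party senders.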
Implementing DMARC gives domain owners greater control over how their mail is authenticated and reduces the likelihood of phishing attacks that rely on impersonating legitimate senders. It provides a framework for email senders to authenticate their messages and for receivers to handle emails according to the sender’s published policy and the message’s authentication status.
Combining DMARC with DKIM and SPF provides a more comprehensive approach to email authentication, helping to enhance the security of email communications.