What is DMARC?
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol created to fight spam, spoofing, and phishing. In short, this email validation system protects your domain from being used in these kinds of cybercrime.
The email security protocol, DMARC, was created by PayPal with help from Google, Microsoft, and Yahoo! back in 2012.
DMARC tells receiving mail servers what to do when they get mail that appears to come from your organization but does not pass the authentication requirements set in your DMARC policy record.
It is a bit like having your own personal security guard for your domain. Pretty awesome, isn't it?
It uses and monitors two other email authentication methods for all the emails sent with this domain:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
If authentication (SPF/DKIM) fails, the policy published in the DMARC record is applied.
What are the benefits of DMARC?
There are a few key reasons to implement DMARC if your company uses email.
- Reputation and Identification: publishing a DMARC record protects your company by preventing unauthenticated senders from sending mail from your company domain. It also makes your email easily identifiable in any mailbox.
- Visibility: DMARC gives you visibility into who is sending email from your domain.
- Security: DMARC helps the email ecosystem by disallowing unauthorized use of your email domain and protecting everyone from fraud, phishing and spam.
How to monitor a domain with DMARC?
Thanks to DMARC, we can monitor all emails sent from a given domain.
For example, if we track our mailsoar.com sending domain, we see that our main sending sources are our corporate emails (G Suite), but also Google Calendar invitations.
The easiest and most efficient way to monitor these sources is to use a monitoring tool. At MailSoar we use two, depending on the client:
- GlockApps
- SendForensics
With these tools you can monitor all your sending sources and see whether they are correctly authenticated.
These tools are very easy to set up. For example, with GlockApps you just click on "DMARC analytics", then on "Add a domain", and enter the domain you want to monitor. It will give you a DMARC record (TXT) to add to your domain's DNS.
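What a monitoring tool such as GlockApps or SendForensics actually ingests is the DMARC aggregate (rua) report that receiving servers send as XML. The following is an added example, not code from the original article or from either tool: it parses one such report and totals the messages per source IP that failed both aligned SPF and aligned DKIM. The report itself is constructed for illustration (the IPs are documentation addresses, the domains are placeholders).

```python
# Added example: minimal parser for a DMARC aggregate (rua) report.
# The XML below is constructed for this example; real reports follow the same
# layout (feedback / report_metadata / policy_published / record).
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (policy_domain, published_policy, rows).

    Each row carries the source IP, message count and the DMARC-evaluated
    (i.e. aligned) dkim/spf results plus the disposition the receiver applied.
    """
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
        })
    return domain, policy, rows


def summarize(rows):
    """Count messages that passed DMARC (at least one aligned mechanism passed)
    and, per source IP, those that failed both. A failing IP you recognise is a
    legitimate sender that still needs SPF/DKIM alignment; one you do not
    recognise is a sign that the domain is being spoofed."""
    passed = 0
    failed_by_ip = defaultdict(int)
    for r in rows:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            passed += r["count"]
        else:
            failed_by_ip[r["source_ip"]] += r["count"]
    return passed, dict(failed_by_ip)


if __name__ == "__main__":
    domain, policy, rows = parse_aggregate_report(SAMPLE_REPORT)
    passed, failed = summarize(rows)
    print(f"{domain} (p={policy}): {passed} passed; failures by source IP: {failed}")
```

In the constructed report, the second source (198.51.100.7) passes SPF only for bulk-sender.test, which is not aligned with the From domain, so DMARC treats those 35 messages as failures; under p=none they were still delivered, which is exactly what the monitoring phase is meant to surface.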
Here is an example of a DMARC record:
v=DMARC1; p=none; rua=mailto:test@ar.glockapps.com; ruf=mailto:test@fr.glockapps.com; fo=1;
- v=DMARC1: Protocol version
- p=none: Policy applied to mail that fails DMARC (here none, i.e. monitoring only)
- rua=mailto:test@ar.glockapps.com: Recipients of aggregate reports (a summary of every source seen sending for the domain, passing or failing)
- ruf=mailto:test@fr.glockapps.com: Recipients of detailed (forensic) failure reports
- fo=1: Failure reporting option; 1 means a detailed report is requested as soon as either SPF or DKIM fails
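To see how the tags above fit together, here is an added example (not code from the article or from GlockApps) that parses a DMARC TXT record into its tags, fills in the defaults the DMARC specification assigns to absent tags (adkim, aspf, pct, fo, sp), and rejects the records a receiver would consider unusable: a missing or misplaced v=DMARC1, or a missing or unknown p= policy.

```python
# Added example: parse and validate a DMARC TXT record.
# Defaults follow RFC 7489: relaxed alignment, pct=100, fo=0, sp inherits p.
SPEC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
                 "rf": "afrf", "ri": "86400"}
VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_FO = {"0", "1", "d", "s"}


def parse_dmarc_record(txt):
    """Return a dict of tag -> value (rua/ruf become lists of URIs).

    Raises ValueError for records a receiver would treat as invalid.
    """
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]          # drop the trailing empty element
    if not parts:
        raise ValueError("empty record")

    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()

    # v=DMARC1 must be the first tag; the value is specified exactly as DMARC1
    if not parts[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p tag missing or not one of none/quarantine/reject")

    for tag, default in SPEC_DEFAULTS.items():
        tags.setdefault(tag, default)
    tags.setdefault("sp", tags["p"])         # subdomain policy inherits p

    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be an integer between 0 and 100")
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim/aspf must be r (relaxed) or s (strict)")
    if not set(tags["fo"].split(":")) <= VALID_FO:
        raise ValueError("fo must be a colon-separated list of 0, 1, d, s")

    # Report destinations may list several comma-separated mailto: URIs
    for uri_tag in ("rua", "ruf"):
        if uri_tag in tags:
            tags[uri_tag] = [u.strip() for u in tags[uri_tag].split(",")]
    return tags


if __name__ == "__main__":
    record = ("v=DMARC1; p=none; rua=mailto:test@ar.glockapps.com; "
              "ruf=mailto:test@fr.glockapps.com; fo=1;")
    for tag, value in sorted(parse_dmarc_record(record).items()):
        print(f"{tag:6} = {value}")
```

Running it on the record from the article shows the parts the record leaves implicit: both alignment modes default to relaxed, pct defaults to 100 (the policy applies to all failing mail), and the subdomain policy sp falls back to p=none.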
The policies available
The DMARC specification gives domain owners 3 choices to specify their preferred treatment of mail that fails DMARC validation checks. These "p= policies" are:
- p=none. Nothing happens if a source is not correctly authenticated; it simply lets you monitor the sending sources.
- p=quarantine. If the SPF / DKIM authentication is not correct, the receiving server places the email in the spam folder.
- p=reject. If the SPF / DKIM authentication is not correct, the receiving server rejects the email.
How to choose a DMARC policy?
- For the first month: our best advice is to configure DMARC with a p=none policy. This lets you look at all the sending sources, monitor their authentication, and make the necessary modifications for the sources that are not correctly authenticated.
- Over the next 2 months: set the policy to p=quarantine to ensure there is no problem with deliverability.
- After 2 weeks: after this time, if all the sending goes well, change the policy to p=reject. With this, all emails that are not properly authenticated will be rejected by the receiving server, and your sending domain will be protected from spam and phishing attacks.
- Then: when everything is in place, deploy BIMI!
How can MailSoar help you with your DMARC deployment?
DMARC is an important step in the evolution of your email authentication. It is not just another DNS record added to your domain; it is one of the best ways to secure your email.
MailSoar can help you make your emails as secure as possible with:
- An audit of your email infrastructure to review the key areas potentially causing you trouble
- Implementation of monitoring solutions, especially for DMARC
- Implementation of the immediate recommendations to improve your KPIs as quickly as possible
- BIMI deployment
Contact us now and we will help you set up your DMARC policy to make sure that no one is using your domain without your agreement.