What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol created to fight spam, spoofing, and phishing. Basically, this email validation system is designed to protect your domain from all kinds of cybercrime.
The email security protocol, DMARC, was created by PayPal with help from Google, Microsoft, and Yahoo! back in 2012.
DMARC tells receiving mail servers what they should do when they get mail that seems to come from your organization but that doesn't pass the authentication requirements from your DMARC policy record.
It's kind of your own personal security guard for your domain. Pretty awesome, isn't it?
It uses and monitors two other email authentication methods for all the emails sent with this domain:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
If the authentication fails (SPF/DKIM), then the security policy published in the DMARC record will be applied.
What are the benefits of DMARC?
There are a few key reasons that you would implement DMARC if you use email in your company.
How to monitor a domain with DMARC?
Thanks to DMARC, we can monitor all emails sent from a given domain.
For example, if we track our mailsoar.com sending domain, then we will see that our main sending sources come from our corporate emails (Gsuite), but also from Google Calendar invitations.
The easiest and most efficient way to monitor these sources is to use a monitoring tool. At MailSoar, we use two, depending on our clients:
With these tools, you can therefore monitor all your sources, and see if they are correctly authenticated.
It is very easy to set up these tools. For example, with GlockApps, you just have to click on “DMARC analytics”, then on “Add a domain”, and enter the domain you want to monitor. It will give you a DMARC record (TXT) to add to the DNS of your domain.
Here is an example of a DMARC record:
v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; fo=1;
- v=DMARC1: Protocol version
- p=none: Policy
- rua=mailto:email@example.com: Recipients of aggregated failure reports
- ruf=mailto:firstname.lastname@example.org: Recipients of detailed failure reports
- fo=1: Conditions for sending a detailed report
The policies available
The DMARC specification provides 3 choices for domain owners to use to specify their preferred treatment of mail that fails DMARC validation checks. These “p= policies” are:
- p=none. Nothing will happen if a source is not correctly authenticated. It will just allow you to monitor the sending sources.
- p=quarantine. If the SPF / DKIM authentication is not correct, then the receiving server will place your email in the spam folder.
- p=reject. If the SPF / DKIM authentication is not correct, then the receiving server will reject your email.
How to choose a DMARC policy?
How can MailSoar help you with your DMARC deployment?
DMARC is an important evolution of your email authentication. It is not just another DNS record to add for your company; it is one of the best ways to secure your email.
MailSoar can help you make your emails as secure as possible with:
- Audit of your email infrastructure to review the key areas potentially causing you trouble
- Implementation of all monitoring solutions, especially for DMARC
- Implementation of the immediate recommendations to improve your KPIs as quickly as possible
- BIMI deployment
Contact us now and we will help you set up your DMARC policy to be sure that no one is using your domain without your agreement.