October 7, 2024

What is DMARC, and why do we need it

DMARC has been a hot topic in IT circles in recent months because major mailbox providers such as Google and Yahoo now require it for bulk senders. Without it, mail from your domain may be rejected or delivered straight to junk.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. In short, it is an email authentication protocol that lets a receiving mail server verify that the domain shown in the From: header of an email is genuinely authorised to send it, and tells the receiver what to do when it is not. It takes some setup and ongoing management, but it is the most effective tool available for stopping your domain being spoofed. If there is one thing to take away from this article, it should be that every domain should publish and maintain a DMARC policy.

How DMARC works

For DMARC to work, you need Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) DNS records in place (preferably both). It’s worth briefly touching on these before going deeper into DMARC.

A Sender Policy Framework (SPF) record is a DNS TXT record listing the servers (IP addresses) authorised to send mail for a domain. When a message arrives, the receiving server looks up the SPF record for the domain in the SMTP envelope sender (the MAIL FROM address, visible to you as Return-Path) and checks whether the connecting IP address is on that list. Note that SPF checks the envelope sender, not the From: header the recipient actually sees; that gap is exactly what DMARC closes.

DomainKeys Identified Mail (DKIM) provides a way to validate the integrity and origin of an email. The sending server adds a digital signature header covering selected headers and the message body, and the recipient verifies it using a public key published in DNS under the signing domain (the d= tag of the signature). A valid signature shows that the message was signed by someone holding that domain's private key and that the signed content has not been altered in transit, so the email you receive is the one that was sent.

While both are powerful, on their own they do not stop phishing: SPF authenticates the envelope sender and DKIM authenticates the signing domain, and neither has to match the From: address shown to the user. This is where DMARC steps in. It adds a check called alignment: the domain in the From: header must match the domain that passed SPF or the d= domain of a valid DKIM signature (at least one of the two must align). The DMARC record also tells receivers how to handle mail that fails this check (monitor only, quarantine, or reject) and where to send reports about what they have seen.

A good analogy is to think of sending a paper letter and how that differs from email. With a letter, the sender and recipient written on the envelope and used for delivery are also written on the letter within. Assuming the envelope hasn’t been steamed open (unfortunately, there isn’t a DKIM equivalent for physical letters), you can trust that the letter and envelope came from the same place.

With an email client like Outlook or Apple Mail, you only see the sender written on the email ‘letter’ (the From: header) and not the ‘envelope’ it came in (the SMTP MAIL FROM address), unless you know where to look in the message headers. The two can differ completely, and that is precisely what spammers and attackers trying to trick you into installing ransomware exploit. DMARC addresses this by requiring the From: domain to align with the domain authenticated by SPF or DKIM. If neither aligns, the message fails DMARC and is handled according to the domain’s published policy, which for a fully deployed domain means rejection.
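The alignment check described above, written out as an added example (this is illustrative code, not part of the original article or any DMARC library). It parses a constructed DMARC record for the hypothetical domain example.com, then evaluates three constructed messages: a legitimate one, a spoof whose own SPF passes but for the attacker's domain, and one whose DKIM signature is from a subdomain. The organisational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup, and the record is assumed to be the organisational domain's own record.

```python
"""Added illustration: parse a DMARC record and apply its alignment rules."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example record, as it would be published at _dmarc.example.com
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")      # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment mode
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organisational domain as the last two labels.

    ASSUMPTION of this example: real verifiers consult the Public Suffix List so
    that mail.example.co.uk maps to example.co.uk; the two-label rule is wrong there.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed accepts the same
    organisational domain (so bounce.example.com aligns with example.com)."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """What the receiver learned from SPF and DKIM before DMARC runs."""
    spf_result: str              # "pass", "fail", "none", ...
    spf_domain: Optional[str]    # domain SPF was evaluated for (SMTP MAIL FROM)
    dkim_result: str
    dkim_domain: Optional[str]   # d= tag of the verified DKIM signature, if any


def evaluate_dmarc(from_domain: str, record: dict, auth: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition).

    A message passes DMARC if at least one of SPF or DKIM both passed and aligns
    with the From: header domain. Failing mail gets p= (or sp= for a subdomain).
    """
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, record["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower().rstrip(".") != organizational_domain(from_domain)
    return "fail", record["sp"] if is_subdomain else record["p"]


if __name__ == "__main__":
    rec = parse_dmarc_record(EXAMPLE_RECORD)
    cases = {
        # legitimate: envelope bounce.example.com aligns under relaxed aspf, DKIM d= exact
        "legitimate": AuthResults("pass", "bounce.example.com", "pass", "example.com"),
        # spoof: the attacker's own SPF passes for their domain, but nothing aligns with From:
        "spoof": AuthResults("pass", "attacker.example.net", "none", None),
        # DKIM verified, but a subdomain d= fails the strict adkim=s in the record
        "strict_dkim": AuthResults("fail", "example.com", "pass", "mail.example.com"),
    }
    for name, auth in cases.items():
        print(f"{name:12s} -> {evaluate_dmarc('example.com', rec, auth)}")
```

The third case is worth noting when you choose adkim=s or aspf=s: strict alignment blocks a perfectly valid signature from a subdomain, so most deployments start with the relaxed default and only tighten once every sending system signs with the exact From: domain.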

The journey from p=none to p=reject

So, if we all agree that DMARC is good, why doesn’t everyone have it? The answer is that it takes some understanding and proper tools to manage. When DMARC is fully deployed (p=reject), emails that fail the check are rejected by the receiver. This is what we want: the spoofed mail disappears. If your SPF and DKIM records are incomplete, however (a third-party service that sends on your behalf but is not listed in SPF and does not sign with your domain, for example), legitimate emails will fail the same check and be rejected too. Nobody wants this.

While it sounds cheesy, setting up DMARC is a bit of a journey. Best practice is to start with a monitoring-only policy (p=none) together with a reporting address (rua=), so that receivers send you aggregate reports of every message claiming to be from your domain, and to watch those reports for a while to confirm that everything is working as intended. This is where the tools and understanding come in: the reports are XML files covering thousands of messages, and each failing source has to be identified and dealt with, whether by adding it to SPF, enabling DKIM signing at the third-party provider, or recognising it as a spoofer. Once every legitimate source passes, the policy can be tightened, typically via p=quarantine, to p=reject. From then on you can be confident that mail spoofing your domain is rejected by compliant receivers.
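What analysing those reports looks like, as an added example (this is illustrative code, not part of the original article or any reporting product). It reads a constructed DMARC aggregate report for the hypothetical domain example.com in the standard rua XML format and sorts each sending source into one of three buckets: aligned (nothing to do), authenticated but for another domain (a real sender you need to onboard before moving off p=none), or unauthenticated (a spoofer or a server nobody configured). The sample data, IP addresses and vendor names are all made up.

```python
"""Added illustration: summarise a DMARC aggregate (rua) report."""
import xml.etree.ElementTree as ET

# Constructed sample report (not real data). Three sources send as example.com:
# the company's own mail server, a CRM vendor that is not in SPF and signs with
# its own domain, and a host that authenticates as nothing at all.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name><report_id>2024-10-07-example.com</report_id>
    <date_range><begin>1728259200</begin><end>1728345600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.200</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarise_report(report_xml: str) -> dict:
    """Group the report's rows by source IP and classify each source."""
    root = ET.fromstring(report_xml)
    published = root.find("policy_published")
    summary = {"domain": published.findtext("domain"), "policy": published.findtext("p"),
               "total": 0, "failing": 0, "sources": {}}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated carries the receiver's aligned DMARC verdict per mechanism
        evaluated = row.find("policy_evaluated")
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # auth_results carries the raw SPF/DKIM outcomes, whatever domain they were for
        raw_pass = any(r.findtext("result") == "pass"
                       for r in rec.find("auth_results") if r.tag in ("spf", "dkim"))
        if dmarc_pass:
            status = "aligned"                   # nothing to do
        elif raw_pass:
            status = "authenticated_unaligned"   # a real sender using another domain: onboard it
        else:
            status = "unauthenticated"           # spoof, or a server nobody configured
        # first status seen for an IP wins; counts accumulate across rows
        src = summary["sources"].setdefault(ip, {"count": 0, "status": status})
        src["count"] += count
        summary["total"] += count
        if not dmarc_pass:
            summary["failing"] += count
    return summary


def report_lines(summary: dict) -> list:
    """Human-readable view, largest sources first."""
    lines = [f"{summary['domain']}: policy p={summary['policy']}, "
             f"{summary['failing']}/{summary['total']} messages would fail DMARC"]
    for ip, src in sorted(summary["sources"].items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"  {ip:16s} {src['count']:5d}  {src['status']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(summarise_report(SAMPLE_REPORT))))
```

Real reports arrive by email as gzip or zip attachments, one per receiver per day, so in practice this logic runs over every attachment in the rua mailbox and the results are accumulated over weeks. The figure that matters before tightening the policy is the count in the authenticated_unaligned bucket: the unauthenticated volume is the spoofing that p=reject will stop, but every source in the middle bucket is legitimate mail that will be lost unless it is fixed first.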

How to check your email address

For a quick look at how well your email domain is protected, head to our Email Spoofing page and enter your email address into the field provided. The result is a score between 0 and 5, followed by an explanation of how well protected your address is.

The widget is quick and simple to use and will display your score within seconds. To understand your score in more depth, click the ‘Contact me regarding my score’ button to arrange a short meeting with our expert IT team.

Speak to us to see how we can look
after all your business and IT needs