DMARC is an open email authentication protocol that provides domain-level protection of the email channel. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks. Building on existing standards—SPF and DKIM—DMARC is the first and only widely deployed technology that can make the header “from” domain trustworthy. The domain owner can publish a DMARC record in the Domain Name System (DNS) and create a policy to tell receivers what to do with emails that fail authentication.
- Domain spoofing—An attacker spoofs the domain of a company to make an email seem legitimate.
- Email spoofing—A term for spoofing activities involving email.
- Business email compromise (BEC)—An email that appears to come from a senior employee within an organization requesting that money or sensitive information be sent.
- Impostor email—A spoofed email sent by an impostor who claims to be someone they are not.
- Email phishing—An email that tries to get victims to install malware or offer their credentials. A phishing email often looks like a familiar brand to appear legitimate.
- Consumer phishing—Spoofed email sent to a consumer of a company claiming to be from that company with the intention of stealing credentials.
- Partner spoofing—Business-based spoofed email between supply chain partners, which attempts to change payment details in order to siphon money.
- Whaling email scam—Fraudulent email sent to a senior employee within an organization aiming to get a large financial gain.
- Domain-based Message Authentication Reporting and Conformance (DMARC)—An email validation system that detects and prevents email spoofing. It helps combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to come from legitimate organizations.
- Sender Policy Framework (SPF)—An email validation protocol designed to detect and block email. It allows receiving mail exchangers to verify that incoming mail from a domain comes from an IP address authorized by that domain's administrators.
- DomainKeys Identified Mail (DKIM)—An email authentication method that detects email spoofing. It allows the receiver to check that an email that claims to come from a specific domain was authorized by the owner of that domain.
- Binding Operational Directive 18-01—The Department of Homeland Security has issued Binding Operational Directive 18-01 for agencies to upgrade their email and web security. Agencies will need to implement SPF, DMARC, and STARTTLS efficiently.
SPF and DKIM
Sender Policy Framework (SPF) is an email validation protocol that allows an organization to specify who can send email from their domains. Organizations can authorize senders within an SPF record published in the Domain Name System (DNS). This record includes the approved IP addresses of email senders, including the IP addresses of service providers that are authorized to send email on the organization’s behalf. Publishing and checking SPF records is a reliable way to stop phishing and other email-based threats that forge “from” addresses and domains.
Domain Keys Identified Mail (DKIM) is an email authentication protocol that allows the receiver to check that an email from a specific domain was really authorized by the owner of that domain. It allows an organization to take responsibility for transmitting a message by attaching a digital signature to it. Verification is done through cryptographic authentication using the signer’s public key published in the DNS. The signature ensures that parts of the email have not been modified since the time the digital signature was attached.
How DMARC Works
For a message to pass DMARC authentication, it must pass SPF authentication and SPF alignment and/or pass DKIM authentication and DKIM alignment. If a message fails DMARC, senders can instruct receivers on what to do with that message via a DMARC policy. There are three policies the domain owner can enforce: none (the message is delivered to the recipient and the DMARC report is sent to the domain owner), quarantine (the message is moved to a quarantine folder) and reject (the message is not delivered at all).
The DMARC policy of “none” is a good first step. This way, the domain owner can ensure that all legitimate email is authenticating properly. The domain owner receives DMARC reports to help them make sure that all legitimate email is identified and passes authentication. Once the domain owner is confident they have identified all legitimate senders and have fixed authentication issues, they can move to a policy of “reject” and block phishing, business email compromise, and other email fraud attacks. As an email receiver, an organization can ensure that its secure email gateway enforces the DMARC policy implemented to the domain owner. This will protect employees against inbound email threats.
SPF authentication starts by identifying all legitimate IP addresses that should send email from a given domain and then publishes this list in the DNS. Before delivering a message, email providers will verify the SPF record by looking up the domain included in the “envelope from” address within the hidden technical header of the email. If the IP address sending an email on behalf of this domain is not listed in the domain’s SPF record, the message fails SPF authentication.
For DKIM authentication, the sender first identifies what fields they want to include in their DKIM signature. These fields can include the “from” address, the body of the email, the subject and more. These fields must remain unchanged in transit, or the message will fail DKIM authentication. Second, the sender’s email platform will create a hash of the text fields included in the DKIM signature. Once the hash string is generated, it is encrypted with a private key, which only the sender can access. After the email is sent, it’s up to the email gateway or consumer mailbox provider to validate the DKIM signature. This is done by locating a public key that is an exact match of the private key. Then the DKIM signature is decrypted back to its original hash string.
DMARC Best Practices and Tools
- Due to the volume of DMARC reports that an email sender can receive and the lack of clarity provided within DMARC reports, fully implementing DMARC authentication can be difficult.
- DMARC parsing tools can help organizations make sense of the information included within DMARC reports.
- Additional data and insights beyond what’s included within DMARC reports help organizations to identify email senders faster and more accurately. This helps speed up the process of implementing DMARC authentication and reduces the risk of blocking legitimate email.
- Professional services consultants with DMARC expertise can help organizations with DMARC implementation. Consultants can help identify all legitimate senders, fix authentication issues and can even work with email service providers to make sure they are authenticating properly.
- Organizations can create a DMARC record in minutes and start gaining visibility through DMARC reports by enforcing a DMARC policy of “none.”
- By properly identifying all legitimate email senders - including third-party email service providers—and fixing any authentication issues, organizations should reach a high confidence level before enforcing a DMARC policy of “reject.”
How to Create a DMARC Record
- DMARC records are hosted on your DNS servers as TXT entries. Every host provider provides DNS access to customers, so you can add this TXT entry from the registrar where the domain was registered or in a dashboard provided by the website host. The steps to create a DMARC record are different based on the registrar or host, but the creation of the record is the same for every domain. After you authenticate into your host or registrar, create an DNS entry using the following steps:
- Create an TXT record. After you start the creation process, you must enter a name and value for the record.
- Name your record DMARC. In some host configurations, the domain name is automatically appended to the name. If it is not added automatically, name the record _dmarc.yourdomain.com.
Enter the value for your record. The following is an example value for DMARC:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
The three values in the entry are important for direction when users send emails to your domain. The first “v” value is necessary and defines the version. This value will be the same for all records. The second “p” value determines what happens when the email passes or fails. In this example, the value is set to “none,” which indicates that nothing will happen. This value is recommended initially to ensure that DMARC works correctly before quarantining messages.
After you verify that DMARC works correctly, the “p” value can be changed to quarantine or reject. It’s recommended to quarantine messages so that you can catch false positives. The message will be set aside until you review it. The reject option will outright drop records that don’t pass DMARC rules. Unless you are sure that messages will pass, only use the reject option when you are positive that no important messages will be dropped by your DMARC settings.