What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect your domain against email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail): a DMARC record published in DNS tells receiving servers how to check that a message using your domain in the visible From: header was authorized, what to do with messages that fail, and where to send reports about what they saw.
Why DMARC Matters
Authentication: Adds a verification layer to confirm that emails come from authorized servers.
Phishing protection: Helps stop attackers from impersonating your domain.
Brand protection: Reduces risk of malicious actors sending fraudulent emails under your name.
Industry standards: Since February 2024, Gmail and Yahoo require bulk senders (roughly 5,000 or more messages a day to their users) to publish a DMARC record, with at least p=none, in addition to passing SPF and DKIM.
DMARC Tags
A DMARC record is stored in your domain’s DNS and is made up of tags that define how unauthenticated messages should be handled.
Key tags include:
v=DMARC1: DMARC version. It must be the first tag and must read exactly DMARC1, or receivers ignore the whole record.
p=none/quarantine/reject: Policy for failed emails (required).
rua: mailto: address that receives aggregate reports, XML summaries that each receiver sends (typically daily) of how much mail from each source IP passed or failed.
ruf: mailto: address that receives failure (forensic) reports for individual messages. Many large receivers, Gmail included, do not send these, so do not rely on them.
pct: Percentage of failing messages the policy is applied to (default 100); useful for a gradual rollout.
If a rua or ruf address is in a different domain from the one publishing the record, that domain must publish an authorization record (yourdomain.com._report._dmarc.reportdomain.com TXT "v=DMARC1"), or receivers will not send the reports there.
DMARC Policies for Unauthenticated Messages
DMARC policies are defined in the p tag:
p=none: Monitor only. Emails that fail DMARC are still delivered.
p=quarantine: Failed emails go to spam/junk.
p=reject: Failed emails are blocked entirely.
Start with p=none to monitor. Move to quarantine or reject only after you’re confident your setup is correct.
DMARC Alignment and Its Role
DMARC checks whether the domain in the From: header aligns with the domain that SPF validated (the envelope MAIL FROM / Return-Path domain) or the domain a valid DKIM signature was made for (its d= tag). A message passes DMARC when at least one of the two both passes and is aligned.
Aligned: Domains match exactly (strict mode) or share the same organizational domain (relaxed mode). Email passes.
Not aligned: Domains don't match. Email fails DMARC, even if SPF or DKIM on its own passed.
Without alignment, an attacker could pass SPF simply by using a domain they control in the envelope Return-Path while putting yourdomain.com in the visible From: header. Alignment ties the authentication result to the address the recipient actually sees.
Alignment Options
You can configure alignment for SPF and DKIM in your DMARC record using aspf (SPF) and adkim (DKIM):
Relaxed (default, r): The organizational (root) domain must match; subdomains are accepted.
Example: From = yourdomain.com, Return-Path = bnc3.yourdomain.com → passes.
Strict (s): Exact match required.
Example: From = yourdomain.com, Return-Path = test.yourdomain.com → fails.
Most organizations use relaxed alignment for flexibility, moving to strict alignment only if needed.
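The following is an added example, not code from the original article, showing how a receiver parses the tags from the DMARC Tags section and then applies the alignment rules above. The domain names, the record text and the two-entry public-suffix table are constructed for the demo; real receivers use the full Public Suffix List to find the organizational domain.

```python
"""Added example (not from the original article): parse a DMARC TXT record and
evaluate SPF/DKIM alignment the way a receiving server does.  Domain names,
the record text and the short public-suffix table are constructed for the demo."""

# Real receivers use the full Public Suffix List to find the organizational
# domain.  This two-entry table is an assumption that keeps the example offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict and validate the
    required tags.  v must be the first tag and must read exactly DMARC1;
    p is required; aspf/adkim default to relaxed ('r')."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    for mode_tag in ("aspf", "adkim"):
        tags.setdefault(mode_tag, "r")
        if tags[mode_tag] not in ("r", "s"):
            raise ValueError(f"{mode_tag} must be r or s")
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable root: bnc3.yourdomain.com -> yourdomain.com,
    mail.example.co.uk -> example.co.uk (using the small table above)."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def is_aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any domain
    that shares the organizational domain with the From: header."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(record_txt: str, header_from: str,
                   spf_domain: str = None, spf_result: str = "none",
                   dkim_domain: str = None, dkim_result: str = "none"):
    """Combine the raw SPF result (for the Return-Path / MAIL FROM domain) and
    the raw DKIM result (for the signature's d= domain) with alignment.
    Returns (dmarc_result, disposition): the message passes if at least one
    identifier both passes and aligns; otherwise the published p= applies."""
    tags = parse_dmarc_record(record_txt)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and is_aligned(header_from, spf_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and is_aligned(header_from, dkim_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com"
    # Relaxed (default): a bounce subdomain in the Return-Path still aligns.
    print(evaluate_dmarc(record, "yourdomain.com",
                         spf_domain="bnc3.yourdomain.com", spf_result="pass"))
    # Spoof attempt: SPF passes for the attacker's own envelope domain, but the
    # visible From: is yourdomain.com, so nothing aligns and p=reject applies.
    print(evaluate_dmarc(record, "yourdomain.com",
                         spf_domain="attacker.example", spf_result="pass"))
```

The second call in the usage block is the case the Alignment section warns about: raw SPF passes, yet DMARC fails because the passing domain is not the one in the From: header. The same function also shows why DKIM matters for forwarded mail: a forwarder breaks SPF alignment, but an intact DKIM signature for yourdomain.com still produces a pass.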
Setting Up DMARC
Step 1: Create a DNS Record
Go to your domain registrar or DNS hosting provider.
Add a TXT record:
Host/Name: _dmarc (the full record name becomes _dmarc.yourdomain.com)
Value (example):
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com
Confirm the record is live with dig +short TXT _dmarc.yourdomain.com (or nslookup -type=TXT _dmarc.yourdomain.com). Only one DMARC record may exist at that name; two records cause receivers to ignore both.
Step 2: Monitor Reports
Start with p=none and collect DMARC reports. Aggregate reports arrive as XML attachments (usually gzip or zip compressed) from each receiver, typically once a day, so expect the first ones 24 to 48 hours after publishing the record. Review which sources are passing or failing authentication, and add any legitimate services you find (marketing platforms, ticketing systems, CRM) to SPF and set up DKIM for them before tightening the policy.
Step 3: Enforce Policies
Once confident in alignment, move to stricter policies:
p=quarantine to send failures to spam.
p=reject to block failures completely.
Use pct to ramp up gradually (for example p=quarantine; pct=10 applies the policy to 10% of failing mail), then raise it to 100 before moving to the next policy level.
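The following is an added example, not code from the original article, of the report review in Step 2 that gates the move to enforcement in Step 3. It parses one aggregate (rua) report in the RFC 7489 Appendix C layout and lists the sources that fail DMARC, largest first. The report XML, reporter name and IP addresses are constructed for the demo; in production the reports arrive as compressed attachments from third parties, so decompress them first and parse with defusedxml rather than the standard library parser used here.

```python
"""Added example (not from the original article): parse one DMARC aggregate
(rua) report and summarize which sources pass and fail.  The XML below is a
constructed sample in the RFC 7489 Appendix C layout, not a real report."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one legitimate sender using the bnc3 bounce subdomain and
# one unknown host whose SPF passes only for its own domain (not aligned).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>1700000000.1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>bnc3.yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Return the published policy plus one entry per <record>.  The
    <policy_evaluated> dkim/spf values are the *aligned* results the receiver
    used for DMARC; <auth_results> holds the raw SPF/DKIM outcomes, which is
    why the second record shows a raw SPF pass but a DMARC fail."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pol = row.find("policy_evaluated")
        dkim_aligned = pol.findtext("dkim") == "pass"
        spf_aligned = pol.findtext("spf") == "pass"
        raw_spf = rec.find("auth_results/spf")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": pol.findtext("disposition"),
            "dmarc_pass": dkim_aligned or spf_aligned,
            "raw_spf_domain": raw_spf.findtext("domain") if raw_spf is not None else None,
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "records": records,
    }


def summarize(report: dict) -> dict:
    """Totals by DMARC result plus the failing source IPs, largest first:
    the list to triage (legitimate service to fix, or spoofer to ignore)
    before moving from p=none to quarantine or reject."""
    passed = sum(r["count"] for r in report["records"] if r["dmarc_pass"])
    failed_by_ip = defaultdict(int)
    for r in report["records"]:
        if not r["dmarc_pass"]:
            failed_by_ip[r["source_ip"]] += r["count"]
    return {
        "passed": passed,
        "failed": sum(failed_by_ip.values()),
        "failing_sources": sorted(failed_by_ip.items(), key=lambda kv: -kv[1]),
    }


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(report["domain"], "policy:", report["policy"])
    print(summarize(report))
```

When every failing source in the summary is either an unknown host you do not own or a service you have since added to SPF/DKIM, and the failing share has stayed low across several days of reports, the domain is ready for p=quarantine.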
Best Practices
Ensure SPF and DKIM are correctly configured for all sending services.
Start with monitoring (p=none), then phase into stricter policies.
Regularly review DMARC reports to spot unauthorized activity.
Keep DNS records updated as your email infrastructure changes.
Conclusion
DMARC is essential for protecting your organization against phishing and spoofing while safeguarding your brand reputation. By starting with monitoring and gradually moving toward stricter enforcement, you build trust with mailbox providers and recipients alike.