Best Practices What is DMARC? By MailChannels | 4 minute read If the COVID-19 pandemic taught us anything, it’s that having an online presence is more important than ever for businesses of all sizes. Yet as more businesses have gone online, the threat of cybersecurity issues like ransomware is compelling everyone to take steps to protect and secure their online presence. Most cyberattacks begin with email, and more often than not, email attacks involve some degree of brand impersonation. The attacker sends email from an address that looks familiar to the recipient, who then engages in a trust-based conversation, leading to eventual compromise. Domain-based Message Authentication, Reporting and Conformance (DMARC) is one way that domain owners can help to prevent many such attacks and has become a cornerstone of every organization’s online security policy. What is DMARC? DMARC allows domain owners (i.e. brand owners) to publish a security policy relating to the email that they send. In plain English, a DMARC policy tells email recipients what they should do when they encounter an email message that was not correctly digitally signed by the domain owner, or which was sent out of IP addresses not authorized to send for the domain. DMARC policies are published in the Domain Name System (DNS), a global database of domain name information that is accessible to everyone on the internet. Benefits of DMARC In addition to setting out your domain name’s email security policy, DMARC also allows domain owners to receive reports from email receivers that help the domain owner to track down security problems such as domain name spoofing. For example, if you specify a so-called forensic reporting address in your DMARC record, then receivers like Yahoo will tell you about all of the IP addresses that are sending improperly signed or originated messages using your domain name. These reports help to locate gaps in your email sending infrastructure, such as sending services that have been incorrectly configured to sign messages using your domain’s DKIM key. How to use DMARC Using DMARC is easy, but there are a couple of prerequisites that require a bit more work. First, you need to set up Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) records in the DNS to allow email receivers to authenticate that email messages appearing to be sent from your domain actually originate from your organization, rather than an imposter. Read more about how MailChannels support DKIM and SPF. Once you have set up DKIM and SPF, you need a DMARC record, which looks like this: v=DMARC1; p=100; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; The typical elements of the DMARC record include: The version (v=DMARC1) – this string must be present at the start of your DMARC record to tell email receivers which version of the standard you are using. Today, only DMARC1 is valid, but in future we expect there could be a DMARC2, DMARC3, etc. The rejection percentage indicator (p=100) expresses what fraction of “unaligned” messages should be discarded or blocked by receivers. You can use this field to gradually roll out enforcement of your DMARC policy over time, starting with p=0 and then gradually increasing to p=100 as you plug all of the holes in your DKIM signing and SPF policy adherence. The reporting addresses (rua= and ruf=) set out optional email addresses to which you will be sent email statistics and forensic reports relating to the messages that receivers are seeing from your domain. These reports can be fed into a report analysis tool to provide valuable insights about ongoing spoofing of your domain and to locate places from which your domain’s email is being sent without a proper DKIM signature or from an unauthorized, yet legitimate IP address. Many excellent DMARC implementations exist as hosted services, automating the tricky bits and helping you to clean up your DKIM and SPF compliance incrementally to improve the delivery of your domain’s email. Summary To secure your brand’s reputation online and provide the maximum possible protection for your employees and customers against cyber attacks such as ransomware and phishing, it’s essential to deploy DMARC. Fortunately, many excellent service providers exist to help you roll out SPF and DKIM across the different channels through which your organization sends email, and DMARC itself can be automated as well. Gain insights about your email delivery and security with DMARC: it’s an unbeatable proposition.