The Domain-based Message Authentication, Reporting and Conformance (DMARC) standard for email authentication is mandated for U.S. federal executive-branch agencies and adopted by many corporate and government entities. DMARC closes a gap left by the older SPF and DKIM standards: it ties their checks to the "From" address the recipient actually sees, and adds reporting that lets a domain owner track spoofing campaigns. The standard lets email security solutions and internet service providers (ISPs) deliver "good" email with more confidence and filter out "bad" email more reliably.
To understand the DMARC standard in more detail this article will cover:
- What Is DMARC
- How Does DMARC Work
- DMARC Implementation
- DMARC Advantages
- DMARC Disadvantages
- DMARC FAQ
- Bottom Line: Mature Organizations Should Pursue DMARC Email Authentication
What Is DMARC?
Domain-based Message Authentication, Reporting and Conformance is a protocol first published as a draft specification in January 2012 (later RFC 7489) and mandated for U.S. federal executive-branch agencies by the Department of Homeland Security (DHS) Binding Operational Directive 18-01, issued in October 2017 with a p=reject deadline in October 2018. DMARC builds upon the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) technologies to add domain alignment, a published handling policy, and reporting for a specific domain.
How Does DMARC Work?
A DMARC policy is published in a DNS TXT record for a given domain. It tells receivers how the domain's mail is authenticated and, crucially, adds alignment: the domain in the "From:" header that the recipient sees must match the domain that SPF or DKIM actually authenticated (the Return-Path domain for SPF, the d= tag of the signature for DKIM). SPF and DKIM on their own never examine the "From:" header, so an attacker could pass both with a domain they control while displaying a trustworthy domain in the "From:" header; alignment closes that gap.
DMARC also provides instructions regarding how messages should be handled if they fail the check. DMARC records further include email addresses (rua= for aggregate reports, ruf= for failure or "forensic" reports) to which receivers send their reporting data.
The DMARC record is published as a DNS TXT record at _dmarc.<domain>, so it is publicly available for any receiving mail server to query. As an example, a record in the form Microsoft publishes for microsoft.com reads as follows (the reporting addresses shown here are placeholders, not Microsoft's actual mailboxes):
_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; fo=1"
For a complete list of variables and options for the DMARC record, see the DMARC Setup Guide: How to Implement a Basic DMARC Setup.
A key element of the DMARC check is alignment, in which the domain in the message's "From:" header is compared against the domains that SPF and DKIM actually authenticated: the RFC5321.MailFrom (Return-Path) domain for SPF and the d= tag of the signature for DKIM. DMARC passes if either SPF passes and is aligned, or DKIM passes and is aligned; one aligned pass is enough.
DMARC provides for either strict or relaxed alignment, set separately for SPF (aspf=) and DKIM (adkim=) and defaulting to relaxed. With strict alignment the domain names must be identical. With relaxed alignment it is enough that both share the same organizational domain (the registrable domain, such as example.com for mail.example.com), so bounce.example.com aligns with example.com in relaxed mode but not in strict mode.
DMARC Check Process
Upon receiving an email, the receiving mail server looks up the sender's SPF record, the DKIM public key for the selector named in the signature, and the DMARC record at _dmarc.<From: domain> (falling back to the organizational domain). It then applies the instructions in the DMARC record if the message fails DMARC. Failing emails may be rejected (p=reject), quarantined to a spam folder (p=quarantine), or delivered anyway (p=none); the pct= tag can apply the policy to only a sampled share of failing mail during rollout. Note that some email services, such as Microsoft 365, have not always honored p=reject literally and may instead route such messages to the spam or quarantine folder.
Messages that pass DMARC are delivered to the recipient. Messages that fail DMARC are rejected, quarantined as spam, or delivered anyway depending upon the DMARC record instructions. The receiver then generates DMARC reports, aggregate reports covering all messages that claimed the domain (passing and failing) and, optionally, failure reports for individual failing messages, and sends them to the addresses listed in the DMARC record.
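The alignment and policy logic described above, as an added example in Python (not code from the article or from any mail server). The tiny public-suffix subset, the hypothetical record, and the SPF/DKIM results fed to it are constructed so that it runs offline; a real receiver gets those results from its SPF and DKIM verifiers and the record from DNS.

```python
"""Simplified DMARC evaluation (RFC 7489): record parsing, identifier alignment,
and policy disposition.  Added example; not code from the article or from any
mail server.  The public-suffix subset and the SPF/DKIM inputs are constructed."""
from dataclasses import dataclass, field

# Stand-in for the Public Suffix List (https://publicsuffix.org).  A real evaluator
# needs the full list to find organizational domains; this subset only makes the
# example run offline.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")      # DKIM alignment: relaxed unless adkim=s
    tags.setdefault("aspf", "r")       # SPF alignment: relaxed unless aspf=s
    tags.setdefault("pct", "100")      # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= when sp= is absent
    return tags


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label to the left of the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains.  Relaxed ('r'): same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """What the receiver established before DMARC runs (constructed test inputs)."""
    from_domain: str                          # domain of the RFC5322.From header
    spf_result: str = "none"                  # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str = ""                      # RFC5321.MailFrom (Return-Path) domain
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...] per signature


def evaluate_dmarc(record_txt: str, auth: AuthResults, sample_roll: int = 0) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    Pass requires SPF pass AND an aligned Return-Path domain, or a DKIM pass AND an
    aligned d= domain.  This assumes record_txt came from _dmarc.<organizational
    domain>, so sp= governs any subdomain From:.  sample_roll (0-99) stands in for
    the receiver's random draw used by pct=: rolls at or above pct= get the next
    weaker policy (RFC 7489 section 6.6.4), which is how gradual rollout works.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(auth.from_domain, auth.spf_domain, rec["aspf"])
    dkim_ok = any(res == "pass" and aligned(auth.from_domain, d, rec["adkim"])
                  for res, d in auth.dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = auth.from_domain.lower() != organizational_domain(auth.from_domain)
    policy = rec["sp"] if is_subdomain else rec["p"]
    if sample_roll >= int(rec["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    REC = "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:dmarc-rua@example.com"
    # Legitimate mail: SPF via a bounce subdomain fails strict alignment, DKIM aligns.
    print(evaluate_dmarc(REC, AuthResults("example.com", "pass", "bounce.example.com",
                                          [("pass", "example.com")])))
    # Spoof: the attacker's own SPF and DKIM pass, but for attacker.net, so nothing aligns.
    print(evaluate_dmarc(REC, AuthResults("example.com", "pass", "attacker.net",
                                          [("pass", "attacker.net")])))
```

The second case is the one that matters: both SPF and DKIM report "pass", yet DMARC fails, because neither authenticated identifier is the domain shown in "From:". That is exactly the check SPF and DKIM alone do not make.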
The DMARC standard provides for two types of reports: aggregate reports and failure (often called forensic) reports. Both are machine-readable formats (XML for aggregate reports, a message/feedback-report MIME structure for failure reports) that are difficult to read and analyze without additional DMARC reporting tools. Aggregate reports arrive as compressed attachments (.zip or .gz), so organizations must ensure the mailbox named in the DMARC record accepts such attachments rather than stripping them.
Aggregate DMARC Reports
Aggregate reports provide statistical data to an organization about email messages that claim to be from its domain: for each sending IP address, how many messages were seen, whether SPF and DKIM passed and aligned, and which disposition the receiver applied. These XML reports are typically sent once a day by each participating receiver. Organizations use them to check delivery rates, identify internal or third-party senders that are not properly configured, and spot potential spoofing campaigns attempting to impersonate the organization.
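As an added example of what an aggregate report contains and how to read it programmatically (not code from the article or from any DMARC reporting tool): a constructed report in the RFC 7489 XML schema, unwrapped from the .zip attachment receivers send, and summarized per source IP. The IP addresses, domains (example.com, example-esp.net), report metadata and counts are all invented for the example.

```python
"""Parse a DMARC aggregate (rua) report and summarize it per source IP.
Added example; not code from the article or from any DMARC reporting tool.
The report below is constructed: IPs come from documentation ranges, the domains
are example.com / example-esp.net, and the counts are invented."""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mail.example.net</org_name>
    <email>dmarc-noreply@example.net</email>
    <report_id>20240101-example.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>  <!-- the organization's own mail server: everything passes -->
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- a marketing ESP: raw SPF and DKIM pass, but for the ESP's own
                 domains, so neither aligns with example.com and DMARC fails -->
    <row><source_ip>203.0.113.25</source_ip><count>300</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-esp.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounces.example-esp.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- unknown host spoofing the From: domain outright -->
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report(blob: bytes) -> bytes:
    """Unwrap the attachment: receivers send .zip or .gz, rarely bare XML."""
    if blob.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            name = next(n for n in z.namelist() if n.endswith(".xml"))
            return z.read(name)
    if blob.startswith(b"\x1f\x8b"):
        return gzip.decompress(blob)
    return blob


def summarize(xml_bytes: bytes) -> list:
    """One dict per <record>.  policy_evaluated/{dkim,spf} already include alignment,
    so DMARC passed iff either is 'pass'.  auth_results holds the raw, unaligned
    results, which is what tells you *why* a source failed."""
    rows = []
    for rec in ET.fromstring(xml_bytes).findall("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass",
            "disposition": pe.findtext("disposition"),
            "spf_auth": (rec.findtext("auth_results/spf/domain"), rec.findtext("auth_results/spf/result")),
            "dkim_auth": [(d.findtext("domain"), d.findtext("result"))
                          for d in rec.findall("auth_results/dkim")],
        })
    return rows


def classify(row: dict) -> str:
    """Triage hint: misconfigured legitimate sender versus likely spoof."""
    if row["dmarc_pass"]:
        return "ok"
    raw_pass = row["spf_auth"][1] == "pass" or any(r == "pass" for _, r in row["dkim_auth"])
    # Raw SPF/DKIM passed for some other domain: a real sender whose identifiers do not
    # align (fix: custom Return-Path or DKIM d= on the From: domain).  Nothing passed: spoof.
    return "unaligned-sender" if raw_pass else "likely-spoof"


def report_totals(blob: bytes) -> dict:
    rows = summarize(load_report(blob))
    return {
        "passed": sum(r["count"] for r in rows if r["dmarc_pass"]),
        "failed": sum(r["count"] for r in rows if not r["dmarc_pass"]),
        "by_ip": {r["source_ip"]: classify(r) for r in rows},
    }


def make_zip(xml: bytes, name: str = "report.xml") -> bytes:
    """Wrap XML the way a receiver does, so the demo exercises load_report()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for ip, verdict in report_totals(make_zip(SAMPLE_XML))["by_ip"].items():
        print(f"{ip:16} {verdict}")
```

The "unaligned-sender" verdict is the one to act on before tightening policy: the ESP in the sample is legitimate and its mail is being quarantined purely because its SPF and DKIM identifiers are the ESP's domains rather than example.com.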
Forensic DMARC Reports
Failure (forensic) reports provide per-message detail, typically the headers and sometimes a redacted copy of individual messages that fail DMARC authentication. An organization can analyze these to troubleshoot its own domain authentication issues or to identify malicious websites and domains. Many large mailbox providers do not send failure reports at all because of privacy concerns, so treat them as a bonus rather than a dependable data source.
DMARC Implementation
DMARC is activated by adding an appropriately formatted TXT record to the organization's DNS zone. However, effective implementation requires the prior establishment of SPF and DKIM email authentication, careful attention to detail, and patience in troubleshooting.
Dependencies: SPF, DKIM
DMARC assumes the prior establishment of the DKIM and SPF email authentication standards. DMARC checks the results of these standards for authentication and alignment; without at least one of them passing and aligned, every message fails.
DKIM: DomainKeys Identified Mail (DKIM) enables an organization to digitally sign outgoing emails (selected headers plus the body) with a private key; the matching public key is published in DNS under a selector, and the signature's d= tag names the signing domain.
SPF: The Sender Policy Framework (SPF) publishes, in a DNS TXT record, the IP addresses and mail servers authorized to send email for an organization's domain; receivers check the connecting server's IP against the record for the Return-Path domain.
Basic DMARC Setup
The basic steps of DMARC setup include:
- Publish a DMARC record with the DNS provider
- Monitor DMARC reports to capture legitimate senders that fail DMARC
- Modify SPF, DKIM, and DMARC as necessary to ensure legitimate sources pass
- Tighten DMARC restrictions
- Monitor DMARC reports for legitimate sources that fail and for potentially malicious sources attempting to impersonate the organization
However, each step can become quite involved and require attention to detail. For more detailed information on each step, please read the DMARC Setup Guide: How to Implement a Basic DMARC Setup.
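The steps above, carried through as DNS records for a hypothetical domain example.com (an added example, not records from the article or from any real domain): the sending-service name _spf.example-esp.net, the selector s1, the key material, and the reporting mailboxes are placeholders. The three _dmarc.example.com records are successive versions published one at a time, never together, because a name with more than one DMARC TXT record is treated by receivers as having no policy at all.

```zone
; --- Prerequisites (the fixes in step 3 happen in these records) ---------------
; SPF: the organization's own mail servers plus one third-party sending service.
; "-all" (hard fail) is where an enforcing domain should end up.
example.com.                 3600 IN TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.example-esp.net -all"

; DKIM: public key for selector s1; outbound mail is signed with d=example.com,
; which aligns with the From: domain.  The key value is a placeholder.
s1._domainkey.example.com.   3600 IN TXT "v=DKIM1; k=rsa; p=<base64 public key>"

; Third-party sender using a custom Return-Path (bounce) subdomain, so that its
; SPF pass aligns with example.com under relaxed alignment (aspf=r).
bounce.example.com.          3600 IN TXT "v=spf1 include:_spf.example-esp.net -all"

; --- Step 1: publish DMARC in monitoring mode; nothing is blocked yet ------------
_dmarc.example.com.          3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1"

; --- Steps 2-3: read the aggregate reports and fix SPF/DKIM for every legitimate
;     source that shows up as failing.  The DMARC record itself does not change.

; --- Step 4 (first tightening): quarantine a 25% sample of failing mail, reject on
;     subdomains (sp=), require strict DKIM alignment, keep relaxed SPF alignment.
_dmarc.example.com.          3600 IN TXT "v=DMARC1; p=quarantine; pct=25; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1"

; --- Step 4 (final): full enforcement once reports show only spoofers failing -----
_dmarc.example.com.          3600 IN TXT "v=DMARC1; p=reject; pct=100; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com; fo=1"

; Subdomains that never send mail get an explicit lock-down of their own.
_dmarc.nomail.example.com.   3600 IN TXT "v=DMARC1; p=reject"
nomail.example.com.          3600 IN TXT "v=spf1 -all"

; If reports go to a mailbox in another domain (rua=mailto:reports@vendor.example),
; that domain must publish an authorization record or receivers will not send them:
; example.com._report._dmarc.vendor.example. 3600 IN TXT "v=DMARC1"
```

After each change, confirm what the world sees with `dig +short TXT _dmarc.example.com` and wait for the old record's TTL (3600 seconds here) to expire before reading the next day's reports as evidence; step 5 is then a matter of watching the reports for new "failing but legitimate" sources every time a team adopts a new sending service.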
How to Troubleshoot DMARC
Although DMARC can fail for many reasons, organizations of all sizes can resolve DMARC issues with reasonable effort and attention to detail.
“DMARC requires many intricate steps,” explains Seth Blank, CTO of Valimail and co-chair of the DMARC Working Group. “Even small mistakes could result in a number of issues such as accidentally filtering legitimate emails. The risks associated with reaching enforcement may be one reason why just 43.4% of enterprise DMARC policies are at enforcement.”
For more detailed information on troubleshooting, see our article Why DMARC is Failing: 3 Critical Issues With DMARC Deployment.
DMARC Service Providers
Many organizations do not want to take the time to dive into the details of SPF, DKIM, and DMARC to resolve issues. Fortunately, many service providers offer services to establish, maintain, and monitor SPF, DKIM, and DMARC, typically by hosting the reporting mailboxes named in the DMARC record and presenting the aggregate data as dashboards.
DMARC Advantages
Many organizations see value in tightening email security by implementing DMARC. DMARC policies increased by 43% in 2020 and grew a further 84% in 2021 to reach nearly 5 million valid DMARC records confirmed by DNS.
Organizations choose to implement DMARC because of the many advantages it can provide, such as enabling brand indicators, email troubleshooting, the flagging of malicious content, the reduction of impersonation by attackers, improved email reporting, and improved domain reputation.
Brand Indicators for Message Identification (BIMI)
Organizations that deploy DMARC can implement Brand Indicators for Message Identification (BIMI), which lets a brand's logo be displayed next to authenticated emails. Large email providers such as Yahoo! and Gmail support this standard, which can improve brand recognition, trust, and engagement for email recipients. BIMI requires the domain to be at DMARC enforcement (p=quarantine or p=reject, not p=none), and Gmail additionally requires a Verified Mark Certificate (VMC) for the logo.
Email Troubleshooting
An organization often receives no feedback that an email campaign has been flagged as spam. Implementing DMARC gives it visibility into which of its emails failed authentication, from which sources, and why. Examining DMARC reports provides insight into how to improve email delivery and avoid being flagged as spam.
Malicious Content Flagging
Malicious emails may try to impersonate a brand by putting its exact domain in the "From:" header, and DMARC flags such messages when that domain does not match an authenticated, aligned source. Phishing and business email compromise (BEC) attempts that spoof the organization's own domain therefore fail DMARC at enforcing receivers, which prevents unauthorized senders from impersonating the organization by that route (look-alike domains and compromised legitimate accounts are a separate problem, covered under the disadvantages below). Every domain at enforcement makes the email ecosystem as a whole more trustworthy and reduces the effectiveness of such attacks.
Barracuda notes that attackers use brand impersonation in more than 80% of spear-phishing attacks. These spoofing attacks use the credibility of the impersonated brand to improve the credibility of the message in the phishing email.
DMARC can protect against spoofers by flagging emails that claim the organization's domain but come from unauthorized sources. This enables email servers to reject most spoofed phishing emails and lowers the risk of having one's brand associated with malware or attackers. For some organizations, impersonation can be even more damaging than a direct intrusion, and DMARC can prevent unauthorized and damaging emails such as those pretending to be from a political party or other prominent organization.
Improved Email Reporting and Visibility
Organizations often send emails and never know whether they were delivered. Other times, marketing teams notice email rejections but struggle to determine why the emails were flagged as spam.
DMARC implementation generates reports that can be used to investigate rejected email in detail. These reports help to determine how to improve deliverability for direct emails and emails sent on behalf of the organization by third parties. Additionally, the reports can also provide information on attackers threatening the organization’s brand reputation by attempting to spoof the organization in phishing and spam campaigns.
Improved Domain Reputation and Email Deliverability
Implementation of DMARC signals to the large ISPs that an organization has control over their email environment which improves the reputation of the organization’s domain. Improved domain reputation can help to improve the deliverability of marketing emails and some organizations cite 5% to 10% improvements in campaign delivery rates after enforcing DMARC policies.
DMARC Disadvantages
Disadvantages of the DMARC standard include the possibility of email disruption, the fact that DMARC is an incomplete solution, poor return on investment (ROI) measurements, and the fact that impersonation remains possible through look-alike domains. DMARC also requires active enforcement, requires receiving email servers to support DMARC, and its reports are unintuitive.
Seth Blank, CTO of Valimail and co-chair of the DMARC Working Group, notes that “Despite [DMARC’s] growing popularity, fraudulent email remains the leading source of all cybercrime. Why does email provide such easy pickings for criminals? Because not enough businesses are at DMARC enforcement.”
Over 1.28 million domain owners have configured DMARC for their domains, but only 14% actually protect against spoofing through enforcement. Even for large enterprises, DMARC can be difficult to fully implement despite the low cost of implementation.
Email Disruption
Successful implementation of DMARC requires iterations to discover overlooked email sources and to properly account for them in SPF, DKIM, and DMARC. An organization in a rush might tighten its DMARC policy before identifying such sources and accidentally block otherwise valid emails.
Incomplete Solution
DMARC cannot function on its own. It requires SPF and DKIM to be in place before it can authenticate anything. Additionally, even a strict DMARC policy only takes effect if the receiving email server decides to check and enforce DMARC.
Poor ROI Measurements
Although DMARC can enable an organization to recognize reputation improvements and more reliably deliverable emails, these benefits will be difficult to quantify for return on investment (ROI) measurements. To make matters worse, the primary benefit of flagging malicious email content generally applies only to other organizations.
Email servers and email security tools receiving mail use the sender's DMARC record to block spam and phishing that spoofs that sender. DMARC at enforcement all but eradicates exact-domain spoofing of the organization's own domains, which is an enormous benefit to it. However, mail claiming to come from the organization's own domain is always a minority of what any organization receives, so outside organizations enjoy most of the benefit of its verified emails.
Potentially Spoofable
DMARC prevents spoofing of an organization's specific domains. However, DMARC cannot prevent look-alike domain spoofing, such as when attackers replace "Amazon" with "Arnazon" or "Amaz0n" in a domain they register themselves. Attackers can publish perfectly valid SPF, DKIM, and DMARC records for such a look-alike domain so that their emails pass DMARC checks. DMARC also does nothing about mail sent from a legitimate account that has been compromised, since that mail is genuinely authorized.
Requires Active Enforcement
Only 14% of organizations that have deployed DMARC actually enforce DMARC. The others use the “p=none” setting to allow even phishing emails using their domain to be delivered despite failing DMARC.
These organizations likely struggle to locate all email sources and are concerned about email disruption. However, failure to enforce DMARC gives a green light to imposters and attackers to abuse the organization’s brand.
Requires Proper Email Server Settings
DMARC only protects against spoofing at receivers that actually check SPF, DKIM, and DMARC, either natively or through an email security tool. A receiving server that skips the check will deliver spoofed mail regardless of how strict the sender's published policy is.
Unintuitive Reports
Unfortunately, DMARC aggregate and forensic reports can be difficult for humans to read and interpret because they are formatted for machine ingestion. Most organizations need to obtain third-party DMARC reporting tools or monitoring services that can ingest the information and report in more intuitive fashions.
Fortunately, many of these tools can provide additional data and insights beyond what’s included within DMARC reports to help organizations to identify email senders faster and more accurately. These tools speed up the process of implementing DMARC authentication and reduce the risk of blocking legitimate email.
DMARC FAQ
Do All Email Service Providers Support DMARC?
Unfortunately, no. For SPF to align, the email service provider must send with a custom Return-Path (bounce) domain belonging to the customer rather than the provider's own domain. That Return-Path domain must be identical to the "From:" domain under strict alignment, or share its organizational domain (for example, bounce.example.com for mail from example.com) under relaxed alignment, and some vendors do not support this option. A provider that cannot do so can still achieve alignment by DKIM-signing with a d= value on the customer's domain, which is why a DKIM selector on the customer's own domain is the more important of the two for third-party senders.
Can DMARC Fail For Legitimate Sources?
Unfortunately, yes, primarily because of email forwarding or overlooked email senders.
Forwarding is the classic case: a customer receives a newsletter in their main mailbox and has it forwarded to their Gmail account. Forwarding almost always breaks SPF. If the forwarder preserves the original Return-Path, the forwarding server's IP is not in the sender's SPF record; if it rewrites the Return-Path to its own domain (Sender Rewriting Scheme), SPF may pass but no longer aligns with the "From:" domain. Either way, DMARC can still pass on the DKIM signature as long as the forwarder left the signed headers and body intact, which most plain forwarders do (mailing lists that add subject tags or footers are the usual exception, and ARC exists to address that case). Forwarding affects only a small share of mail, but it is the main reason to have both SPF and DKIM passing and aligned on a domain rather than relying on SPF alone.
Other times, some team members may start to use email sources without notifying the team responsible for updating email authentication. For example, marketing may add a HubSpot email marketing service or IT may enable a Zendesk IT ticketing system that sends tickets via email. If these sources are not properly added to SPF and DKIM, the otherwise legitimate emails will fail DMARC authentication.
Bottom Line: Mature Organizations Should Pursue DMARC Email Authentication
DMARC email authentication can be a pain to set up and enforce, but it is worth the trouble. Any organization recognizable enough to be spoofed has a valuable brand that needs to be protected, and enforcing DMARC can radically reduce spoofing emails and improve delivery of legitimate emails. Every organization should strive to enforce DMARC to do their part to reduce spam, but more importantly, to protect themselves.