What is a DMARC Record? How Does it Work with SPF and DKIM?

Email has become an indispensable part of communication and business processes today. However, the open structure of the email system has made it vulnerable to phishing, spam, and other malicious email attacks. Such attacks can have serious consequences for both recipients and senders. This is where the DMARC (Domain-based Message Authentication, Reporting & Conformance) record comes into play. DMARC is a protocol that uses email authentication standards (SPF and DKIM) to prevent email spoofing and enhance email security. In this article, we will examine in detail what DMARC is, how it works, and how it integrates with SPF and DKIM.

What is DMARC? Basic Concepts and Objectives

DMARC is an email authentication protocol that allows email sending domains to specify how emails that are not sent on their behalf should be handled. DMARC builds on existing email authentication mechanisms such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and uses the results of these mechanisms to instruct receiving email servers on what to do with unauthenticated emails. In other words, DMARC helps protect the email sender's domain, preventing phishing attacks and domain spoofing.

The main objectives of DMARC are:

  • Prevent email spoofing: DMARC detects emails sent from unauthorized sources that use your domain name, preventing these emails from reaching recipients.
  • Protect brand reputation: By preventing your domain name from being associated with fake emails, it protects your brand reputation and customer trust.
  • Increase email deliverability: DMARC shows email servers that your emails are authenticated and trustworthy, reducing the likelihood of your emails ending up in the spam folder and increasing their deliverability.
  • Provide reporting: DMARC allows you to receive reports from receiving email servers about the authentication results of emails sent from your domain. These reports help you identify problems in your email infrastructure and optimize your DMARC policy.

The Role of SPF and DKIM: The Building Blocks of DMARC

For DMARC to work effectively, SPF and DKIM must be configured correctly. SPF and DKIM form the basis of the email authentication process and feed DMARC's decision-making mechanism.

SPF (Sender Policy Framework)

SPF is a DNS record that specifies which IP addresses are authorized to send emails from a domain. When a receiving email server receives an email, it compares the IP address from which the email was sent with the IP addresses specified in the sending domain's SPF record. If the IP address matches one of the IP addresses specified in the SPF record, the email passes SPF. Otherwise, the email fails SPF.

An example SPF record might look like this:

v=spf1 a mx include:_spf.example.com ~all

This record specifies that the domain (example.com) is authorized to send emails from the IP addresses specified in the A records, MX records, and other SPF records at _spf.example.com. The "~all" expression indicates that emails that fail SPF should be marked as "soft fail".

DKIM (DomainKeys Identified Mail)

DKIM verifies that an email is authorized by the domain from which it was sent by adding a digital signature to the email. When an email is sent, the sending server creates a digital signature using the content and some headers of the email and adds this signature to the email's header. The receiving email server verifies the email's signature using the public key found in the sending domain's DNS record. If the signature is verified, it is confirmed that the content of the email has not been changed after it was sent and that the sender is from the domain they claim to be.

An example DKIM record might look like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3cmORw9jDZmdzlcz2mdR5RE5i9HBB0BB/yakXewDRlZ2+2aVtv20x2t5409c6ygm60jTG1zgkA==; s=selector

This record shows that the DKIM signature was created using the RSA algorithm and that the public key is specified in the "p" parameter. The "s=selector" expression specifies which selector was used to create the DKIM signature. The selector is used to determine which key is used when multiple DKIM keys are used.

How Does a DMARC Record Work? Policy and Reporting

A DMARC record is added to the DNS records of the domain as a TXT record. This record instructs receiving email servers on what to do with emails sent from your domain that fail SPF and/or DKIM. The DMARC record also contains the information necessary for you to receive reports from receiving email servers about the authentication results of emails sent from your domain.

DMARC Policy Options

There are three basic policy options that can be specified in the DMARC record:

  • none: This policy tells receiving email servers not to take any special action regarding emails that fail SPF and DKIM. This policy is usually the starting point for those implementing DMARC for the first time. With this policy, you can receive reports on authentication results and identify problems in your email infrastructure without affecting your email flow.
  • quarantine: This policy tells receiving email servers to send emails that fail SPF and DKIM to the spam folder. This policy can be considered as the next step after the "none" policy. With this policy, you can start protecting your brand reputation by preventing fake emails from reaching recipients.
  • reject: This policy tells receiving email servers to completely reject emails that fail SPF and DKIM. This policy is DMARC's strictest policy and completely prevents fake emails from reaching recipients. This policy should be implemented after you are sure that your email infrastructure is configured correctly and that all your legitimate emails pass SPF and DKIM.

DMARC Reporting

The DMARC record contains the information necessary for you to receive reports from receiving email servers about the authentication results of emails sent from your domain. These reports can be of two types:

  • Aggregate Reports (RUA): These reports are sent regularly (usually daily) by receiving email servers and summarize the overall authentication results of emails sent from your domain. These reports show which emails passed SPF and DKIM, which emails failed, and which policies were applied.
  • Forensic Reports (RUF): These reports are detailed reports sent by receiving email servers for emails that fail SPF and DKIM and have a DMARC policy set to "quarantine" or "reject". These reports contain more information about the email's content, headers, and authentication results.
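One way to triage an aggregate (RUA) report, added here as an example and not taken from the original article. The XML element names follow the RFC 7489 aggregate report schema; the sample report, the IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def make_record(ip, count, dkim, spf):
    """Build one constructed <record> element for the sample report."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample: one legitimate source, one source that passes on SPF
# only, and one source that fails both checks in two separate rows.
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + make_record("192.0.2.10", 120, "pass", "pass")
                 + make_record("198.51.100.7", 40, "fail", "pass")
                 + make_record("203.0.113.55", 15, "fail", "fail")
                 + make_record("203.0.113.55", 5, "fail", "fail")
                 + "</feedback>")

def summarize(report_xml):
    """Count messages per source IP that failed DMARC (neither check passed)."""
    # Reports arrive from third parties: refuse DTD/entity declarations
    # before handing the text to the XML parser.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    root = ET.fromstring(report_xml)
    total = 0
    failing = Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        total += count
        # policy_evaluated holds the aligned results; DMARC fails only
        # when both dkim and spf are something other than "pass".
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failing[row.findtext("source_ip")] += count
    return {"policy": root.findtext("policy_published/p"),
            "total": total,
            "dmarc_fail": sum(failing.values()),
            "failing_sources": failing.most_common()}

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Sources that appear in `failing_sources` are either unauthorized senders or legitimate services that still need SPF or DKIM set up, which is what has to be resolved before moving past the "none" policy.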

Example DMARC Record

An example DMARC record might look like this:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=s

This record specifies that the DMARC version is 1, the policy is "quarantine", aggregate reports will be sent to [email protected], forensic reports will be sent to [email protected], DKIM alignment is in "relaxed" mode (adkim=r), and SPF alignment is in "strict" mode (aspf=s).
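How a receiver combines the SPF and DKIM results with a published record like the one above, as an added example that is not part of the original article. It goes one step beyond the text by checking identifier alignment (the adkim/aspf tags) as defined in RFC 7489; the domains, the report address and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Constructed record for the example (the report address is a placeholder).
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com; adkim=r; aspf=s"

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags and apply the alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")  # relaxed is the default for both modes
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    # One aligned pass is enough; the published policy applies only on failure.
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

if __name__ == "__main__":
    # SPF passes for a subdomain (not aligned under aspf=s), DKIM is aligned.
    print(evaluate(RECORD, "example.com", "pass", "bounce.example.com",
                   "pass", "mail.example.com"))
    # SPF passes, but for an unrelated domain, and DKIM fails.
    print(evaluate(RECORD, "example.com", "pass", "esp-mail.test",
                   "fail", "example.com"))
```

The second call shows why an SPF "pass" alone does not satisfy DMARC: the domain that passed SPF must also align with the domain in the From header.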

Things to Consider When Implementing DMARC

Implementing DMARC is an important step to improve your email security, but it requires careful planning and implementation. Here are some important points to consider when implementing DMARC:

  • Configure SPF and DKIM Correctly: For DMARC to work effectively, SPF and DKIM must be configured correctly. Make sure all your legitimate email sources pass SPF and DKIM.
  • Start with the "none" Policy: For those implementing DMARC for the first time, it is best to start with the "none" policy. With this policy, you can receive reports on authentication results and identify problems in your email infrastructure without affecting your email flow.
  • Monitor Reports Regularly: By monitoring DMARC reports regularly, you can identify problems in your email infrastructure and optimize your DMARC policy. You can use DMARC reporting tools to analyze the reports.
  • Increase the Policy Gradually: After you are sure that your email infrastructure is configured correctly and that all your legitimate emails pass SPF and DKIM, you can gradually increase your DMARC policy to "quarantine" and then "reject".
  • Consider Third-Party Email Sending Services (ESP): If you are using third-party email sending services (ESP), make sure that the ESPs are DMARC compliant and that your emails pass SPF and DKIM.
  • Consider Subdomains: After creating a DMARC record for your main domain, you may want to consider creating a DMARC record for your subdomains as well. Creating a DMARC record for subdomains can further enhance your email security.

Conclusion and Summary

DMARC is a critical tool for improving email security and preventing email spoofing. By using existing email authentication mechanisms such as SPF and DKIM, it instructs receiving email servers on what to do with unauthenticated emails. By configuring and implementing DMARC correctly, you can protect your brand reputation, increase your email deliverability, and become more resistant to phishing attacks. Implementing DMARC requires careful planning and implementation, but the results will provide significant benefits for your email security. 
