Enterprise Email Infrastructure: Security Baseline and Best Practices - DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on the existing standards of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a robust framework for email security. It aims to combat email spoofing, phishing, and other fraudulent activities by ensuring that incoming messages are properly authenticated against the sender's domain and providing a mechanism for domain owners to publish policies and receive reports.
Key Components of DMARC
- Alignment:
• SPF Alignment: Ensures the domain in the Return-Path header matches the domain in the From header.
• DKIM Alignment: Ensures the domain in the d= tag of the DKIM signature matches the domain in the From header.
- Policies:
• none: The domain owner requests no specific action to be taken, only reporting.
• quarantine: The domain owner requests that emails failing DMARC checks be treated as suspicious and moved to the spam/junk folder.
• reject: The domain owner requests that emails failing DMARC checks be rejected outright.
- Reporting:
• Aggregate Reports: Provide summarized data on email authentication results.
• Forensic Reports: Provide detailed information about individual emails that failed authentication checks.
How DMARC works
- Publish DMARC Record: Domain owners publish a DMARC record in their DNS settings, specifying their policy preferences and email addresses for receiving reports.
Example DMARC Record
_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1"
- Email Sending:
• When an email is sent from the domain, it should ideally pass both SPF and DKIM checks.
• The 'From' address in the email header should align with the domains specified in SPF and DKIM.
- Email Receiving:
• The receiving mail server checks for the existence of a DMARC record for the sender's domain.
• The server then performs SPF and DKIM checks, verifying alignment with the 'From' domain.
• Based on the DMARC policy (none, quarantine, reject), the server takes the appropriate action on the email.
- Reporting:
• The receiving server generates aggregate and/or forensic reports and sends them to the addresses specified in the DMARC record.
How DMARC Ties SPF and DKIM Together
SPF and DKIM are foundational protocols that DMARC relies on for email authentication. DMARC builds on these by requiring that the authenticated domain in SPF and/or DKIM aligns with the From domain used by the sender.
We will illustrate this with an example. Consider a domain orgA.com that wants to implement DMARC to protect its email infrastructure.
These are the entries in orgA's public DNS:
- SPF Record: This SPF record authorizes Google’s mail servers to send emails on behalf of orgA.com.
orgA SPF Record
orgA.com IN TXT "v=spf1 include:_spf.google.com -all"
- DKIM Record: This DKIM record provides the public key for verifying DKIM signatures.
orgA DKIM Record
default._domainkey.orgA.com IN TXT "v=DKIM1; k=rsa; p=MHwwD..."
- DMARC Record:
orgA DMARC Record
_dmarc.orgA.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@orgA.com; ruf=mailto:dmarc-forensic@orgA.com; fo=1"
This DMARC Record:
• Enforces a 'reject' policy for emails that fail both the aligned SPF check and the aligned DKIM check (DMARC passes if either one passes with alignment).
• Requests aggregate reports to 'dmarc-reports@orgA.com'.
• Requests forensic reports to 'dmarc-forensic@orgA.com'.
• Specifies that failure reports (forensic reports) should be sent for any authentication failures (fo=1).
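To make the receiving-side evaluation from "How DMARC works" and the orgA example concrete, here is an added Python example (not code from the original page) that parses a DMARC record, applies the alignment rules to SPF/DKIM results, and returns the disposition. The organizational-domain helper is a deliberate simplification (last two labels); real validators use the Public Suffix List.

```python
from typing import Dict, Optional, Tuple

# The orgA DMARC record from the example above (quotes stripped as a resolver would return it).
ORGA_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@orgA.com; "
               "ruf=mailto:dmarc-forensic@orgA.com; fo=1")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tag=value pairs (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels (real validators use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_d: Optional[str]) -> Tuple[bool, str]:
    """Evaluate DMARC for one message.

    spf_domain is the Return-Path (envelope) domain SPF was checked against; dkim_d is the
    d= tag of the verified DKIM signature. Returns (dmarc_pass, action) where action is
    'deliver' on pass or the published p= policy (none/quarantine/reject) on failure.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok  # DMARC passes when either aligned mechanism passes
    return passed, ("deliver" if passed else tags.get("p", "none"))
```

A message that passes SPF for an unrelated envelope domain and carries no DKIM signature from orgA.com fails DMARC and is rejected under this record, while a DKIM pass with d=orgA.com alone is enough to deliver.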
Benefits of DMARC
- Enhanced security:
• Protects against email spoofing and phishing attacks.
• Ensures that only authorized senders can send emails on behalf of the domain.
- Visibility:
• Provides detailed reports on email authentication, helping domain owners understand their email ecosystem.
- Improved deliverability:
• By establishing trust, DMARC can improve the deliverability of legitimate emails.
Conclusion
DMARC is a crucial component of email security that ties together SPF and DKIM to provide a comprehensive mechanism for verifying the authenticity of emails. By implementing DMARC, organizations can significantly reduce the risk of email fraud, protect their brand reputation, and ensure the integrity of their communications.