DMARC is an email authentication, reporting, and policy conformance protocol that can safeguard users from spoofing and phishing. It also helps in building a sound domain reputation. So let's dive in to learn more about DMARC.
Table of contents
- What is DMARC?
- Why DMARC?
- How does DMARC safeguard your domain from phishing?
- Who can use DMARC?
- How to set up DMARC?
- Conditions for DMARC to pass
- How to add a DMARC record to your DNS provider?
- What is DMARC policy?
- DMARC for AMP email approval from email clients
- Mailmodo helps you to set up DMARC
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC is a standard email authentication protocol that helps you take an authoritative action in case DKIM/SPF fails.
DMARC performs the following functions:
- Adds linkage to the author's ("From") domain name.
- Publishes policies that tell recipients how to handle authentication failures.
- Provides reporting from receivers to senders.
- Monitors and improves the domain's protection from fraudulent emails.
An organization can easily incorporate the DMARC protocol into its existing inbound email authentication process. It ensures that the email message aligns with what the receiver knows about the sender. If it doesn't match, the published guidelines tell the receiver how to handle such non-aligned messages.
Why DMARC?
The importance of DMARC is deeply tied to email security and deliverability. The major benefits for which you should set up DMARC are as follows:
- DMARC provides robust email authentication reporting.
- The protocol reduces phishing, that is, the delivery of fraudulent emails to the recipient's inbox. It also minimizes false positives.
- With the help of the DMARC protocol, ISPs (internet service providers) can identify spammers quickly. This keeps malicious emails from reaching recipients' inboxes.
- DMARC tends to replace Author Domain Signing Practices (ADSP) by adding support for aspects such as subdomain policies (wildcarding), non-existent subdomains, slow rollout (such as percentage experiments), SPF, and quarantining mail.
- Working at internet scale, DMARC helps avoid unnecessary complexity and makes way for more transparency.
- DMARC solves the problem of spammers using your domain name to send emails.
How does DMARC safeguard your domain from phishing?
DMARC uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine an email's authenticity. It helps reduce email malpractice to a great extent.
Who can use DMARC?
DMARC policies are published in the public Domain Name System (DNS), so they are available to everyone. The published specification carries no licensing or other restrictions. Any interested party can implement it freely.
How to set up DMARC?
Implementing a DMARC policy on your domain name involves several steps. First, you change the DNS records at the domain registrar. Then, the email provider is configured on its end to send signed emails.
Basic steps included in the execution process are as follows:
1. Set up SPF on the envelope domain.
2. Set up DKIM on the sender domain.
3. Add the DMARC record.
4. Test and verify (preferably set the policy to none at this stage).
Conditions for DMARC to pass
- The sender domain must pass DKIM.
- The envelope domain must pass SPF. The sender domain is a sub-domain of the envelope domain or vice versa.
How to add a DMARC record to your DNS provider?
Once SPF and DKIM are set up properly, the DMARC policy can be tested and verified. For this, you must add the DMARC record to your domain's DNS settings.
Here's how you can set up the DMARC DNS:
1. Visit your DNS hosting provider
Firstly, you have to log in to your DNS hosting provider. Different servers have different interfaces. You can also go to the manage/configure DNS settings option. Once logged in, check for the 'Creating a new record' prompt.
2. Create a new DMARC record
Search for the 'TXT' section to create and edit a new record.
3. Enter values
Fill in values for the following fields:
Host/name: Enter the value '_dmarc' in this field. If you are entering a DMARC record for a subdomain, enter '_dmarc.subdomain' instead. The hosting provider appends the domain after the value.
Record type: Select the 'TXT' DNS record option from the drop-down list.
Value: Every DMARC record requires two tag-value pairs. The first is "v," and the second is "p." The "v" tag has only one valid tag-value pair, written as v=DMARC1. Three options are available for the "p" tag: 'none,' 'quarantine,' or 'reject.' These tag-value pairs are entered as 'p=none', 'p=quarantine', or 'p=reject'.
4. Tap on create/save
Click on create/save option to generate and submit the DMARC record.
5. Validate record
This step involves testing the new DMARC record directly. First, check that the syntax and the values you added are correct. Then, test all the defined policies to ensure they perform as required, so that no legitimate email gets blocked.
Following is an example of a DMARC record:
_dmarc.yourdomain IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
The three (3) tags are: v, p, & rua, and the three (3) values are DMARC1, none, and mailto:dmarc@yourdomain.com. The "v" tag is the version of DMARC, the "p" tag is the policy (meaning what action to take if the message fails DMARC), and the "rua" tag is the email address to send DMARC aggregate reports to.
Keep monitoring the overall performance to understand the logistics of the email domains and generate better results.
What is DMARC policy?
The DMARC policy specifies how email servers deal with and handle SPF and DKIM. It gives domain administrators a reporting mechanism to identify any email failure or spoofing attempt on the domain. A report by IETF Datatracker explains how it's done.
DMARC for AMP email approval from email clients
If you want to send out interactive AMP emails, you will have to register and get whitelisted with Yahoo Mail, Gmail, and Mail.ru. These are the only three email clients which support AMP emails. For a successful whitelisting of your sender address, you will have to set up DMARC for your domain.
Mailmodo helps you to set up DMARC
With Mailmodo, you can easily set up DMARC and start sending out interactive AMP emails. Furthermore, the Mailmodo team assists you in incorporating the DMARC to protect your company's domain name easily and reap the benefits of interactive AMP emails.