What is DMARC?
DMARC determines what to do with an email that cannot be authenticated properly. It helps greatly in preventing email impersonation fraud, phishing and/or spoofing.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a free and open technical specification that is used to authenticate an email by aligning the SPF and DKIM mechanisms.
- SPF verifies if an email was sent using approved servers
- DKIM adds a digital signature to the email, allowing the receiving server to verify the contents of the email
- DMARC sets a policy on what to do with emails that fail both the SPF and DKIM checks
The Benefits of DMARC - how does it help?
DMARC helps protect your domain against being used to send, for example, phishing and spoofed emails, effectively blocking bad actors from impersonating you and/or your company. It guards companies against reputational damage to their brands. Having a DMARC DNS record shows email providers that you are trustworthy, which improves the overall deliverability of your mails. This is important if you send, for example, newsletters to your customers.
DMARC policies
When you create a DMARC record you need to choose a policy. The policy determines the actions for emails that fail the DMARC check:
- p=none - is for monitoring and gathering results without taking action; emails are delivered as usual without any change.
- p=quarantine - messages are moved to the spam folder (or other quarantine implementations) automatically
- p=reject - messages are not delivered at all, they are rejected at the mailserver if the DMARC check fails
The normal process for implementing a DMARC record is to start with "none" and then move on to "quarantine" and finally "reject". This allows you to first monitor which mails are sent from your domain, then quarantine to test the effect and finally reject mails that cannot be authenticated properly. Several external solutions exist to help you with analysing the reports.
DMARC reports
There are two types of DMARC reports:
- RUA reports are sent daily and contain a comprehensive overview of all emails sent from your domain, including IP addresses. The A stands for aggregate reports.
- RUF reports are only sent if an email fails the DMARC check. They contain a redacted copy of the original message and message header of the email that failed DMARC compliance. The F stands for forensic reports.
RUF data can be useful for understanding why some legitimate traffic is failing DMARC and for potentially seeing more detail on how messages abusing your domain are constructed.
Please consider creating a dedicated email address for receiving the reports.
How to create a DMARC record on your domain
To deploy DMARC you must publish a DMARC record in DNS for your domain.
Please check your provider's documentation/help guides if your DNS resides with them.
An example DMARC DNS TXT record could look like this:
"v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com;"
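Before publishing a record like the one above, it can be checked for the mistakes that most often make a record invalid. The following is an added example, not part of the original page or of OX Cloud; the function names `parse_dmarc` and `check_dmarc` are hypothetical, and the checks cover only the tags discussed on this page (v, p, rua, ruf).

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return (tags, problems); an empty problems list means the record looks sane."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems = []
    # The version tag has to come first, otherwise receivers ignore the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    # rua/ruf hold a comma-separated list of report destinations.
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} destination is not a mailto: address: {uri}")
    if "rua" not in tags:
        problems.append("no rua address: aggregate reports will not be received")
    return tags, problems

# The example record from this page.
PAGE_RECORD = ('"v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; '
               'ruf=mailto:dmarc-reports@yourdomain.com;"')

if __name__ == "__main__":
    print(check_dmarc(PAGE_RECORD))
```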
DMARC handling in OX Cloud
This is a description of what the implementation looks like in our OX Cloud environment.
Headers
Here is an example of what the headers will look like:
X-OX-DMARC: pass (policy=quarantine)
Received-SPF: Pass
Received-DKIM: pass
Authentication-Results: oxsus-vadesecure.net; iprev=pass ip=185.70.40.135;
  spf=Pass client-ip=185.70.40.135 smtp.mailfrom=user@domain.com;
  dkim=pass;
  dmarc=pass action=quarantine;
Logic
The matrix describes the actions our MTA takes in the different scenarios:
DMARC result | p=none | p=quarantine | p=reject |
---|---|---|---|
PASS | Set header X-OX-DMARC to "pass (policy=none)"; deliver | Set header X-OX-DMARC to "pass (policy=quarantine)"; deliver | Set header X-OX-DMARC to "pass (policy=reject)"; deliver |
FAIL | Set header X-OX-DMARC to "fail (policy=none)"; deliver | Set header X-OX-DMARC to "fail (policy=quarantine)"; filter to Spam | Reject mail |
Our global filter rules match on the header X-OX-DMARC with the value "fail (policy=quarantine)" and make sure mails in this category are filtered into the Junk/Spam folder.
This happens when alignment fails for both SPF and DKIM, which causes DMARC to fail, and the policy for the sending domain is set to quarantine.
If there is no DMARC record, there will be no X-OX-DMARC header and the Authentication-Results header will show dmarc=none.
If there is a general problem with the DMARC record, so that it is considered invalid, the Authentication-Results header will show dmarc=error and there will be no X-OX-DMARC header.
That means there are 3 specific cases where there will be no X-OX-DMARC header:
- If there is no DMARC record for the domain present in DNS (dmarc=none)
- If the DMARC record is found faulty (dmarc=error)
- If DMARC alignment fails due to both SPF and DKIM failing and the policy is set to p=reject (dmarc=fail action=reject)
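The matrix and the three header-less cases above can be turned into a small triage helper for a raw message taken from "View Source" or a mail export. This is an added example, not OX Cloud code; the function name `classify`, the host name mx.example.net and the sample messages are constructed, and it assumes the headers were written by the receiving MTA rather than supplied by the sender.

```python
import re
from email import message_from_string

X_OX = re.compile(r"^(pass|fail) \(policy=(none|quarantine|reject)\)$")
AR_DMARC = re.compile(r"\bdmarc=(\w+)")
NO_HEADER_REASON = {
    "none": "no DMARC record in DNS",
    "error": "DMARC record considered invalid",
    "fail": "rejected at the MTA (p=reject)",
}

def classify(raw):
    """Return (dmarc_result, policy, handling) for one raw message."""
    msg = message_from_string(raw)
    header = msg.get("X-OX-DMARC")
    if header is None:
        # One of the three header-less cases: fall back to Authentication-Results.
        results = " ".join(msg.get_all("Authentication-Results", []))
        m = AR_DMARC.search(results)
        verdict = m.group(1).lower() if m else "missing"
        return (verdict, None, NO_HEADER_REASON.get(verdict, "no DMARC verdict found"))
    m = X_OX.match(header.strip())
    if not m:
        return ("unknown", None, "unrecognised X-OX-DMARC value")
    result, policy = m.groups()
    if (result, policy) == ("fail", "quarantine"):
        return (result, policy, "filter to spam")
    if (result, policy) == ("fail", "reject"):
        # Per the matrix this mail is rejected, so it should never reach a mailbox.
        return (result, policy, "unexpected: the matrix rejects this mail")
    return (result, policy, "deliver")

# Constructed sample messages (folded headers, then a blank line and a body).
SAMPLE_PASS = (
    "X-OX-DMARC: pass (policy=quarantine)\n"
    "Authentication-Results: mx.example.net; spf=Pass;\n"
    " dkim=pass;\n"
    " dmarc=pass action=quarantine;\n\nbody\n"
)
SAMPLE_SPAM = (
    "X-OX-DMARC: fail (policy=quarantine)\n"
    "Authentication-Results: mx.example.net; spf=Fail;\n"
    " dkim=fail;\n"
    " dmarc=fail action=quarantine;\n\nbody\n"
)
SAMPLE_NO_RECORD = "Authentication-Results: mx.example.net; spf=Pass;\n dmarc=none;\n\nbody\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PASS, SAMPLE_SPAM, SAMPLE_NO_RECORD):
        print(classify(sample))
```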
App Suite
In our App Suite you can click on the three dots (more actions) to get more information about a particular mail, and then choose "View Source".
Below the full Mail Source including headers you find the "Authentication Details" box - which sums up the results of SPF, DKIM and DMARC for an easier overview.
DMARC Reporting
DMARC reports are sent out every 24h by default.
So if you added rua or ruf details to your DMARC record to get an overview of your domain's status and sending sources and to see where abuse originates, you may receive reports from us.