What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a domain-based email control. Email domains are a shared resource within most organizations with use spanning from employees to entire departments, external parties that send email on behalf of the organization, and the organization’s own Internet-facing applications.
DMARC helps legitimize email by doing two things:
- Provides feedback to the domain owner about the email itself, including if SPF and/or DKIM are properly aligned.
- Tells email receivers (like Gmail and Yahoo) how to handle messages that fail to align with SPF and DKIM.
Deploying DMARC yields benefits across different facets of an organization. Many organizations look at DMARC for the first time from a specific perspective that might not take into consideration DMARC’s total value.
- People in security see benefits in DMARC as an outbound anti-phishing technology.
- People in marketing see benefits in DMARC as a way to make email easier to deliver to their recipients.
- People in management see benefits in DMARC as a compliance tool to ensure an organization’s standards are upheld.
The work required to deploy DMARC is directly related to the size and complexity of an organization’s email infrastructure. An initial assessment should be performed to determine the context in which the deployment project will operate, the complexity of the existing email environment, and the implementation capabilities of the organization. Results of the assessment directly inform project scoping and planning.
When deploying DMARC, it’s best to roll out the technology across all of an organization’s domains instead of focusing on individual domains. When DMARC is deployed across the organization’s entire domain portfolio, the process of deployment becomes much easier, and the benefits increase to the point where managers get new tools to ensure email is being sent in compliance with the organization’s standards.
Built upon SPF and DKIM
DMARC, an open-source standard, uses a concept called alignment to tie the result of SPF and DKIM to the content of an email.
SPF: a published list of servers that are authorized to send email on behalf of a domain. SPF has been around since 2003.
DKIM: a method of adding a tamper-evident domain seal to a piece of email. DKIM has
roots going back to 2005.
If not already deployed, creating a DMARC record for your domain will give you visibility that will
allow you to troubleshoot your SPF and DKIM configurations if needed.
dmarcian’s DMARC Record Wizard simplifies the process of creating the DMARC record itself.
Once you’ve published DMARC records, DMARC data typically begins to generate within a couple of days in the form of reports that give you insight into the way your domains are handling email. There are two types of reports: RUA reports provide a comprehensive view of all of a domain’s traffic (as seen by the organization that generates the report); RUF reports are redacted copies of individual emails that are not 100% compliant with DMARC.
The comprehensive reports are XML-based and include information such as message counts, IP addresses, and the results of processing SPF and DKIM. It can be difficult for humans to read and make sense of XML reports, especially when they number in the thousands. dmarcian specializes in processing these reports and identifying the steps needed so that DMARC can be more easily deployed throughout an organization.
For an email message to be considered DMARC compliant, the domain found in the From: header must match the domain validated by SPF or the source domain found in a valid DKIM signature. If the domains match and at least either DKIM or SPF is verified, receivers can safely say that the email legitimately comes from the specified domain.
A DMARC policy allows a domain owner to indicate that their messages are protected by SPF and/or DKIM and tells the recipient what to do if none of these are verified on a particular email, such as marking it as spam or rejecting delivery.
In the DMARC record, you can set your DMARC policy to determine how non-compliant email is handled:
- Monitoring (p=none) no impact on mail flows
- Quarantine (p=quarantine) messages that fail DMARC are moved to spam folder
- Reject (p=reject) messages that fail DMARC aren’t accepted at all
The Road to p=reject
Once you’re confident you have deployed SPF and DKIM across all of your domains, you can then tell the world to act against email that is not compliant with DMARC. DMARC allows for the publication of a policy that will be applied against email that is not DMARC compliant. The goal is to get all domains and subdomains at a p=reject DMARC policy.
Getting to p=reject is a process to ensure that legitimate email isn’t impacted. DMARC policies typically start at a state of p=none, a monitoring phase that provides insight into how your domain is being used and how SPF and DKIM are functioning. p=reject instructs email receivers to refuse to accept email that fails DMARC. By default, email that fails under a reject policy is not accepted—this is the ultimate control against the sending of unauthorized email making use of your domain.
Only 30% of organizations who start the process of deploying DMARC ever complete the process. The challenge with deploying DMARC isn’t the specification itself but with the email ecosystem and the interpretation of the feedback that is provided. The process of adopting DMARC into an organization can be daunting, but with the proper knowledge and assistance, it can be easily managed.
dmarcian is dedicated to upgrading the world’s email by making DMARC accessible to all. Tim Draegen, CEO and founder is a primary author of the DMARC technical specification and a previous chair of the IETF DMARC working group. dmarcian brings together thousands of senders, vendors and operators in a common effort to build DMARC into the email ecosystem.
dmarcian has developed a successful, efficient project-based approach
for policy enforcement that addresses technical compliance and how it affects different aspects of your organization. To turn thousands of XML records into something useful, dmarcian processes DMARC data using a complex set of identifiers. dmarican categorizes sources of email and present you with DMARC compliance status (based on email source, DKIM and SPF), and alerts if there are any potential threats or abuse on your domains.
Kraft Technology Group was one of the first Managed Service Providers to partner with dmarcian. KTG evaluated several DMARC services and chose dmarcian because of the trust found in their operating model, the integrity of their executives and employees, and the effectiveness of their platform.
In 2019, KTG took the first step (with dmarcian’s help) to get all our domains to p=reject before we started helping clients deploy DMARC. We like to “eat our dog food” as the saying goes and can whole-heartedly stand behind dmarcian’s services. If done effectively, DMARC implementation and management can be a smooth process and a project that can drive a business forward, in addition to increasing the security posture. DMARC can increase deliverability of emails from your email sending domains and thus be a catalyst for revenue and we have seen that be the case for KTG.
If you are exploring DMARC implementation for your business or enterprise, please reach out KTG to discuss how our partnership with dmarcian is the answer you are looking for.