Get a basic understanding of what Domain-based Message Authentication Reporting & Conformance is and how it affects your mail.
Domain-based Message Authentication, Reporting and Conformance (DMARC) lets you decide which messages get accepted and lets you see who is using your domain.
What is DMARC?
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps protect email domains from spoofing, phishing, and other types of abuse. DMARC builds on two existing protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to verify the identity of the sender and the integrity of the message. DMARC also provides a way for email receivers to report back to the senders about the status of the messages they receive, such as whether they pass or fail the authentication checks, or whether they are rejected, quarantined, or delivered.
How does DMARC work?
DMARC works by adding a special TXT record to the DNS (Domain Name System) of the email domain, which specifies how the domain owner wants receivers to handle messages that claim to come from that domain. The TXT record contains a set of tags and values that define the DMARC policy, such as the alignment mode, the percentage of messages to apply the policy to, the reporting options, and the desired action for failed messages. When a receiver gets an email from a domain that has a DMARC record, it first checks whether the message passes SPF and whether it carries a valid DKIM signature, and then compares the domain authenticated by each of those checks with the domain in the From header of the message. If an authenticated domain matches, or aligns with, the From domain according to the DMARC policy, the message passes DMARC. If not, the message fails and the receiver follows the action specified by the DMARC policy: reject, quarantine, or none.
Why is DMARC important?
DMARC is important because it helps email senders and receivers to improve the security and reliability of email communication. By using DMARC, senders can protect their domains from being used by malicious actors to send spam, phishing, or malware emails that can harm their reputation and their recipients. DMARC also gives senders more visibility and control over how their messages are handled by the receivers, and allows them to receive feedback and reports on the delivery and authentication status of their messages. Receivers, on the other hand, can use DMARC to filter out or flag messages that fail the authentication checks, and reduce the risk of exposing their users to fraudulent or harmful emails. DMARC also helps receivers to trust the messages that pass the authentication, and deliver them to the intended recipients without delay or modification.
What are the limitations of DMARC?
DMARC is not a perfect solution for email authentication and security, and it has some limitations that need to be considered. Some of the limitations are:
- DMARC only works when both sides take part: the sending domain must publish a DMARC record, and the receiver must check and enforce it. Not all email domains or providers have adopted DMARC, and some have different or incompatible policies or configurations.
- DMARC relies on SPF and DKIM to verify the sender and the message, but both of these protocols have their own limitations and challenges, such as IP address spoofing, key management, or forwarding issues.
- DMARC does not encrypt or protect the content of the message, only the identity of the sender and the integrity of the message. Therefore, DMARC does not prevent the message from being intercepted, read, or modified by third parties during the transmission.
- DMARC only protects the domain it is published for. A sender who controls a different domain, and has valid SPF and DKIM for it, passes DMARC for that domain. DMARC therefore does not stop malicious or deceptive emails sent from a domain the sender legitimately controls.
DMARC Syntax
DMARC syntax is the format and structure of the DMARC record that is added to the DNS of the email domain. The DMARC record is a TXT record that starts with the prefix "v=DMARC1;", followed by a series of tag=value pairs separated by semicolons. Each tag represents a different aspect of the DMARC policy, and each value defines the setting or option for that tag. The tags and values are case-insensitive, and the tags after the version prefix may appear in any order. The following entries summarize the main tags and values that can be used in a DMARC record, along with their meanings and examples.
DMARC Syntax Example
v=DMARC1; p=none; sp=none; rua=mailto:dmarc@domain.com; pct=100
P= Tag
Meaning: Required. The policy for the domain.
Values:
- none: No action, only monitor and report.
- quarantine: Move the message to the spam or junk folder.
- reject: Reject the message and do not deliver.
Example: p=quarantine
SP= Tag
Meaning: Optional. The policy for the subdomains of the domain. If not specified, the same policy as the parent domain is applied.
Values:
- none: No action, only monitor and report.
- quarantine: Move the message to the spam or junk folder.
- reject: Reject the message and do not deliver.
Example: sp=quarantine
PCT= Tag
Meaning: Optional. The percentage of messages that the policy applies to. If not specified, the default is 100%.
Value:
- A number between 0 and 100.
Example: pct=50
RUA= Tag
Meaning: Optional. The email addresses to send aggregate reports to. Multiple addresses can be specified, separated by commas.
Value:
- A list of mailto: URIs.
Example: rua=mailto:admin@example.com,mailto:dmarc@example.com
RUF= Tag
Meaning: Optional. The email addresses to send forensic or failure reports to. Multiple addresses can be specified, separated by commas.
Value:
- A list of mailto: URIs.
Example: ruf=mailto:admin@example.com
ADKIM= Tag
Meaning: Optional. The alignment mode for DKIM. If not specified, the default is r (relaxed).
Values:
- r: Relaxed. The domains are considered to align if the organizational domains match.
- s: Strict. The domains are considered to align if they are exactly the same.
Example: adkim=s
ASPF= Tag
Meaning: Optional. The alignment mode for SPF. If not specified, the default is r (relaxed).
Values:
- r: Relaxed. The domains are considered to align if the organizational domains match.
- s: Strict. The domains are considered to align if they are exactly the same.
Example: aspf=r
FO= Tag
Meaning: Optional. The conditions for generating failure reports. If not specified, the default is 0 (all).
Values:
- 0: Generate a report if all the authentication methods fail.
- 1: Generate a report if any of the authentication methods fail.
- d: Generate a report if DKIM fails.
- s: Generate a report if SPF fails.
Example: fo=1
RF= Tag
Meaning: Optional. The format of the failure reports. If not specified, the default is afrf (Authentication Failure Reporting Format).
Value:
- afrf or iodef (Incident Object Description Exchange Format).
Example: rf=iodef
RI= Tag
Meaning: Optional. The interval for sending aggregate reports, in seconds. If not specified, the default is 86400 (24 hours).
Value:
- A positive integer.
Example: ri=43200
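As an added example (not code from the original article), the following Python parses a record against the tags described above, fills in the documented defaults, rejects malformed records such as a missing p= or an out-of-range pct=, and then applies the adkim/aspf alignment rules to an SPF and DKIM result. Two assumptions are labelled in the comments: the v= tag must be first and read exactly DMARC1 (as RFC 7489 requires), and the organizational domain is approximated by the last two labels.

```python
# Defaults from the tag descriptions above. Assumption (RFC 7489): v= must be
# the first tag and read exactly DMARC1; sp= handling for subdomains is omitted.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record as a dict with defaults filled in, or raise ValueError."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (missing '='): {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if not txt.strip().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    rec = {**DEFAULTS, **tags}
    if not rec["pct"].isdigit() or not 0 <= int(rec["pct"]) <= 100:
        raise ValueError("pct= must be a number between 0 and 100")
    if rec["adkim"] not in ("r", "s") or rec["aspf"] not in ("r", "s"):
        raise ValueError("adkim= and aspf= must be r or s")
    rec["pct"], rec["ri"] = int(rec["pct"]), int(rec["ri"])
    # rua=/ruf= hold comma-separated lists of mailto: URIs (empty list if absent).
    rec["rua"] = [u.strip() for u in rec.get("rua", "").split(",") if u.strip()]
    rec["ruf"] = [u.strip() for u in rec.get("ruf", "").split(",") if u.strip()]
    return rec

def org_domain(domain):
    """Organizational domain. Assumption: the last two labels; real checkers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    """s = exact match; r = same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def dmarc_verdict(rec, header_from, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """'pass' if SPF or DKIM both passes and aligns with the From domain, else the p= policy."""
    spf_ok = spf_pass and aligned(spf_domain, header_from, rec["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, header_from, rec["adkim"])
    return "pass" if spf_ok or dkim_ok else rec["p"]
```

Feeding the unsemicoloned, lowercase example from earlier on this page into parse_dmarc raises a ValueError, which is exactly the kind of publishing mistake a pre-deployment check should catch.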
What are DMARC Reports?
DMARC reporting is a feature of DMARC that allows domain owners to monitor and analyze the email authentication status of messages sent from their domains. DMARC reporting consists of two types of reports: aggregate reports and failure reports.
Aggregate Reports
Aggregate reports are periodic summaries, produced by a receiving mail system, of the DMARC results for all messages it received that claimed to come from your domain. They contain information such as the number and percentage of messages that passed or failed DMARC validation, the alignment mode and policy the receiver applied, the identifiers (such as the From domain) and IP addresses of the senders, and so on. Aggregate reports help domain owners evaluate the effectiveness and coverage of their DMARC policy and identify potential sources of spoofing or misalignment.
Forensic Reports
Forensic reports (also called failure reports) are triggered by individual messages that fail DMARC validation. They contain more detailed information about the source and content of those messages, such as the headers, body, and attachments. Failure reports help domain owners investigate and troubleshoot specific DMARC failures and take corrective action where needed.
How to Enable DMARC Reporting
To enable DMARC reporting, domain owners specify one or more URIs (usually email addresses) in their DMARC record, using the rua and ruf tags. The rua tag indicates where aggregate reports should be sent, and the ruf tag indicates where failure reports should be sent. Multiple URIs can be specified, separated by commas. For example, the DMARC record below instructs receiving domains to send aggregate reports to example@example.com and failure reports to example@example.com:
v=DMARC1; p=none; rua=mailto:example@example.com; ruf=mailto:example@example.com; ...
DMARC Report Frequency
The frequency of DMARC reporting depends on the settings of the sending and receiving domains. The sending domain can specify the interval of aggregate reports using the tag ri in their DMARC record. The default value is 86400 seconds, which means one report per day. The receiving domain can decide how often to send failure reports, depending on their resources and preferences. Some domains may send failure reports immediately after each message that fails DMARC validation, while others may send them in batches or at regular intervals.
DMARC Reporting Limitations
DMARC reporting also has some limitations that domain owners should be aware of. Not every domain that receives messages from a domain with a DMARC policy will send reports back to the domain owner. Some domains do not support DMARC reporting at all, or have technical issues or privacy concerns that prevent them from sending reports. Moreover, reports may not arrive as frequently as the domain owner would like, especially failure reports, which are sent at the discretion of the receiving domain. Domain owners should therefore not rely solely on DMARC reporting to monitor their email authentication status, but complement it with other tools and methods.
DMARC reporting is a powerful tool for domain owners to improve their email security and reputation, and to protect their users and customers from phishing and spoofing attacks.