What is DMARC?

DMARC is a protocol intended to give domain owners the ability to protect their domain from email spoofing attacks. It also allows visibility into emails being sent from your domain, both accepted and rejected. If you're curious, DMARC stands for Domain-based Message Authentication, Reporting and Conformance.

You can (and should!) have SPF, DKIM, and DMARC set up for your domain. It will help you:

  1. Prevent email spoofing attacks
  2. Improve your email delivery (DMARC is now required by various major email providers)
  3. Keep your sender reputation in good standing

Primary Goals of DMARC

Tell email servers what to do with emails from your domain that fail validations

Email marked as being "from" your domain may fail validations for multiple reasons:

  1. You have misconfigured (or unconfigured) SPF, DKIM, and/or DMARC settings for your domain
  2. Someone is trying to spoof email and make it seem like it came from you

You can tell the receiving email servers (e.g. Gmail, Outlook, etc.) what they should do in this case:

  1. None (do nothing)
  2. Quarantine (send to spam)
  3. Reject (won't even show up in a user's spam folder)

The goal is to use the quarantine policy, at the bare minimum. The none policy is typically used when initially onboarding a domain, to monitor delivery and ensure everything is set up correctly before switching to quarantine or reject.

We tend to prefer the stricter reject policy; however, this may not be suitable for everyone. Some organizations or individuals may be unwilling to accept the risk of email not being seen at all (not even in the spam folder) if a legitimate email message fails DMARC validation for some unintentional reason (perhaps a misconfiguration).

Receive reports telling you if your emails were delivered successfully

You can specify an address that other email servers should send reports to. These reports tell you how those servers handled email from your domain: how many emails passed, how many failed, and the reason for each failure (SPF and/or DKIM validation failure).

These reports aren't exactly user-friendly, though: they are XML documents. This is where a solution like DMARC Sentry comes into play. We aggregate all of these non-user-friendly reports from all the email providers and display them to you in an easy-to-digest format. You can get a single, easy-to-read daily and/or weekly report in your inbox.

Example DMARC Configuration

DMARC is configured in your domain's DNS. Below is an example of what a basic configuration looks like:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Let's break it down:

  • v=DMARC1: This is just specifying the version of the specification to use. There is only DMARC1 right now.
  • p=reject: The policy to use when messages fail validation. In this case, the email message will be completely rejected and won't even make it to the user's spam folder.
  • rua=mailto:[email protected]: Where to send the DMARC aggregate reports
  • ruf=mailto:[email protected]: Where to send the DMARC forensic reports
  • fo=1: This says to send a failure (forensic) report if either DKIM or SPF failed validation

There are more possible DMARC configuration options, but that's beyond the scope of this document. Of course, we are here to help our customers configure their DMARC settings according to their individual needs.