DMARC and how it protects your domain reputation
The goal of this article is to explain what DMARC is and how it helps protect email senders and recipients from spam, spoofing, and phishing.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps domain owners protect their domains from unauthorized use, such as email spoofing. It allows domain owners to publish a policy in their DNS records specifying which mechanisms (e.g., SPF, DKIM) are used to authenticate email messages sent from their domain. DMARC also provides a mechanism for receiving reports on messages that pass or fail DMARC evaluation.
Implementing DMARC
Implementing DMARC involves several steps:
1. Audit your domain's email infrastructure
Before implementing DMARC, identify all servers, applications, and third-party services sending emails on behalf of your domain.
2. Set up SPF and DKIM
DMARC builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). SPF specifies which servers are authorized to send emails on behalf of your domain, while DKIM cryptographically signs emails to verify their authenticity.
3. Publish a DMARC policy
Create a DMARC policy that specifies how email receivers should handle messages failing DMARC evaluation. Publish this policy in your domain's DNS records.
4. Monitor DMARC reports
Once your DMARC policy is live, email receivers will send reports detailing which messages pass or fail DMARC evaluation. These reports provide valuable insights into your email authentication.
5. Take action based on DMARC reports
Analyze DMARC reports to identify spoofing attempts or issues with email authentication. Adjust your email infrastructure or policies as needed.
6. Monitor and update your DMARC policy
Continuously monitor the effectiveness of your DMARC policy and update it as your email infrastructure evolves.
7. Keep DNS records up to date
Ensure your DNS records reflect any changes to your email infrastructure or DMARC policy.
Note: DMARC implementation is an ongoing process requiring regular monitoring and updates. If you're unfamiliar with email infrastructure and DNS, consider hiring an email security provider or domain registrar offering DMARC implementation services.
By implementing DMARC, domain owners can protect their domains from unauthorized use, reduce the risk of being blacklisted, and safeguard recipients from spam and phishing attempts.
Creating a DMARC record
To add a DMARC record to your DNS, create a TXT record with your DMARC policy. Below is an example:
_dmarc.example.com. TXT "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1; adkim=r; aspf=r"
Explanation of the rules in the example record:
v=DMARC1: Specifies the DMARC version.
p=reject: Instructs email receivers to reject messages failing DMARC evaluation.
sp=none: Specifies the policy applied to mail from subdomains; here it is "none".
pct=100: Indicates that 100% of messages are subject to DMARC evaluation.
rua=mailto:dmarc@example.com: Specifies the email address for aggregate reports.
ruf=mailto:dmarc@example.com: Specifies the email address for forensic reports.
fo=1: Requests failure reports for messages failing DMARC but passing SPF or DKIM.
adkim=r: Specifies relaxed alignment for DKIM evaluation.
aspf=r: Specifies relaxed alignment for SPF evaluation.
Add this record to your domain's DNS records. Consult your DNS provider's documentation for specific instructions. Use tools like dmarcian.com to verify your DMARC record.
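To check a record before publishing it, here is an added Python example (not part of the original article) that parses the tag=value syntax above and flags common mistakes; run against the article's own record it points out that sp=none keeps subdomains on a monitoring-only policy while p=reject applies to the organizational domain. The GOOD and BAD records are constructed test inputs.

```python
# Added example, not part of the original article: a parser and sanity
# checker for the DMARC TXT record format explained above.
ALLOWED_P = {"none", "quarantine", "reject"}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(txt):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    tags = parse_dmarc(txt)
    if not txt.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    p = tags.get("p")
    if p is None:
        findings.append("required tag p= is missing")
    elif p not in ALLOWED_P:
        findings.append(f"invalid p= value {p!r}")
    sp = tags.get("sp")
    if sp is not None and sp not in ALLOWED_P:
        findings.append(f"invalid sp= value {sp!r}")
    elif sp is not None and p in STRENGTH and STRENGTH[sp] < STRENGTH[p]:
        findings.append(f"subdomain policy sp={sp} is weaker than p={p}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct= must be an integer 0-100, got {pct!r}")
    for tag in ("rua", "ruf"):  # report addresses must be mailto: URIs
        uris = [u.strip().lower() for u in tags.get(tag, "mailto:").split(",")]
        if not all(u.startswith("mailto:") for u in uris):
            findings.append(f"{tag}= entries must be mailto: URIs")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings

# Constructed sample records: the article's example and a deliberately broken one.
GOOD = ("v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc@example.com; "
        "ruf=mailto:dmarc@example.com; fo=1; adkim=r; aspf=r")
BAD = "v=DMARC1; p=block; pct=150; rua=dmarc@example.com"
```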
DMARC reports
DMARC reports provide insights into how your domain's emails are being authenticated. They typically include:
The domain for which the report was generated.
The reporting period (start and end dates).
The number of messages passing or failing DMARC evaluation.
SPF and DKIM authentication results.
IP addresses and identifying information for sending servers.
Additional details, such as subject lines and recipient addresses.
Parsing DMARC reports:
DMARC reports are sent in XML format. Use XML parsing tools to extract and analyze the data. This helps identify spoofing attempts, monitor policy effectiveness, and make necessary adjustments.
Example DMARC report
Here’s an example of a DMARC report:
<feedback>
  <report_metadata>
    <org_name>example.com</org_name>
    <email>mailto:dmarc@example.com</email>
    <extra_contact_info>https://example.com/dmarc</extra_contact_info>
    <report_id>1234567890</report_id>
    <date_range><begin>2022-01-01</begin><end>2022-01-31</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.1</source_ip><count>100</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
        <reason><type>forwarded</type></reason>
        <reason><type>autoreply</type><comment>This message was forwarded from another address.</comment></reason>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>selector1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.2</source_ip><count>50</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>fail</result><selector>selector1</selector></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
Key elements in the report:
Organization information: Includes the organization's name, contact details, unique report ID, and reporting period.
DMARC policy: Specifies the domain owner's policy (e.g., p=reject) and the percentage of messages subject to evaluation (pct=100).
Message details: Includes the IP address of the sending server, SPF/DKIM evaluation results, and the number of messages sent.
Header "From" field: Indicates the domain claimed as the sender.
Additional information: Provides details like whether the message was forwarded or an autoreply.
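Parsing a report of this shape with Python's standard library, as an added example that is not part of the original article: SAMPLE_REPORT is a constructed report carrying the values from the example above (with the date range as epoch seconds), and summarize() totals each sending IP's messages into DMARC pass and fail counts so that a new, failing source stands out.

```python
# Added example, not from the original article: parse a DMARC aggregate report
# (RFC 7489 XML) and total each sending IP's passing and failing mail.
# SAMPLE_REPORT is a constructed sample carrying the article's example values.
import xml.etree.ElementTree as ET
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>example.com</org_name><report_id>1234567890</report_id>
<date_range><begin>1640995200</begin><end>1643587200</end></date_range></report_metadata>
<policy_published><domain>example.com</domain><p>reject</p><sp>none</sp><pct>100</pct></policy_published>
<record><row><source_ip>192.0.2.1</source_ip><count>100</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf><reason><type>forwarded</type></reason>
</policy_evaluated></row><identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result><selector>selector1</selector></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.2</source_ip><count>50</count><policy_evaluated>
<disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>fail</result><selector>selector1</selector></dkim>
<spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def _text(el, path, default=""):  # text of the first element at path, else default
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default

def parse_report(xml_text):
    """Return (report metadata, one dict per <record>) from aggregate-report XML."""
    root = ET.fromstring(xml_text)
    meta = {"org": _text(root, "report_metadata/org_name"),
            "domain": _text(root, "policy_published/domain"),
            "policy": _text(root, "policy_published/p")}
    records = []
    for rec in root.findall("record"):
        pe = "row/policy_evaluated/"
        records.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, pe + "disposition"),
            "dkim": _text(rec, pe + "dkim"), "spf": _text(rec, pe + "spf"),
            "header_from": _text(rec, "identifiers/header_from"),
            "reasons": [_text(r, "type") for r in rec.findall(pe + "reason")]})
    return meta, records

def summarize(records):
    """Per source IP: messages that passed DMARC vs. failed both aligned checks."""
    totals = {}
    for r in records:
        t = totals.setdefault(r["source_ip"], {"pass": 0, "fail": 0})
        # DMARC passes when either aligned DKIM or aligned SPF passes (policy_evaluated).
        t["pass" if "pass" in (r["dkim"], r["spf"]) else "fail"] += r["count"]
    return totals
```

Real reports arrive as gzip or zip attachments to the rua address, so unpack them before passing the XML text to parse_report().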
Final thoughts
Implementing DMARC is a complex but essential process for protecting your domain from unauthorized use and email spoofing. By securing your email infrastructure, you can safeguard your business reputation, improve email deliverability, and protect recipients from phishing and spam.