Frequently asked
questions

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a global email authentication best practice that safeguards email senders and recipients against email-based attacks like phishing, spoofing and impersonation.

DMARC builds on key authentication protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), with an additional security layer. It provides visibility of who is using a domain and allows a domain owner to specify the action receiving servers must take when an email fails authentication.

Once a domain is DMARC compliant, email receivers are able to report back to senders about the statuses of the emails they receive, such as whether they pass or fail authentication checks, or whether they’re delivered, quarantined or rejected.

The main purpose of DMARC is to give email domain owners a way to protect their domain from unauthorized use, also known as spoofing. By publishing a DMARC policy in their DNS records, domain owners can specify which mechanisms are used to authenticate email messages sent from their domain, and what to do if a message fails authentication. This allows receiving mail servers to check the authenticity of messages and prevent them from being delivered if they fail the authentication check.

– Safeguard your reputation
– Boost email visibility
– Improve deliverability
– Email branding with BIMI
– Compliance

DMARC works by adding a special TXT record to the DNS (Domain Name System) of an email domain, which specifies how the domain owner wants the receivers to handle the messages that claim to come from that domain.

The TXT record contains a set of tags and values that define the DMARC policy, such as the alignment mode, the percentage of messages to apply the policy to, the reporting options, and the desired actions for failed messages.

When a receiver gets an email from a domain that has a DMARC record, it first checks if the message has a valid SPF and DKIM signature, and then compares the domains used in those signatures with the domain in the From header of the message.

If the domains match, or align, according to the DMARC policy, the message passes the authentication. If not, the message fails the authentication and the receiver follows the action specified by the DMARC policy, such as reject, quarantine, or none.

Get a demo

An organization’s DMARC policy is part of the DMARC record that’s published in the DNS. It tells a receiving server what to do with an email that fails SPF and DKIM email authentication checks. There are three DMARC policies a domain owner can choose from:

p=none – Monitoring only

Allows a domain owner to monitor email traffic, receive reports on email sources and understand how emails are being handled, without actively enforcing any measures to be taken on emails that fail authentication. This policy is often used during DMARC implementation to ensure that it’s configured correctly before moving to a stricter policy. This will not affect email deliverability.

p=quarantine – Quarantines suspicious emails

In addition to sending reports, this policy tells a receiving server to quarantine an email that fails DMARC checks by placing it in the Spam or Junk folder instead of delivering it to the inbox. This policy allows an email that fails DMARC checks to be delivered but quarantines it for further investigation before it makes it to an inbox.

p=reject – Rejects emails that fail authentication

P=reject is the strictest DMARC policy. On top of sending reports, it guarantees complete protection for internal and external recipients of a business’s emails because it instructs recipient servers to outright reject emails that fail DMARC checks, ensuring that they don’t reach the inbox. All organizations should seek to have a p=reject policy, as it provides the strongest protection against fraudulent emails.

Get a demo

SPF, or Sender Policy Framework, is an email authentication check that validates the origin of an email. A domain owner authorizes a list of the IP addresses that are permitted to send email from that domain. When an email is received by a server, it can be verified as coming from an authorized source if it comes from an IP address allowed by the domain owner.

DMARC relies on SPF for verification that a sender is who they say they are, and it ties SPF and DKIM together with a set of policies that determine what should happen with the email if it does not pass SPF or DKIM authentication.

DKIM is an email authentication check to verify that an email hasn’t been tampered with during transit, that the headers of the email haven’t changed, and that the sender is the legal owner of the domain or authorized by the owner to send on their behalf.

An encryption key and digital signature are attached to every email sent from an authorized list of addresses and these are used to verify that the email message wasn’t altered or faked.

When configured correctly, SPF, DKIM and DMARC prove that an email sender is legitimate and that the message hasn’t been compromised, ensuring that only emails that have passed these authentication checks reach an inbox.

SPF is an email authentication check that validates the origin of an email. A domain owner authorizes a list of the IP addresses that are permitted to send email from that domain. When an email is received by a server, it can be verified as coming from an authorized source if it comes from an IP address allowed by the domain owner.

DMARC relies on SPF for verification that a sender is who they say they are, and it ties SPF and DKIM together with a set of policies that determine what should happen with the email if it does not pass SPF or DKIM authentication.

Learn more

DKIM is an email authentication check to verify that an email hasn’t been tampered with during transit, that the headers of the email haven’t changed, and that the sender is the legal owner of the domain or authorized by the owner to send on their behalf.

An encryption key and digital signature are attached to every email sent from an authorized list of addresses and these are used to verify that the email message wasn’t altered or faked.

If an email passes SPF and DKIM authentication, a recipient can be 100% certain that both the sender and the message are authentic.

Learn more

Implementing DMARC can be somewhat complex, as it involves publishing a DMARC policy in your DNS records and regularly monitoring your DMARC reports. If you’re not familiar with DNS and email authentication mechanisms, it’s ideal to work with an organization like Sendmarc to help set up your DMARC policy. The Sendmarc tools also give you the visibility needed to monitor the progress on all your active domains (or customer domains) on an ongoing basis. Additionally, Sendmarc provides tools which make the management of SPF, DKIM and DMARC much easier.

DMARC reporting is a hugely valuable feature of the DMARC email authentication protocol that allows domain owners to gain insights into email sending activities using their domain. This reporting mechanism provides data on which emails are passing or failing DMARC checks, which helps in identifying both legitimate email sources and potentially fraudulent activities.

Benefits of DMARC reporting include:

– Early threat detection
– Enhanced visibility and control
– Increased email deliverability

Read more on this here.

There are two types of DMARC reports:

1. Aggregate reports (RUA): These are usually sent daily or weekly and provide a detailed overview of email authentication data collected from various sources. This includes a view of all email traffic, information on IPs sending emails on behalf of the domain, and each email’s authentication status. RUA reports are useful for monitoring trends and identifying potential issues.

2. Forensic reports (RUF): These are sent in real-time or near-real-time and provide detailed information about individual email failures to assist in incident investigation. RUF reports include email headers, body, and authentication results.

Through DMARC reporting, organizations can monitor and protect their domains from unauthorized use, improving email security by preventing email spoofing and phishing attacks. This helps in maintaining the integrity of the email ecosystem and the organization’s communication channels.

Yes. SPF and DKIM help protect against email-based attacks that use forged sender addresses or rely on editing the contents of an email. By implementing both these protocols and monitoring their records, domain owners can help protect their domains from being used in these types of attacks. However, it’s important to note that SPF and DKIM alone aren’t a complete solution for protecting against email-based attacks, and should be used in conjunction with DMARC, user awareness training, and the implementation of a secure email gateway.

Brand Indicators for Message Identification (BIMI) is an email authentication protocol that’s additional to DKIM, SPF and DMARC. An organization can’t implement BIMI unless it is DMARC compliant with a p=reject policy.

BIMI is a type of email branding that allows for the display of a company’s logo beside emails in recipient inboxes. It improves email impact, instantly providing brand recognition and credibility, and boosts trust by letting recipients know that an email is from a legitimate sender.

BIMI also lets the receiving servers authorize legitimate emails as it adds a corresponding DNS record. It acts as an extra anti-fraud measure against email spoofing, phishing and impersonation. The BIMI protocol has protection against illegitimate senders spoofing logos, making it an extremely powerful protection tool for companies committed to the security of all internal and external stakeholders.

Once an organization has implemented BIMI, a cybercriminal can’t copy or display its logo in a recipient’s inbox because their fraudulent email will not be approved and will never reach the inbox. This means that recipients can confidently associate emails displayed with a company’s logo as trustworthy, because BIMI adoption is only possible with the strongest authentication protocols in place.

Learn more

Sendmarc and your SEG complement each other in multiple ways. By implementing DMARC with Sendmarc, you’ll provide your SEG with additional signals to effectively identify and reject impersonation emails.

Additionally, Sendmarc will protect your domain from impersonation attempts outside the perimeter of your SEG. This means that every company and individual that receives email from your domain will be able to easily distinguish between legitimate email and an attacker’s attempts to impersonate your organization. While your SEG is a crucial component of your security strategy, Sendmarc enhances that protection by ensuring that only real email is delivered, shielding your staff and the rest of the world.

As stated by Google, starting February 2024 all Gmail senders must:

1. Have DKIM or SPF email authentication protocols set up for your domain. Get in touch, we can help.
2. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
3. Use a TLS connection for transmitting email.
4. Avoid ever reaching a spam rate of 0.3% or higher.
5. Format messages according to the Internet Message Format standard (RFC 5322).
6. Never impersonate Gmail From: headers. Sending email from any platform or email-sending service other than a Google platform (E.g. Mailchimp, SendGrid or Zendesk) with a From: address with the gmail.com domain qualifies as impersonating Gmail From: headers. To prevent this Google will start enforcing a DMARC quarantine policy. So, for example, if you’re using joeplumbing@gmail.com to send business emails instead of info@joeplumbing.com, AND sending emails from any platform other than Gmail, those emails are likely to land in Spam or Junk folders.
7. Add ARC headers to outgoing email, especially if you regularly forward email, including using mailing lists or inbound gateways. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

As stated by Yahoo, starting February 2024 all Yahoo senders must:

1. Authenticate email by implementing SPF or DKIM at a minimum
2. Keep spam rate below 0.3%
3. Have a valid forward and reverse DNS record for sending IPs
4. Comply with RFCs 5321 and 5322

Microsoft may be involved in DMARC, but there are areas where its platform and services fall short when it comes to solving DMARC-related issues. Microsoft’s two primary roles in the DMARC ecosystem include sending reports and enforcing DMARC, which are required, but not enough, for a domain owner to achieve DMARC compliance.

Sendmarc complements Microsoft’s work in two ways:

1. Reporting: Our platform gathers and enriches DMARC data sent to it from thousands of email receivers worldwide. It then summarizes, enriches, and visualizes all the DMARC data generated by your domain and displays it in one place for easy viewing, giving you understandable and actionable insights for protection.
2. Configuration: While Microsoft will honor DMARC, SPF, and DKIM, it’s up to the domain owner (with the help of a platform like Sendmarc) to ensure that these standards are configured correctly. If not, Microsoft will reject legitimate emails, causing delivery issues. So, while Microsoft will reject emails that fail DMARC, it’s up to the domain owner to ensure that your domain has the correct instructions for Microsoft to be able to do that.

While Microsoft’s role in DMARC is critical in securing your organization against inbound threats, the journey to complete DMARC protection requires more. It calls for your business to interpret reports from all providers, configure all platforms for DMARC compliance (not just Microsoft), and maintain complete DMARC, SPF, and DKIM records for ultimate protection against cyberthreats.