Summary
What is DMARC?
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that enhances the security of email communication by preventing email spoofing and phishing attacks. DMARC works in collaboration with two existing email authentication technologies: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
Why DMARC?
- Authentication: DMARC adds an additional layer of authentication to verify that the sender of an email is legitimate.
- Phishing Protection: It helps protect against phishing attacks by ensuring that emails sent from a domain are authorized and have not been tampered with.
- Brand Protection: DMARC helps protect your brand reputation by reducing the likelihood of malicious actors impersonating your domain.
- Gmail and Yahoo's Email Security Initiatives for 2024: In an ongoing commitment to fortify email inboxes, both Gmail and Yahoo have announced the implementation of new protection standards for bulk email senders. To find details on this matter, kindly refer to the following guide.
DMARC Tags
DMARC tags are key components within a DMARC record. They help define the DMARC policy for a domain, specifying how receivers should handle emails that claim to be from that domain. Here are some important DMARC tags:
DMARC Policies for Unauthenticated Messages
These policies are set in the "p" tag of the DMARC record and define the action to be taken when DMARC authentication fails. Choose the policy that aligns with your organization's security requirements and risk tolerance.
Once you are confident in the authentication of your traffic, you can progress to more restrictive options like "p=quarantine" or the strictest "p=reject." Please exercise caution with the "p=reject" policy, as it can significantly impact all traffic sent from your domain and should only be set if you are absolutely certain of its appropriateness.
Understanding DMARC Alignment and its Crucial Role
DMARC operates on the principle of alignment, determining the validity of a message based on how closely the "From:" header matches the sending domain specified by SPF or DKIM.
While SPF and DKIM are well-known technologies, it's vital to recognize that individually, they don't directly influence the From address - the part visible to users in an email. This gap leaves room for phishing, spoofing, and other malicious activities. DMARC acts as a crucial control, addressing these vulnerabilities and enhancing email security.
Identifier alignment lies at the core of DMARC, bridging the authentication mechanisms of SPF and DKIM with the enforcement policy outlined in the DMARC record. Alignment specifically refers to the relationship between the domain in the From Header address and the domains verified by SPF and DKIM authentication checks. Successful alignment ensures that these domains match, allowing emails to pass DMARC. Conversely, a domain mismatch leads to a DMARC failure.
Let's explore alignment through the following examples:
Aligning your email correctly signals to the outside world that a specific vendor (in this case Mailjet) or server is explicitly authorized to send emails on behalf of your organization. Achieving alignment ensures that only approved emails are delivered, allowing you to instruct email receivers to discard unauthorized messages. Without alignment, uncertainty arises when email receivers attempt to verify the origin and trustworthiness of a message.
As DMARC operates on a domain basis, configuring every source that sends email on your behalf is essential. Access your organization's DNS and coordinate with Mailjet to align your email-sending configurations. Given the unique variations in configuration methods, understanding how to identify, organize, and manage these sources within your email ecosystem is crucial.
Your ultimate objective is to achieve near 100% alignment. Subsequently, implement an increasingly restrictive DMARC policy, progressing from p=none to p=quarantine to p=reject.
DMARC Alignment Options
Alignment Modes
You have the flexibility to choose between two alignment modes: strict and relaxed. The alignment mode is specified in the DMARC record using the "aspf" and "adkim" tags for SPF and DKIM, respectively.
This choice aims to provide flexibility and accommodate common email sending scenarios. While "strict" alignment can offer enhanced protection against certain spoofing scenarios, it might lead to rejections or spam designation for messages from associated subdomains.
Strict Alignment:
- SPF (Sender Policy Framework): Requires an exact match between the "Header From" domain and the "Return Path" domain.
- DKIM (DomainKeys Identified Mail): Requires an exact match between the "Header From" domain and the DKIM signature domain.
Relaxed Alignment:
- SPF (Sender Policy Framework): Requires an exact OR partial match between the "Header From" domain and the "Return Path" domain. In SPF alignment, a partial match occurs when the "Header From" domain and the "Return Path" domain share the same parent/root domain.
  Example:
  - "Header From" domain = yourdomain.com
  - "Return Path" domain = bnc3.yourdomain.com
  While it's not an exact match, it's a partial match because "yourdomain.com" is the parent/root domain of both the "Header From" and "Return Path" domains. In this scenario, SPF alignment will PASS in relaxed mode.
- DKIM (DomainKeys Identified Mail): Requires an exact OR partial match between the "Header From" domain and the DKIM signature domain. In DKIM alignment, a partial match occurs when the "Header From" domain and the DKIM signature domain share the same parent/root domain.
  Example:
  - "Header From" domain = yourdomain.com
  - DKIM signature domain = test.yourdomain.com
  While it's not an exact match, it's a partial match because "yourdomain.com" is the parent/root domain of both the DKIM signature domain and the "Header From" domain. In this scenario, DKIM alignment will PASS in relaxed mode.
For instance, a "Return Path" domain of "bnc3.yourdomain.com" differs from your From header domain, which is typically "yourdomain.com"; relaxed mode still treats the two as aligned because they share the same parent domain. This balanced approach optimizes email authentication while acknowledging specific domain distinctions.
Relaxed alignment provides sufficient protection against spoofing, and it is commonly used to prevent unnecessary rejections or spam classification.
On the other hand, with DKIM, achieving a "strict" alignment match is feasible when configured correctly with Mailjet.
To gain further insights on configuring your SPF and DKIM correctly with Mailjet to achieve optimal DMARC check alignment, consult our guide.
DMARC Checks
For a message to pass DMARC, it must successfully pass at least one of the following checks:
- SPF authentication and SPF alignment.
- DKIM authentication and DKIM alignment.
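The alignment rules above and the "pass at least one of the two checks" rule can be written down as a small evaluator. The following is an added example, not Mailjet's code or a receiver's implementation: it determines the parent/root domain by keeping the last two labels, which is a deliberate simplification (real receivers consult the Public Suffix List, so "co.uk"-style suffixes are not handled here), and the function and parameter names are this example's own.

```python
# Added example: DMARC identifier alignment (aspf/adkim strict vs relaxed)
# and the DMARC pass rule. Not Mailjet code.

def organizational_domain(domain: str) -> str:
    """Return the parent/root domain used for relaxed alignment.

    Simplification for this example: keep the last two labels, so
    'bnc3.yourdomain.com' -> 'yourdomain.com'. Multi-label public suffixes
    such as 'co.uk' are NOT handled; a real evaluator uses the Public
    Suffix List (RFC 7489 section 3.2).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, authenticated_domain: str, mode: str = "r") -> bool:
    """Identifier alignment as selected by the aspf / adkim tags.

    mode 's' (strict):  the two domains must match exactly.
    mode 'r' (relaxed): the two parent/root domains must match.
    """
    hf = header_from.lower().rstrip(".")
    ad = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    if mode == "r":
        return organizational_domain(hf) == organizational_domain(ad)
    raise ValueError(f"unknown alignment mode {mode!r}")


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain,
                   aspf="r", adkim="r") -> dict:
    """Combine authentication results with alignment.

    spf_domain is the Return-Path (RFC5321.MailFrom) domain SPF checked;
    dkim_domain is the d= domain of the verified DKIM signature (None if
    there was no signature). DMARC passes if SPF *or* DKIM both
    authenticated and aligned.
    """
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(header_from, spf_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, adkim))
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    # The page's own relaxed-mode example: Return-Path under a subdomain.
    print(evaluate_dmarc("yourdomain.com", "pass", "bnc3.yourdomain.com", "fail", None))
    # Same message under strict SPF alignment (aspf=s) now fails DMARC.
    print(evaluate_dmarc("yourdomain.com", "pass", "bnc3.yourdomain.com", "fail", None, aspf="s"))
```

The last two calls show why the page warns about strict mode: a perfectly legitimate bounce domain like bnc3.yourdomain.com passes under relaxed alignment but fails under strict, while an SPF pass for an unrelated Return-Path domain never rescues a message whose From header is yours.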
Important Note
While relaxed alignment typically provides sufficient protection against spoofing, adopting strict alignment may lead to the rejection or classification as spam of messages from associated subdomains.
Setting Up DMARC
Step 1: DNS Record Setup
- Access Your DNS Settings:
  - Log in to your domain registrar or DNS hosting provider.
- Create a DMARC TXT Record:
  - Add a DMARC TXT record to your DNS settings. The record should specify the policy for handling emails that fail DMARC authentication.
  - The TXT record host/name should be "_dmarc.yourdomain.com" with "yourdomain.com" replaced by your actual domain name or subdomain.
  - Ensure that the record type is set to 'TXT', the host/name is configured as '_dmarc', and the TXT value matches the record provided below.
  - Important: Some domain hosts automatically add the domain name after _dmarc. After you add the TXT record, verify the DMARC TXT record name to make sure it's formatted correctly.
  - We recommend using the default TTL.
  Example DMARC TXT Record Value:
  v=DMARC1; p=none; rua=mailto:your@email.com; ruf=mailto:your@email.com
  - v=DMARC1: Indicates the use of DMARC version 1.
  - p=none: Specifies the policy if an email fails DMARC. Options include "none," "quarantine," and "reject."
- Specify Aggregate and Failure Reporting Addresses:
  - rua=mailto:your@email.com: This email address will receive aggregate reports.
  - ruf=mailto:your@email.com: This email address will receive failure reports.
Step 2: Gradual Implementation
After the initial implementation, the crucial step is to monitor the authentication of your traffic (p=none). Review DMARC aggregate and/or forensic reports daily. As you accumulate enough data demonstrating successful authentication of legitimate emails, you can confidently proceed with gradually implementing a stricter DMARC policy ("p=quarantine" or "p=reject"). This phased approach enhances your email security over time.
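Reviewing aggregate reports daily is easier with a script that reduces each report to a pass rate and a list of failing sources. The block below is an added example, not Mailjet's tooling: the report XML is a constructed sample in the RFC 7489 aggregate-report layout (org name, report id, IPs and counts are all made up), and the 98% readiness threshold is this example's own assumption standing in for the page's "near 100% alignment" target.

```python
# Added example: summarise a DMARC aggregate (rua) report. Not Mailjet code.
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 Appendix C XML layout.
# The receiver name, report id, addresses and counts are invented.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>bnc3.yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>unrelated.example</domain><result>fail</result></dkim>
      <spf><domain>unrelated.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text: str) -> dict:
    """Total message counts and list the sources that failed DMARC.

    In <policy_evaluated>, <dkim> and <spf> already carry the *aligned*
    results, so a row passes DMARC when either of them is 'pass'.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "passing": 0,
        "failing": 0,
        "failing_sources": {},
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        ip = rec.findtext("row/source_ip")
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        summary["total"] += count
        if dkim == "pass" or spf == "pass":
            summary["passing"] += count
        else:
            summary["failing"] += count
            summary["failing_sources"][ip] = summary["failing_sources"].get(ip, 0) + count
    summary["pass_rate"] = (round(100 * summary["passing"] / summary["total"], 1)
                            if summary["total"] else 0.0)
    return summary


def ready_for_stricter_policy(summary: dict, threshold: float = 98.0) -> bool:
    """Assumed readiness rule for moving from p=none towards p=quarantine."""
    return summary["pass_rate"] >= threshold


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print(s)
    print("ready to tighten policy:", ready_for_stricter_policy(s))
```

A failing source is not automatically an attacker: in the sample, 198.51.100.7 could just as well be a forgotten newsletter tool that is not yet in your SPF record or not signing with your DKIM key. The point of the p=none phase is to identify each such source and either authorize it or confirm it is not yours before tightening the policy.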
Step 3: Adjusting Policy
- Transition to Quarantine or Reject:
  - Once confident in the results, adjust the DMARC policy to "quarantine" or "reject" to protect against unauthorized emails.
Example DMARC TXT Record Value for Reject:
v=DMARC1; p=reject; rua=mailto:your@email.com; ruf=mailto:your@email.com
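Before publishing either of the record values shown in Step 1 and Step 3, it is worth checking the string for the mistakes that silently disable DMARC (a misplaced v= tag, a misspelled policy, a report URI that is not a mailto: address). The following parser and checker is an added example, not Mailjet's code; besides the tags on this page (v, p, rua, ruf, aspf, adkim) it also accepts the standard sp and pct tags, and it validates syntax only, not whether the record is actually published in DNS.

```python
# Added example: parse and sanity-check a DMARC TXT record value. Not Mailjet code.
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
MAILTO_URI = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    return tags


def validate_dmarc_record(txt: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    tags = parse_dmarc_record(txt)

    # v=DMARC1 must be the first tag, exactly as shown in the page's examples.
    first = txt.strip().split(";", 1)[0].strip()
    if first != "v=DMARC1":
        problems.append("record must begin with v=DMARC1")

    if "p" not in tags:
        problems.append("required tag p is missing")
    elif tags["p"].lower() not in VALID_POLICIES:
        problems.append(f"p has unknown value {tags['p']!r}")

    # sp (subdomain policy) takes the same values as p.
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append(f"sp has unknown value {tags['sp']!r}")

    for tag in ("aspf", "adkim"):
        if tag in tags and tags[tag].lower() not in VALID_ALIGNMENT:
            problems.append(f"{tag} must be 'r' or 's', got {tags[tag]!r}")

    # rua/ruf are comma-separated lists of mailto: URIs.
    for tag in ("rua", "ruf"):
        if tag in tags:
            for uri in tags[tag].split(","):
                if not MAILTO_URI.fullmatch(uri.strip()):
                    problems.append(f"{tag} entry {uri.strip()!r} is not a mailto: address")

    # pct, when present, is an integer percentage of messages the policy applies to.
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct must be an integer 0-100, got {tags['pct']!r}")

    if "rua" not in tags:
        problems.append("no rua tag: you will receive no aggregate reports to monitor")
    return problems


def enforcement_level(txt: str) -> str:
    """Return the published policy ('none', 'quarantine' or 'reject')."""
    return parse_dmarc_record(txt)["p"].lower()


if __name__ == "__main__":
    for record in (
        "v=DMARC1; p=none; rua=mailto:your@email.com; ruf=mailto:your@email.com",
        "v=DMARC1; p=reject; rua=mailto:your@email.com; ruf=mailto:your@email.com",
        "p=rejct; v=DMARC1; rua=your@email.com",  # constructed broken record
    ):
        print(record, "->", validate_dmarc_record(record) or "OK")
```

Run against the two record values from this page the checker reports nothing, while the constructed broken record trips three separate rules, which is the kind of feedback to get before the record goes live rather than from a week of confusing reports.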
Best Practices
- Implement SPF and DKIM:
  - Ensure that Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are correctly configured.
- Gradual Policy Implementation:
  - Begin with a "none" policy, analyze reports, and gradually move to "quarantine" or "reject."
- Regularly Monitor Reports:
  - Stay informed about email authentication results through DMARC reports.
- Update SPF and DKIM Records:
  - Regularly update SPF and DKIM records to include all legitimate email sources.
Conclusion
Implementing DMARC is a crucial step in securing your email communication, preventing phishing attacks, and safeguarding your brand reputation. Regularly monitor reports, adjust policies as needed, and stay proactive in maintaining a secure email environment.
Remember, the success of DMARC implementation lies in continuous monitoring, analysis, and adaptation to evolving email threats.