Domain-based Message Authentication, Reporting and Conformance, aptly shortened to DMARC, is a free and open email security protocol. It authenticates an email by checking that the SPF or DKIM result aligns with the domain shown in the message's From header. Putting DMARC in place allows domain owners to defend against business email compromise, phishing attacks, and spoofing.
Businesses can institute a policy in their DMARC record and tell the online world how unauthorised use of their email domains will be handled. Your IT team can create these policies, or if your organisation does not have one in place, you can enlist the aid of IT consultancy services.
How Does DMARC Work?
DMARC has the following three policies:
The first policy (p=none) monitors all of your email traffic.
- Outbound emails are monitored without affecting current arrangements
- Information is gathered, and an implementation plan is set
- Your IT department must have the processes to manage and disseminate information
- Open lines of communication will need to be available between email administrators, which includes external agencies and IT consultancy services
- Set up external feedback and aggregate report monitoring
- Assess security compliance
The second policy (p=quarantine) sends all unauthorised emails to the spam folder.
- All emails that do not follow implemented policy are sent to quarantine
- You can address edge cases before setting a policy to reject
The third policy (p=reject) blocks all unauthorised emails.
- DMARC is now implemented and operational in full, as any email that doesn’t follow your policy can be rejected
SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) is necessary to deploy DMARC. As an email authentication protocol, SPF allows your company to specify which mail servers are authorised to send email on behalf of the domain. It is also a part of email cybersecurity used to stop phishing attacks.
DKIM is an email security standard that helps detect whether alterations to messages, both sent and received, have been made while in transit. At least one has to be in place for the email domain.
A published DMARC record in the DNS is required to deploy DMARC. A DMARC record tells the online world your email policies, and receivers apply it depending on the status of the SPF and DKIM checks. If one or both pass and the passing identifier aligns with the From header domain, DMARC authenticates the message. However, it is also possible for both SPF and DKIM to pass while DMARC fails: this happens when neither passing identifier is aligned with the From domain, for example when a third-party service sends using its own domain for the SPF envelope and DKIM signature.
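The alignment rule above is easiest to see in code. The following is an added example, not code from the original article: it evaluates DMARC for a single message from the SPF and DKIM results a receiver has already computed, applies relaxed or strict alignment against the From domain, and maps a failure to the disposition that the published policy (p=none, p=quarantine or p=reject) requires. The public-suffix list is a constructed stub; a real receiver would consult the full Public Suffix List.

```python
"""DMARC evaluation for one message: does SPF or DKIM pass *and* align with the From: domain?

Added example. Assumptions: SPF and DKIM have already been verified by the receiver;
PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
"""

# Constructed subset of the Public Suffix List, enough for the examples here.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "gov.uk"}

DISPOSITIONS = {"none": "none", "quarantine": "quarantine", "reject": "reject"}


def organizational_domain(domain: str) -> str:
    """Return the organisational domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    # Find the longest public suffix present and keep exactly one label above it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    # No known suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   policy: str = "none", adkim: str = "r", aspf: str = "r"):
    """Return (dmarc_result, disposition).

    spf_domain  - the envelope MAIL FROM domain SPF was checked against
    dkim_domain - the d= tag of a DKIM signature that verified
    policy      - the p= value from the domain owner's DMARC record
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # DMARC fails: the domain owner's policy decides what the receiver does.
    return "fail", DISPOSITIONS[policy]


if __name__ == "__main__":
    # Both SPF and DKIM pass, but for the sending service's own domain, so DMARC fails.
    print(evaluate_dmarc("example.com", "pass", "esp.example.net",
                         "pass", "esp.example.net", policy="quarantine"))
    # Subdomain return path is fine under relaxed alignment.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "fail", ""))
```

With p=none the second element is always "none", which is why the monitoring phase described above is safe to deploy first: a failing message is only reported, never quarantined or rejected.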
Aggregate XML reports are received at the reporting email address listed within the DMARC record. They provide insight into the movement and flow of your emails, allowing you to identify every sending source in use on your domain. XML reports can be tricky to read by hand, but a DMARC reporting tool can turn them into a visual representation of the email domain's usage and of the actions you need to take to move the DMARC policy towards p=reject.
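To show what an aggregate report actually contains and how the "sources in use" view is derived from it, here is an added example (not part of the original article). It parses a constructed aggregate report in the RFC 7489 XML layout, totals the messages that passed or failed DMARC, and lists the sending IPs that failed both aligned checks; those are the ones to investigate before moving beyond p=none. The report content, IP addresses and domains are all constructed sample data.

```python
"""Summarise a DMARC aggregate (rua) report.

Added example. SAMPLE_REPORT is a constructed report in the RFC 7489 layout;
a real report arrives as a gzip or zip attachment from each receiving organisation.
Reports come from third parties, so a production parser should use defusedxml
instead of the stdlib parser used here for portability.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unknown-sender.example</domain><result>none</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str):
    """Return (policy_published dict, list of per-source rows)."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # These are the *aligned* results the receiver used for DMARC.
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return policy, rows


def summarise(rows):
    """Return ({'pass': n, 'fail': m}, {source_ip: count}) for sources failing DMARC."""
    totals = defaultdict(int)
    failing = {}
    for r in rows:
        passed = r["dkim"] == "pass" or r["spf"] == "pass"
        totals["pass" if passed else "fail"] += r["count"]
        if not passed:
            failing[r["source_ip"]] = r["count"]
    return dict(totals), failing


if __name__ == "__main__":
    policy, rows = parse_aggregate_report(SAMPLE_REPORT)
    totals, failing = summarise(rows)
    print(f"policy p={policy['p']}  totals={totals}")
    for ip, count in failing.items():
        print(f"investigate {ip}: {count} messages failed both aligned SPF and DKIM")
```

In the sample, 203.0.113.5 fails SPF but passes DKIM, which is the usual signature of a forwarder; DKIM survives forwarding while SPF does not, so that source still passes DMARC and needs no action. 198.51.100.7 fails both and is either an unauthorised sender or a legitimate system nobody has configured yet, which is exactly the edge case the quarantine phase is meant to surface.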
How To Implement DMARC
Here is a step-by-step method on how your business’ remote IT support services or IT support managed services partner can implement DMARC. Remember that interfaces vary between hosting providers, so they may not match your situation exactly.
To implement a DMARC record:
- Visit your DNS hosting provider and log in with the appropriate credentials.
- Locate the prompt for creating a new record or, if necessary, open the TXT section to edit.
- Once in the wizard for new record creation, there will be three fields: Host/Name, Record Type, Value.
- In the Record Type section there should be a dropdown menu. This is based on your hosting provider. You’ll want to select the TXT option.
- In the Host or Name field, add _DMARC. The hosting provider will likely append the domain or subdomain value.
- Two tag-value pairs, ‘v’ and ‘p’, are required in the Value field of every DMARC record. The ‘v’ tag must be v=DMARC1 and must come first. The ‘p’ tag can be set to none, quarantine, or reject.
- It is recommended that all new DMARC records start with p=none. This policy value will allow for identifying problems with email delivery brought about by SPF or DKIM. It will help ensure that emails are not accidentally sent to quarantine or rejected. To receive reports on email performance results, you can also include the ‘rua’ tag.
- It should look something like this: “v=DMARC1; p=none; rua=mailto:[email protected]”
- A semicolon must separate each tag, and the ‘rua’ tag can support multiple email addresses with each separated by a comma. Advanced tags are available but are not recommended during initial setup.
- Once all details are added, you can click the create button.
After creating the DMARC record, run a DMARC record check to verify that it is published correctly. IT consultancy services often provide DMARC checkers on their websites for public use. To fully implement DMARC, p=quarantine or p=reject will eventually be required. You can set up in-house remote IT support services for the task, or reach out to IT support managed services that can do it for you.
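The "record check" mentioned above does not need a third-party website; the rules in the steps (v=DMARC1 first, a required p= tag with one of three values, semicolon-separated tags, comma-separated mailto: addresses in rua=) are simple enough to verify locally. The following is an added example, not the article's or any provider's code: a validator that reports every problem it finds in a DMARC TXT value, also covering the optional sp, pct, adkim and aspf tags and the receiver size limit suffix (e.g. !10m) that RFC 7489 allows on report URIs. The addresses in the demo are constructed.

```python
"""Validate the text value of a _dmarc TXT record before (or after) publishing it.

Added example. The record strings in __main__ are constructed samples.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
# mailto:user@domain optionally followed by a size limit such as !10m (RFC 7489 section 6.2).
MAILTO_URI = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.IGNORECASE)


def parse_dmarc_record(txt: str):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:           # tolerate a trailing semicolon
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    return tags


def validate_dmarc_record(txt: str):
    """Return a list of human-readable problems; an empty list means the record is acceptable."""
    problems = []
    try:
        tags = parse_dmarc_record(txt)
    except ValueError as exc:
        return [str(exc)]
    values = dict(tags)

    # v=DMARC1 must be the first tag, exactly.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    # p= is required and limited to the three policies.
    if "p" not in values:
        problems.append("missing required p= tag")
    elif values["p"].lower() not in VALID_POLICIES:
        problems.append(f"p= must be none, quarantine or reject, not {values['p']!r}")
    if "sp" in values and values["sp"].lower() not in VALID_POLICIES:
        problems.append(f"sp= must be none, quarantine or reject, not {values['sp']!r}")
    # Report URIs: one or more comma-separated mailto: addresses.
    for tag in ("rua", "ruf"):
        if tag in values:
            for uri in values[tag].split(","):
                if not MAILTO_URI.fullmatch(uri.strip()):
                    problems.append(f"{tag}= entry is not a mailto: URI: {uri.strip()!r}")
    if "pct" in values and not (values["pct"].isdigit() and 0 <= int(values["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    for mode in ("adkim", "aspf"):
        if mode in values and values[mode].lower() not in ("r", "s"):
            problems.append(f"{mode}= must be r (relaxed) or s (strict)")
    keys = [k for k, _ in tags]
    for dup in sorted({k for k in keys if keys.count(k) > 1}):
        problems.append(f"tag {dup}= appears more than once")
    unknown = sorted(k for k in keys if k not in KNOWN_TAGS)
    if unknown:
        problems.append(f"unknown tags: {', '.join(unknown)}")
    return problems


if __name__ == "__main__":
    for record in (
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "p=none; v=DMARC1; rua=dmarc-reports@example.com",   # two mistakes
        "v=DMARC1; p=block",
    ):
        print(record, "->", validate_dmarc_record(record) or "OK")
```

To check a record that is already published, fetch the TXT value with a resolver (for example `dig +short TXT _dmarc.example.com`), strip the surrounding quotes, and pass the string to validate_dmarc_record. Remember that DNS changes propagate over time, so an immediate lookup may still show the old record.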
Why Use DMARC for Email?
With more than 90% of all network attacks involving email, it is difficult to distinguish genuine emails from fake ones. Without DMARC, malicious emails can slip through unhindered. DMARC gives domain owners the power to protect their domain(s) from unauthorised use by fighting phishing, spoofing, CEO fraud, and Business Email Compromise.
DMARC allows operators to identify legitimate emails quickly and easily. Its anti-spoofing technology is a significant innovation over email filtering. So, instead of filtering out the “bad” emails, DMARC is designed to filter in only those emails considered “good”.
Email Spoofing Is a Major Issue in the UK
Spoofing emails trick users into believing the email is being sent from someone legitimate. In most cases, the “sender” is under the guise of being a relative, colleague, or vendor. The attacker will then elicit information from the recipient and use it for personal, often lucrative, use.
The UK government recognises the importance of DMARC. In 2012, the UK Government Digital Service issued guidelines on implementing DMARC for UK government services. Four years later, DMARC was enforced on service.gov.uk. Sadly, only 28% of all gov.uk domains had DMARC enabled by 2019.
As of 2022, the UK ranks third on the list of countries with DMARC-protected domains. However, most of the country’s domains are still not DMARC protected. Email spoofing continues to be a serious threat to UK businesses.
Receiving mail servers that check SPF and DKIM against a published DMARC reject policy will reject spoofed emails automatically.