What is DMARC?


DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email validation system designed to protect your company's email domain from being used for email spoofing, phishing scams and other cybercrime. DMARC builds on the existing email authentication techniques SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and adds an important function: reporting. When a domain owner publishes a DMARC record in their DNS, they gain insight into who is sending email on behalf of their domain. This information gives the domain owner a detailed picture of the email channel and lets them take control of the email sent on their behalf. In this way DMARC can be used to protect your domains against abuse in phishing or spoofing attacks.

As a website owner, you want to be sure that your visitors or customers only see emails that you have actually sent. DMARC is therefore a must for every domain owner. Securing your email with DMARC gives email receivers certainty about whether an email is legitimate and originated from you. This has a positive impact on email delivery and also prevents others from sending email using your domain.

History of DMARC


The DMARC standard was first published in 2012 to prevent email abuse. Several industry leaders worked together to create the DMARC specification: DMARC was created by PayPal together with Google, Microsoft and Yahoo!. These industry leaders came together to develop an operational specification, with the aim that it would be able to achieve formal standards status. They built the DMARC standard on the existing email authentication techniques SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

DMARC was originally developed as an email security protocol. At first it was mostly adopted by security experts in the financial industry. Since then DMARC adoption has grown and spread across the online landscape. Today DMARC is increasingly recognised by email marketers as an aspect of online security and improved deliverability.

DMARC is currently supported by all major ISPs (such as Google, Microsoft and Yahoo!). At the moment DMARC is awaiting approval to become an open standard approved by the Internet Engineering Task Force (IETF).

Why DMARC?


With almost 5 billion email accounts worldwide, no channel has a wider reach than email. That is exactly why cyber criminals like to use this channel for malicious purposes. Despite the better security measures taken in recent years to protect this channel, crime on it is increasing year by year. 95% of all hacking attacks and data breaches involve email.

This is where Domain-based Message Authentication, Reporting and Conformance (DMARC) adds value. DMARC not only provides full insight into email channels, it also makes phishing attacks visible. DMARC is more powerful still: it is capable of mitigating the impact of phishing and malware attacks, preventing spoofing, protecting against brand abuse and scams, and avoiding business email compromise. DMARC Analyzer enables organisations to deploy DMARC and simplifies their DMARC deployment process.

Studies show why DMARC is crucial:

  • $1.6 million on average is what one single spear phishing attack costs an organization
  • From 2013 to 2016 companies saw losses approaching $1.6 billion
  • $500 million every year is scammed through phishing attacks
  • Dealing with phishing attacks costs an average 10,000-employee company $3.7 million a year
  • The average employee wastes 4.16 hours a year on phishing scams
  • Between January 2015 and December 2016, dollar losses from phishing attacks climbed sharply, by 2370%
  • Just 3% of all users will report a phishing email to their management
  • More than 400 businesses are targeted by BEC scams every day
  • 76% of organizations reported that they were the victim of a phishing attack in 2016
  • 1 in 3 companies have been victims of CEO fraud emails
  • 70% of all global email is malicious
  • The volume of spam emails increased 4x in 2016
  • In Q3 2016 the share of phishing emails carrying ransomware grew to 97.25%, compared to 92% in Q1 2016
  • 9 out of 10 phishing emails carried some form of ransomware in March 2016
  • Fake invoice messages are the #1 type of phishing lure
  • The number of reported W-2 phishing emails in 2017 increased by 870%
  • 78% of people claim to be aware of the risks of unknown links in emails, and yet they click anyway
  • In 2016 over 400,000 phishing sites were observed each month on average
  • 30 percent of phishing emails get opened
  • In 2016, 1 out of 131 emails contained some form of malware, the highest rate in 5 years

DMARC Analyzer provides user-friendly DMARC analyzing software and acts as your expert guide to move you towards a reject policy as fast as possible.

Where does DMARC help?


Organizations and their clients are harmed by malicious emails sent on their behalf; DMARC can block these attacks. With DMARC an organization gains insight into its email channel. Based on that insight, organizations can work on deploying and enforcing a DMARC policy.

When the DMARC policy is enforced at p=reject, organizations are protected against:

  • Phishing attacks on the organisation's customers
  • Brand abuse and scams
  • Malware and ransomware attacks
  • Spear phishing and CEO fraud aimed at employees

With DMARC Analyzer organizations gain full insight into their email channel. Previously, organizations could only learn about phishing attacks after an attack had already happened, so full insight into the email channel is a big advantage of DMARC: with DMARC it becomes possible to see phishing attacks as they occur. This way, customers can be informed in advance and made aware of these attacks.


DMARC in practice


The main goal of DMARC is to detect and prevent email spoofing, for example phishing scams that use a bank's domain to send out email on its behalf. Customers of that bank think they have received a legitimate email telling them that their bank card is no longer valid. The link in the email leads to a fraudulent website that looks exactly like the real one, and logging in there hands your credentials to the cyber criminals.

Originally the email authentication techniques DKIM and SPF helped to protect your domains from scams like this. However, cyber criminals can bypass these security measures on their own. To fully secure your domain and email channel, DMARC creates a link between SPF, DKIM and the domain the recipient sees in the From: header. When you implement DMARC in your DNS you gain insight into your email channel: ISPs will provide aggregate (RUA) and forensic (RUF) DMARC reports on a daily basis, and these reports are sent to the email address published in your DMARC record. There are two types of DMARC reports, aggregate reports (RUA) and forensic reports (RUF):

Aggregate DMARC reports (RUA)

  • Sent on a daily basis
  • Provide an overview of email traffic
  • Include all IP addresses that have attempted to transmit email to a receiver using your domain name

Please refer to our article about aggregate DMARC reports for more in-depth information about aggregate DMARC reports.

Forensic DMARC reports (RUF)

  • Real time
  • Only sent for failures
  • Includes original message headers
  • May include original message

Please refer to our article about forensic DMARC reports for more in-depth information about forensic DMARC reports.

DMARC Analyzer provides a dashboard to monitor and analyse your SPF, DKIM and DMARC results. Publishing a DMARC record in your DNS by itself isn't enough to secure your domains. DMARC works with three policies, which make it possible for you to decide what happens with emails that fail the checks. The 'none' policy only collects data and monitors your current email channel. To enforce your email channel there are two more DMARC policies: the 'quarantine' policy delivers failing email to the receiver's spam folder, and the 'reject' policy goes a step further and does not deliver that email at all.

So DMARC makes it possible to secure your domains and lets you decide what must happen when an ISP's servers receive malicious email. Please note that DMARC is a very powerful solution to fully secure your email domain only when it is configured correctly. Moving to a quarantine or reject policy immediately can lead to a lot of false positives. Make sure everything is set up correctly before enforcing your domains. DMARC Analyzer offers 5 easy stages to help you secure your email channel.


Mitigate the impact of spoofing with DMARC


Within DMARC it is possible to instruct email receivers what to do with an email that fails the DMARC checks. In the DMARC record a policy can be defined that, depending on the setting, instructs an ISP how to handle emails that fail the DMARC checks. Email receivers check whether incoming messages have valid SPF and DKIM results and whether these align with the sending domain. After these checks a message is considered either DMARC compliant or DMARC failed. Once the email receiver has verified the authentication status of a message, it handles the message according to the DMARC policy that is set.

There are three possible DMARC policies: none (monitoring only), quarantine and reject.

Monitor policy: p=none

The first policy is the none (monitor) policy: p=none. The DMARC policy none instructs email receivers to send DMARC reports to the address published in the RUA or RUF tag of the DMARC record. This is known as a monitoring-only policy because with this (recommended starting) policy you gain insight into your email channel. The none policy gives insight into the email channel but does not instruct email receivers to handle emails failing the DMARC checks differently, which is why it is also known as the monitor policy. The none policy only shows who is sending email on behalf of a domain and will not affect deliverability.

Quarantine policy: p=quarantine

The second policy is the quarantine policy: p=quarantine. Besides sending DMARC reports, the DMARC policy quarantine instructs email receivers to put emails failing the DMARC checks in the receiver's spam folder. Emails that pass the DMARC checks are delivered to the receiver's primary inbox. The quarantine policy already mitigates the impact of spoofing, but spoofed emails are still delivered to the receiver (in the spam folder).

Reject policy: p=reject

The third policy is the reject policy: p=reject. Besides sending DMARC reports, the DMARC policy reject instructs email receivers not to deliver emails failing the DMARC checks at all. Emails that pass the DMARC checks are delivered to the receiver's primary inbox. This policy mitigates the impact of spoofing, since the reject policy makes sure that all incorrectly set up emails (spoofed emails) are deleted by the email receiver and never land in the receiver's inbox.

A DMARC policy is a request, not an obligation
It is important to note that a DMARC policy instructs receivers to handle emails according to that policy, but email receivers are not obligated to take the DMARC policy into account. Email receivers sometimes use their own local policy: when an email receiver has reasonable grounds to believe an email is legitimate, it may apply its own local policy instead. This means that an email failing the DMARC checks can still land in the receiver's primary inbox, despite the fact that you enforced the DMARC policy reject. Occasionally email receivers will override DMARC policies with a local policy.
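As an added example (not DMARC Analyzer's code), here is the receiver-side logic the three policies above rely on, in Python: parse the DMARC TXT record, check whether the passing SPF or DKIM identifier aligns with the From: domain, and return the DMARC result together with the disposition the p= tag requests. The record, addresses and domains are constructed, and the organizational-domain lookup is simplified (no Public Suffix List).

```python
def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment mode: r=relaxed (default), s=strict
    tags.setdefault("aspf", "r")   # SPF alignment mode
    tags.setdefault("pct", "100")  # percentage of failing mail the policy applies to
    return tags


def org_domain(domain):
    # Simplified organizational domain: the last two labels. A real evaluator
    # consults the Public Suffix List so that names like example.co.uk work.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict alignment needs an exact match with the From: domain; relaxed
    alignment only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition) for one message.

    DMARC passes when SPF passed AND aligns, or DKIM passed AND aligns. The
    disposition is only what p= requests; receivers may apply local policy."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]


# Constructed record for example.com (hypothetical addresses), as a sender
# would publish it at _dmarc.example.com once ready to enforce.
RECORD = parse_dmarc_record(
    "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com"
)
```

The alignment step is what closes the gap the text describes: SPF or DKIM can pass for some other domain, but DMARC only counts a pass whose domain matches the visible From: domain.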


Misunderstandings about DMARC


With DMARC an organization can block malware and phishing attacks and increase email deliverability. DMARC is powerful, but there are also some misunderstandings about DMARC:

DMARC is not a quick deliverability fix

By placing a DMARC record (and enforcing it), ISPs that have adopted DMARC will notice that you are working on improving the security of your email channel. Therefore ISPs that have adopted DMARC are more likely to let your emails land in the receiver's primary inbox. However, deploying a DMARC policy is not a quick email deliverability fix. Deploying and enforcing a DMARC policy can improve your deliverability, but this is not a guarantee.

Immediately enforcing to a reject policy is not a good idea

When an organization encounters a phishing attack carried out in its name, it is often tempted to lock down its email channel immediately by placing a DMARC record and enforcing it straight away as a 100% p=reject policy. This is indeed effective in blocking phishing attacks immediately, but it will also lead to legitimate email being lost. DMARC Analyzer's experience is that in 99% of cases, organizations do not have a compliance rate near 100% when they start with DMARC. DMARC Analyzer advises starting with a p=none policy, monitoring the results, improving SPF and DKIM authentication and only then enforcing the policy. Depending on the organization's infrastructure this process can take one to twelve months. We strongly discourage immediately enforcing a reject policy.

DMARC does not protect inbound email streams

DMARC is not designed to protect the inbound part of the email channel; DMARC protects the outbound part. However, DMARC does influence a small part of the inbound email channel: emails sent to colleagues are affected by DMARC, because they are still sent email (even though they stay inbound).

User-friendly DMARC analyzing software


DMARC Analyzer provides user-friendly DMARC analyzing software and acts as your expert guide to move you towards a reject policy as fast as possible. DMARC Analyzer provides a SaaS solution which empowers organisations to easily manage complex DMARC deployments. The solution provides 360° visibility and governance across all email channels. Everything is designed to make it as easy as possible. Download the datasheet for more information about DMARC Analyzer.
