What is DMARC and what is this record used for?


DMARC (Domain-based Message Authentication, Reporting and Conformance) was developed to limit the misuse of email, in particular mail spoofing. The specification addresses a long-standing gap in email authentication: neither SPF nor DKIM on its own ties the authentication result to the "From:" header that the recipient actually sees. DMARC requires that the authenticated domain matches ("aligns with") the domain in that header.

With DMARC, you define for your domain how receiving servers should authenticate incoming emails and what they should do with a message that fails authentication. The receiving server uses both the SPF and the DKIM results of the message for the check. SPF specifies which hosts may send mail on behalf of a domain, and DKIM ensures that the signed parts of the message arrive unchanged from the signer. DMARC adds two things: the authenticated domain must align with the domain in the "From:" header, and the domain owner can publish a policy that tells the recipient how to handle mail that fails this check. Recipients that implement DMARC therefore verify the authenticity of such mail consistently.


Which attacks can be prevented with DMARC?

  • Domain spoofing
    To make an email appear legitimate, an attacker can spoof the domain of a company.
  • Email spoofing
    In order to make an email appear legitimate, an attacker can forge the sender in the "FROM:" header of an email.
  • Business Email Compromise (BEC)
    In this attack, the attacker pretends to be an executive of a company and asks "his" employee to send either money or confidential information to him.
  • Impostor e-mails
    In a fake e-mail, the attacker pretends to be someone else.
  • Phishing e-mails
    With an e-mail, an attacker tries to get his victim to install malware on his device or provide secret access data. The attacker uses the layout and wording of a well-known company/organization to make the message appear genuine.
  • Consumer phishing
    This involves sending a fake email to a company's customers in order to obtain their payment details.
  • Partner spoofing
    With the help of fake business emails to a partner in a company's supply chain, an attacker tries to change the payment details in order to siphon off money.
  • Whaling
    Whaling involves sending a fake email to a company executive in order to obtain large sums of money.

How do DMARC, SPF and DKIM work together?

The Sender Policy Framework (SPF) is an email verification process that enables companies to determine which hosts are authorized to send emails for their domains. For this purpose, an SPF record is created in the Domain Name System (DNS), which lists the authorized sending hosts.

The SPF record lists the authorized IP addresses of the senders, including those of service providers who are authorized to send emails on behalf of the company. Publishing and verifying SPF records is an effective measure against phishing attacks and other threats posed by spoofed "from" addresses and domains.

DomainKeys Identified Mail (DKIM) is another authentication method for emails that enables the recipient to check whether an email was actually signed by the owner of the specified domain. For this purpose, a digital signature is attached to the email, which is verified using a public key stored in the DNS of the signing domain. A valid signature guarantees that the signed headers and the body have not been changed after signing.

Both SPF and DKIM help to ensure the authenticity of emails and prevent threats such as spoofing and phishing. In combination with DMARC, which is published as a DNS record, these mechanisms specify how recipient servers should handle emails that fail SPF or DKIM checks. DMARC allows domain owners to set policies that determine whether unauthenticated emails should be quarantined or rejected. This increases control over the delivery of emails and reduces the risk of fraud.


How is DMARC structured?

DMARC uses, like DKIM and SPF, a TXT record in the DNS. The record is published at the "_dmarc" subdomain of the sender domain (for "test.de" this is "_dmarc.test.de") and describes the DMARC policy for that domain. Below you will find an example of how the DMARC record of the domain "test.de" might look:

v=DMARC1;p=quarantine;pct=100;rua=mailto:RUA@test.de;ruf=mailto:RUF@example.org;adkim=s;aspf=r
Parameter  Meaning                                                 Specification  Allowed values
v          Protocol version                                        required       "DMARC1"
pct        Percentage of failing messages the policy is applied to optional       integer between 0 and 100 (default 100)
ruf        Address that receives failure (forensic) reports        optional       "mailto:mailaddress@YOURDOMAIN.tld"
rua        Address that receives aggregate reports                 optional       "mailto:mailaddress@YOURDOMAIN.tld"
rf         Failure report format                                   optional       "afrf" (default and the only registered format)
p          Policy for mail from the domain itself                  required       "none", "quarantine" or "reject"
sp         Policy for mail from subdomains                         optional       "none", "quarantine" or "reject" (default: the value of p)
adkim      Alignment mode for DKIM                                 optional       "r" (relaxed, default) or "s" (strict)
aspf       Alignment mode for SPF                                  optional       "r" (relaxed, default) or "s" (strict)
fo         Failure reporting options                               optional       "0" (default), "1", "d", "s"


  • The value for v must always be "DMARC1".
  • For ruf or rua you can enter any valid email address at which you want to receive the reports. If the reports are to go to an address in a different domain, the owner of that external domain has to confirm that they want to receive reports for your domain; otherwise receivers will not send them. This is done via a TXT record in the external domain.
    Example: DMARC is set up for the domain "beispiel.de" and the reports are to be sent to "dmarc@example.com". With the following TXT record the owner of the domain "example.com" confirms that they want to receive the reports:
    beispiel.de._report._dmarc.example.com IN TXT "v=DMARC1"
  • The p and sp parameters specify how the receiving mail server should react if the DMARC check fails; p applies to the domain itself, sp to its subdomains. With none, no action is taken and the message is accepted (reports are still generated). With quarantine, the message is treated as suspicious, which usually means it is moved to the spam folder. With reject, the message is refused by the receiving server.
  • The alignment modes for DKIM and SPF have a special meaning. For SPF, DMARC requires, first, that the SPF check passes and, second, that the domain SPF checked (the envelope sender, i.e. the MAIL FROM domain) aligns with the domain in the "From:" header of the email. For DKIM, the signature must be valid and, in addition, the signing domain named in its d= tag must align with the domain in the "From:" header. The alignment modes are s for "strict" and r for "relaxed". With "strict" the two domains must match exactly; with "relaxed" it is enough that both belong to the same organizational domain, so the authenticated domain may be a subdomain of the "From:" domain or vice versa.
  • The fo parameter controls when a failure report should be generated (such reports are only sent if ruf is set). The default value 0 generates a report when all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned "pass" result. With value 1, a report is generated if any of the underlying mechanisms (SPF or DKIM) returns anything other than an aligned "pass" result. The value d requests a report if the message carried a DKIM signature that failed verification, regardless of its alignment. The value s requests a report if the message failed the SPF evaluation, regardless of its alignment. Multiple values are separated with a colon, e.g. fo=1:d:s.
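The record format, the tag defaults, the alignment modes and the fo options described in this section can be turned into a small evaluator. The following is an added example (not code from the original page or from any DMARC tool); it parses a DMARC TXT record, applies the RFC 7489 defaults, and decides what a receiver would do with a message given its SPF and DKIM results. The organizational-domain lookup is a deliberate simplification (last two labels instead of the Public Suffix List), and the sample inputs in the `__main__` block are constructed for the demonstration.

```python
"""Added example: parse a DMARC record and evaluate a message against it.

Implements the rules described in the text: tag defaults (RFC 7489 section 6.3),
identifier alignment (section 3.1), p/sp selection, pct sampling (section 6.6.4),
fo reporting options and the external report destination record (section 7.1).
"""

# Defaults for tags that are absent from the record. sp defaults to p (set below).
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf"}
VALID_P = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=...' into a dict with defaults applied.

    Raises ValueError for records a receiver would treat as missing. Per RFC 7489
    section 6.6.3 an invalid p (or sp) is tolerated as p=none when rua is present.
    """
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_P or ("sp" in tags and tags["sp"] not in VALID_P):
        if "rua" not in tags:
            raise ValueError("p is required (none, quarantine or reject)")
        tags["p"] = "none"      # act as if only 'v=DMARC1; p=none' had been retrieved
        tags.pop("sp", None)
    policy = {**DEFAULTS, **tags}
    policy["pct"] = int(policy["pct"])
    if not 0 <= policy["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    policy.setdefault("sp", policy["p"])
    for tag in ("rua", "ruf"):  # comma-separated list of mailto: URIs
        if tag in policy:
            policy[tag] = [u.strip() for u in policy[tag].split(",")]
    return policy


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Real receivers consult the
    Public Suffix List; keeping the last two labels is an assumption for brevity
    and is wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match, 'r' (relaxed) the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(policy: dict, policy_domain: str, from_domain: str,
             spf_result: str, spf_domain: str, dkim_result: str, dkim_domain: str,
             in_pct_sample: bool = True) -> tuple:
    """Return (dmarc_result, disposition). spf_domain is the MAIL FROM domain that
    SPF checked, dkim_domain the d= tag of the signature; results are 'pass',
    'fail' or 'none'. DMARC passes if either mechanism passes AND aligns."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p covers the domain the record was published for, sp covers its subdomains
    is_sub = from_domain.lower().rstrip(".") != policy_domain.lower().rstrip(".")
    action = policy["sp"] if is_sub else policy["p"]
    if not in_pct_sample:  # outside the pct sample the policy is stepped down one level
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, action)
    return "fail", action


def failure_report_wanted(policy: dict, from_domain: str, spf_result: str,
                          spf_domain: str, dkim_result: str, dkim_domain: str) -> bool:
    """Apply the fo= options. Failure reports are only produced when ruf is set."""
    if "ruf" not in policy:
        return False
    opts = set(policy["fo"].split(":"))
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    return (("0" in opts and not (spf_ok or dkim_ok))       # everything failed
            or ("1" in opts and not (spf_ok and dkim_ok))   # anything failed
            or ("d" in opts and dkim_result == "fail")      # a signature did not verify
            or ("s" in opts and spf_result == "fail"))      # SPF failed, alignment ignored


def report_authorization_name(sender_domain: str, report_domain: str) -> str:
    """Owner name of the TXT record (content "v=DMARC1") that report_domain must
    publish before receivers send it reports for sender_domain."""
    return f"{sender_domain}._report._dmarc.{report_domain}"


if __name__ == "__main__":
    # Constructed sample: the record from the page as published at _dmarc.test.de.
    policy = parse_dmarc("v=DMARC1;p=quarantine;pct=100;rua=mailto:RUA@test.de;"
                         "ruf=mailto:RUF@example.org;adkim=s;aspf=r")
    # SPF passed for bounce.test.de; aspf=r accepts the subdomain -> DMARC pass.
    print(evaluate(policy, "test.de", "test.de", "pass", "bounce.test.de", "none", ""))
    # Only DKIM passed, signed with d=mail.test.de; adkim=s demands an exact match.
    print(evaluate(policy, "test.de", "test.de", "fail", "attacker.example", "pass", "mail.test.de"))
    print(report_authorization_name("beispiel.de", "example.com"))
```

The second call in the demo shows why strict DKIM alignment needs care: a legitimate mailer that signs with a subdomain key fails DMARC under adkim=s even though its signature is valid, and with p=quarantine the mail lands in spam. Start with relaxed alignment and p=none, read the aggregate reports, and tighten only once every legitimate sender aligns.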

What are the advantages of DMARC?

DMARC offers companies numerous advantages for improving cyber security in the email sector. The main benefits of DMARC include

  • Increased email deliverability
    A DMARC record in DNS, together with correctly aligned SPF and DKIM, lets receivers distinguish your legitimate mail from forgeries; this can improve the delivery rate of your emails while giving receivers the information they need to reject mail that abuses your domain.
  • Reducing the risk of phishing
    DMARC effectively reduces the risk of phishing attacks, which can have costly consequences for organizations.
  • Enforce authentication policies
    DMARC allows organizations to set and enforce specific authentication policies and provide instructions to receiving mail servers to enforce these policies.
  • Corporate Reputation Protection
    DMARC helps protect an organization's reputation by preventing cybercriminals from abusing the domain to deceive customers and business partners.
  • Detailed authentication reports
    DMARC provides comprehensive email authentication reports that support an organization's email system.
  • Scalability
    DMARC is scalable, making it particularly useful for large enterprises, institutions and organizational units.

Although many of these benefits overlap, the main purpose of DMARC is to better protect email through reliable authentication and threat defense.


What is the difference between DKIM and DMARC?

DMARC and DKIM are email authentication protocols that help organizations prevent email fraud and identity misuse. However, DMARC offers policy enforcement and reporting capabilities that DKIM lacks. The two work at different levels: DKIM uses public key cryptography to sign a message so that the recipient can verify its origin and integrity, while DMARC does not sign or verify anything itself. It takes the DKIM and SPF results, checks whether the authenticated domain aligns with the "From:" header, applies the published policy and produces reports that let the domain owner see who is sending mail under its name.

DMARC coordinates the SPF and DKIM mechanisms and provides comprehensive reports on the activities monitored by these policies. Domain owners can set policies in their DNS records that determine how the "From:" field is checked and how authentication failures are handled.

In summary, DKIM verifies that a message was signed by a domain and has not been altered, while DMARC checks that this domain matches the visible sender and determines how messages that fail should be handled.


How can I generate a DMARC entry for my domain?

In order to generate a DMARC record for your domain, you can find a DMARC Generator.



Due to the large number of reports that you will receive after setting up DMARC, it is advisable to use a DMARC analyzer tool. With our free DMARC report analysis tool, you receive aggregated reports and can see at a glance where you need to take action.

