DMARC (Domain-based Message Authentication, Reporting and Conformance) was developed to limit and reduce the misuse of email, such as mail spoofing. The specification attempts to address the long-standing inadequacies associated with email authentication by ensuring that the domain in the "From:" header is trustworthy.
With DMARC, you define for your domain how the recipient server should authenticate incoming emails and what it should do with a message when authentication fails. The recipient server uses both the SPF and the DKIM entry of the sender domain for the check. While SPF specifies who may send a message on behalf of the domain and DKIM ensures that the message originates unchanged from the sender, the sender can also use the DMARC specification to make recommendations on how the recipient should handle mail that does not meet these requirements in one or more cases. If the recipient of an email uses the DMARC specification, this ensures consistent verification of the authenticity of this email.
The Sender Policy Framework (SPF) is an email verification process that enables companies to determine which senders are authorized to send emails from their domains. For this purpose, an SPF record is created in the Domain Name System (DNS), which contains the authorized sender addresses.
The SPF record lists the authorized IP addresses of the senders, including those of service providers who are authorized to send emails on behalf of the company. Publishing and verifying SPF records is an effective measure against phishing attacks and other threats posed by spoofed "from" addresses and domains.
DomainKeys Identified Mail (DKIM) is another authentication method for emails that enables the recipient to check whether an email actually comes from the owner of the specified domain. For this purpose, a digital signature is attached to the email, which is verified using a public key stored in the DNS. This signature guarantees that the email has not been changed after it was sent.
Both SPF and DKIM help to ensure the authenticity of emails and prevent threats such as spoofing and phishing. In combination with DMARC, which is published as a DNS record, these mechanisms specify how recipient servers should handle emails that fail SPF or DKIM checks. DMARC allows domain owners to set policies that determine whether unauthenticated emails should be quarantined or rejected. This increases control over the delivery of emails and reduces the risk of fraud.
Like DKIM and SPF, DMARC uses a TXT record in the DNS settings. A resource record is created for the subdomain "_dmarc", which describes the DMARC policy for the sender domain. Below is an example of what the DMARC record for the domain "test.de" might look like:
v=DMARC1;p=quarantine;pct=100;rua=mailto:RUA@test.de;ruf=mailto:RUF@example.org;adkim=s;aspf=r
Parameter | Meaning | Specification | Allowed values |
---|---|---|---|
v | Protocol version | required | "DMARC1" |
pct | Percentage of mails to be filtered | optional | integer between 0 and 100 |
ruf | Forensic report is to be sent to: | optional | "mailto:mailaddress@YOURDOMAIN.tld" |
rua | Aggregated report is to be sent to: | optional | "mailto:mailaddress@YOURDOMAIN.tld" |
rf | Error report format | optional | "afrf" or "iodef" |
p | Instruction on how to handle mail from the main domain | required | "none", "quarantine" or "reject" |
sp | Instruction on how to handle mail from subdomains | optional | "none", "quarantine" or "reject" |
adkim | Alignment mode for DKIM | optional | "r" or "s" |
aspf | Alignment mode for SPF | optional | "r" or "s" |
fo | Error reporting options | optional | "0", "1", "d" or "s" |
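The table above can be turned into a check that runs before a record is published. The following is an added example, not part of the original page: `parse_dmarc` and `ALLOWED` are names chosen here, and the rules that `v` must come first and that `fo` values are colon-separated are taken from RFC 7489 rather than from the table.

```python
import re

# Allowed values taken from the parameter table above.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf", "iodef"},
}
# The example record for test.de shown above.
EXAMPLE = ("v=DMARC1;p=quarantine;pct=100;rua=mailto:RUA@test.de;"
           "ruf=mailto:RUF@example.org;adkim=s;aspf=r")

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; return (tags, problems)."""
    tags, problems = {}, []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag: {part!r}")
            continue
        if name in tags:
            problems.append(f"duplicate tag: {name}")
            continue
        tags[name] = value
    # RFC 7489 requires the version tag to be the first tag of the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("required tag p is missing")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} is not an allowed value")
    pct = tags.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        problems.append("pct must be an integer between 0 and 100")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri and not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri.strip()):
                problems.append(f"{name} entry is not a mailto: URI: {uri.strip()}")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo must be built from 0, 1, d, s")
    return tags, problems
```

The example record sends `ruf` reports to a different domain (example.org) than the one the policy covers. Under RFC 7489 that destination domain has to publish an authorization record of its own before receivers will send reports there.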
DMARC offers companies numerous advantages for improving cyber security in the email sector. The main benefits of DMARC include
Although many of these benefits overlap, the main purpose of DMARC is to better protect email through reliable authentication and threat defense.
DMARC and DKIM are email authentication protocols that help organizations prevent email fraud and identity misuse. However, DMARC offers advanced policy implementation and reporting capabilities compared to DKIM. Both protocols use public key cryptography, but they validate emails in different ways. While DKIM focuses on authentication, DMARC provides detailed reporting to optimize an organization's email security.
DMARC coordinates the SPF and DKIM mechanisms and provides comprehensive reports on the activities monitored by these policies. Domain owners can set policies in their DNS records that determine how the "From:" field is checked and how authentication failures are handled.
In summary, DKIM checks the legitimacy of an email, while DMARC also determines how such emails should be handled.
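How a receiver combines the SPF and DKIM results with the `adkim`/`aspf` alignment modes and the `p`/`sp` policy can be sketched as follows. This is an added example, not code from the original page: the function names are chosen here, the pass rule (one aligned SPF or DKIM pass is sufficient) and the relaxed default follow RFC 7489, the organizational domain is approximated as the last two labels, and `pct` sampling is left out.

```python
def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, which this naive rule gets wrong for e.g. co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, spf, dkim, policy, policy_domain):
    """Return 'pass' or the policy action the domain owner requested.

    spf:    (result, MAIL FROM domain) as checked by the receiver
    dkim:   list of (result, d= domain), one per signature on the message
    policy: tag dict of the record found at _dmarc.<policy_domain>
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for result, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass"
    # Mail from a subdomain without its own record uses sp when it is set.
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return policy.get("sp", policy["p"]) if is_subdomain else policy["p"]

# Tags of the example record for test.de shown earlier on this page.
POLICY = {"v": "DMARC1", "p": "quarantine", "pct": "100", "adkim": "s", "aspf": "r"}
```

With this record, a message whose SPF and DKIM checks both pass for an unrelated domain still ends up as `quarantine`, because neither result is aligned with the "From:" domain.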
To generate a DMARC record for your domain, you can use a DMARC generator.
Due to the large number of reports that you will receive after setting up DMARC, it is advisable to use a DMARC analyzer tool. With our free DMARC report analysis tool, you receive aggregated reports and can see at a glance where you need to take action.
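The core of such an analysis is small: read each aggregate report and list the sending IP addresses whose mail failed DMARC. The following is an added example, not the tool mentioned above. The element names follow the aggregate report XML schema in RFC 7489, while the report content and the function name `summarize` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation IP ranges, not real traffic).
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <report_id>constructed-001</report_id></report_metadata>
 <policy_published><domain>test.de</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row>
  <identifiers><header_from>test.de</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>test.de</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>4</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row>
  <identifiers><header_from>test.de</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Return (total messages, {source_ip: count} for rows that failed DMARC)."""
    # Reports are untrusted input from third parties: refuse DTDs/entities here,
    # or parse with a hardened library such as defusedxml.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    total, failed = 0, Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count", "0"))
        total += count
        ev = row.find("policy_evaluated")
        # DMARC fails only when neither the DKIM nor the SPF result is "pass".
        if ev is None or (ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass"):
            failed[row.findtext("source_ip")] += count
    return total, dict(failed)
```

A source that appears in the failed list is either a legitimate sender missing from SPF/DKIM configuration or someone spoofing the domain, which is the decision the reports are meant to support before moving `p` from "none" to "quarantine" or "reject".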