We looked at SPF and DKIM as two email authentication protocols that help improve email security. DMARC builds on top of these protocols to prevent spam and phishing emails. With only SPF and DKIM implemented, domain owners had no way of knowing whether their outbound emails were processed correctly, i.e., whether those emails were marked as spam or rejected by the recipient mail server, and no way to debug such issues. DMARC addresses this with its Reporting and Conformance components.
Without DMARC, a recipient mail server might reject or mark an email as spam if the SPF/DKIM authentication fails, based on its own defaults. DMARC gives the recipient mail server precise instructions on what action to take with a non-conforming (non-compliant) email.
Like SPF and DKIM, it is a TXT record that goes into the DNS settings of your domain, with the Name field set to _dmarc:
v=DMARC1; p=quarantine; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]
Field | Description
---|---
v=DMARC1 | defines that this TXT record contains a DMARC policy
p=quarantine | defines the policy for the domain, i.e., how an email that fails the checks should be treated
sp=reject | optional field, defines the policy for subdomains
pct=100 | optional field, specifies the percentage of failing messages to which the policy is applied
adkim=s | optional field, defines the alignment mode for DKIM (s=strict / r=relaxed)
aspf=s | optional field, defines the alignment mode for SPF (s=strict / r=relaxed)
rua= | optional field, defines the reporting address for aggregate reports
ruf= | optional field, defines the reporting address for forensic reports
Note: there are a few more optional fields available; more on that here.
The v and p fields are mandatory (and must appear in that order) and make up the basic version of a DMARC policy. Upon receiving an email, the recipient mail server performs the SPF/DKIM authentication checks. It is important to note that if these checks fail, the action defined in the policy p takes effect.
DMARC implementation is usually carried out in a phased manner, giving the administrator time to move from relaxed control to stricter control. The p field can have the following values to support this:

- none: the relaxed option, where DMARC enforcement does not take effect. The outcome depends on the recipient mail server's default behaviour for emails that fail SPF and DKIM.
- quarantine: the midpoint, where the recipient server can accept emails that fail SPF and DKIM but marks them as such (e.g., as Spam or Junk email).
- reject: the strictest option, which rejects all inbound emails that fail the checks.

One can use any of these services to validate their DMARC deployment:
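To make the record format and the p/sp/pct/alignment semantics above concrete, here is an added example (not code from the original post) that parses a DMARC TXT record, enforcing the v-then-p ordering and filling in the RFC 7489 defaults for missing optional tags, and then computes the disposition a receiver would apply. The domains, SPF/DKIM results and the pct sample value are constructed inputs, and relaxed alignment is approximated with the last two labels rather than the Public Suffix List.

```python
# Added example, not code from the post: DMARC record parser plus the receiver-side
# decision it drives. All domains, results and sample values below are constructed.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record; v=DMARC1 must be first and p second (as the post states).
    Optional tags missing from the record get their RFC 7489 defaults."""
    rec = {}
    for tag in (t.strip() for t in txt.split(";") if t.strip()):
        if "=" not in tag:
            raise ValueError(f"malformed tag: {tag!r}")
        key, value = (s.strip() for s in tag.split("=", 1))
        rec[key.lower()] = value
    if list(rec)[:2] != ["v", "p"] or rec["v"] != "DMARC1":
        raise ValueError("v=DMARC1 and p must be the first two tags")
    rec.setdefault("sp", rec["p"])         # subdomain policy defaults to p
    rec["pct"] = int(rec.get("pct", 100))  # default: apply the policy to all messages
    rec.setdefault("adkim", "r")           # alignment defaults to relaxed
    rec.setdefault("aspf", "r")
    for k in ("p", "sp"):
        if rec[k] not in POLICIES:
            raise ValueError(f"invalid {k} value: {rec[k]!r}")
    return rec

def org_domain(domain):
    # Simplification: organisational domain taken as the last two labels
    # (real receivers consult the Public Suffix List instead).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) an org-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(rec, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain,
                      is_subdomain=False, sample=100):
    """Receiver decision: DMARC passes if SPF or DKIM passed with an aligned domain;
    otherwise apply p (or sp for a subdomain). `sample` is a 1-100 draw compared to pct."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = rec["sp"] if is_subdomain else rec["p"]
    if sample > rec["pct"]:
        # Outside the pct sample: RFC 7489 says to apply the next less strict policy.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy
```

Running the record from the post through parse_dmarc shows why aspf=s matters: a message whose SPF passes for mail.example.com but whose From is example.com is quarantined under strict alignment and passes under relaxed alignment.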