DMARC is an email authentication standard that can help businesses fight the rising threat of brand exploitation, including email phishing attempts and business email compromise attacks. But it’s a complex protocol, the benefits and mechanisms of which are not often well-understood by non-security professionals. Security teams who are able to clearly explain DMARC and its benefits in layman’s terms are more likely to win over unaware stakeholders — which is more and more important as businesses accelerate their adoption of digital technologies.
What Is DMARC?
DMARC is a Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol designed to detect and prevent email spoofing. Blocking unauthenticated email is only the beginning; DMARC was designed as a framework for building policies and reporting on communications practices. The Domain-based Message Authentication, Reporting & Conformance (DMARC) specification enables owners of email domains to take action to reduce spam and phishing by creating policies that specify how incoming email should be handled if it fails SPF or DKIM authentication checks. When you publish a DMARC policy, legitimate senders of email on your domain will not lose out on delivery of their legitimate messages.
There are many types of email fraud, but DMARC helps protect you from known sources of fraudulent or malicious emails. It is designed to reduce fraudulent or malicious email that can trick your recipients into clicking on links in the email. DMARC also enhances the protection that SPF and DKIM provide when they are deployed correctly. DMARC (Domain-based Message Authentication, Reporting and Confirmation), is a set of email security technologies that includes SPF and DKIM.
When someone sends an email message using your domain’s address and the DMARC records instruct that emails that claim to be from your domain should be treated as spam, organizations can use their DMARC reporting to gather data about where those spoofed emails are coming from so they can block the malicious senders. What is DMARC? Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. DMARC also provides reporting mechanisms for both senders and receivers.
In simple terms, DMARC analyzes SPF and DKIM results to instruct an inbound mail server what to do with messages that fail these checks. The choices are:
- Do nothing
- Quarantine in a spam folder
- Reject the email outright
DMARC also sends an informative report on all of the above to the domain owner
How Does DMARC Work?
To use a real-world analogy, imagine an email is a package that needs to be delivered to a recipient at an office park. Upon arrival, there are two security guards checking the delivery person’s credentials independently and simultaneously. With a DMARC policy of none, the email package would be allowed to be dropped off at the recipient’s door. This is akin to a policy of “none” from a traditional firewall or IPS. With a DMARC policy of “none”, you are not telling the receiving server how to handle your email. In this case, after checking with both security guards, the package would then be delivered to the recipient. This is akin to a SPF check, but no DKIM check being run by the receiving mail server. When a message with a DMARC policy is sent, SPF and DKIM checks are performed separately and in parallel by the receiver’s mail system to ensure that the message comes from a legitimate source.
If both checks pass, then the message is delivered. If either check fails or DMARC is set to unknown, the message may be blocked, held for further inspection or marked as spam. DMARC provides a means for companies to specify the actions associated with failed validation checks. For example, their policy might specify that for failed SPF or DKIM, the e-mail should be immediately rejected at the gate. With DMARC, instead of sending junk mail to your inbox, a message stating that it was a spoofed e-mail would be sent to a specified system responsible for handling such messages from the user.
It also makes it more difficult for spammers to forge e-mails from companies that have implemented DMARC. In this example, the expected driver was out sick and a replacement driver filled in, meaning every part of the delivery process was legitimate. The company might then change their DMARC policy so the guards take no action if and when packages are delivered by the substitute driver.
Why Is DMARC Important?
The Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol is one of the most effective measures available today to protect brands from increasingly sophisticated phishing and brand impersonation attacks. DMARC uses two existing communication protocols; DNS and SMTP, which already exist in most corporate IT infrastructures, to implement enhanced anti-phishing policies that aid in stopping both known and unknown phishing threats.” DMARC helps reduce the risk of brand impersonation attacks, such as spoofing and phishing, by enabling organizations to send email from domains they do not own and therefore cannot be sure are safe. DMARC achieves this by authorizing either a domain owner or their ISP to issue “reject” or “quarantine” instructions for all email received at a domain. If there is no valid DMARC record in the DNS for a domain, any email sent from that domain will be accepted by default. When an organization sets up DMARC, it automatically generates a pair of public-private keys and places them in the DNS.
DMARC is a tool that allows owners and operators of Internet domains and other email services to prevent authorized parties from using their brands to take advantage of the misdirected trust that results from brand impersonation. To protect access to its brand, Gerber created DMARC policies for each of its domains.
The Bottom Line
DMARC is an underused but highly effective tool in the fight against email phishing and business email compromise, and can help organizations maintain the trust of their customers, partners and suppliers.