How does a DMARC record help?

I understand SPF is Sender Policy Framework, which instructs which server IP addresses are allowed to send email using the From address of example.com.

Then we have DKIM, which is a digital signature to ensure the email content has not been tampered with.

Then what is the role of DMARC? I want to understand. It seems pretty confusing.


To prevent email spoofing, all domains must have an email authentication system. Maybe you’ve heard about the SPF and DKIM mechanisms. But the problem is that SPF and DKIM alone can’t stop impersonation of your domain and can’t prevent email spoofing. DMARC (Domain-based Message Authentication, Reporting & Conformance) came to the rescue. It combines the SPF and DKIM mechanisms, and provides 100% protection from domain-precise attacks.

DMARC can protect you from phishing attacks. Phishing is a fraudulent attempt to obtain confidential information. By posing as a legitimate individual, the hacker manipulates victims into certain actions.


To clarify a bit: SPF and DKIM are how you take responsibility for a particular message (SPF by sending IP and DKIM by digital signature), and DMARC is how you tell recipients what to do when a message is not authenticated.

Technically SPF has a negative action, but the reality is most recipients ignore it and focus on the positive signal.

DKIM has no negative action; a message is either signed and validated or not, but you cannot make any assumptions about messages being signed until you get to DMARC.

DMARC is a way to express to the world that you are authenticating all messages (in practice with SPF and/or DKIM, although other mechanisms can be used with private arrangement or future protocol development), and also to suggest what should happen to unauthenticated messages. You can request recipients quarantine or reject, although this is just a request. You can also request automated feedback reports to help you understand when your domain is spoofed (legitimately or not, even just forwarding can cause a message to become unauthenticated).

There is more to it, in particular domain alignment (the From header vs the RFC5321.Mail command) and signing details come into play with DMARC.

In short though, do your best to deploy SPF and DKIM as these help you build a positive reputation so that receiving servers are more likely to place your mail into the Inbox if they can build a reputation score. Assuming your mail is wanted by recipients.

I would not recommend deploying DMARC in quarantine/reject mode unless you have a compelling reason to do so, or unless you use reporting mode for several weeks and understand what failures are occurring.

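To make the alignment and policy points above concrete, here is an added example (not code from anyone in this thread) of how a receiver turns a DMARC record plus the SPF and DKIM results into a verdict. The record, domains and results are constructed inputs; organizational-domain matching is simplified to the last two labels (real receivers use the Public Suffix List), and defaults follow RFC 7489 (relaxed alignment).

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and p=)")
    return tags


def org_domain(domain):
    # Simplification: last two labels stand in for the organizational domain.
    # Production code must use the Public Suffix List (e.g. example.co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result=None, dkim_results=()):
    """Return (dmarc_result, requested_action).

    spf_result:   (passed, RFC5321.MailFrom domain) or None if no SPF check was possible
    dkim_results: iterable of (passed, d= domain) for every signature on the message
    A message passes DMARC when at least one *aligned* mechanism passes; otherwise the
    record's p= policy is the action the domain owner requests (quarantine/reject is only a request).
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf_result and spf_result[0]
                  and aligned(from_domain, spf_result[1], tags["aspf"]))
    dkim_ok = any(ok and aligned(from_domain, d, tags["adkim"]) for ok, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Constructed record and scenarios: legitimate bounce domain, a forwarded message, and a spoof.
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
    print(evaluate(rec, "example.com", spf_result=(True, "bounce.example.com")))
    print(evaluate(rec, "example.com", spf_result=(False, "fwd.example.net"),
                   dkim_results=[(True, "example.com")]))
    print(evaluate(rec, "example.com", spf_result=(True, "attacker.test")))
```

The forwarded case is the one the reply warns about: SPF fails after forwarding, so only a surviving aligned DKIM signature keeps the message passing, which is why reporting mode for several weeks before quarantine or reject is sound advice.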

Thanks to all for trying to explain in best possible way.

I have implemented SPF & DKIM correctly as per instructions of SMTP provider with proper bounce address.

Not sure if this is worth the hassle. Once I had implemented DMARC in G Suite, all I could see was a daily report, perhaps in an XML file, coming to my inbox. I was irritated with the unclear jargon and had to stop it.

Agreed. To be honest, I wouldn’t bother with DMARC at all unless you have a compelling reason as there are a lot of pitfalls that aren’t immediately obvious.

If you ever do decide to do DMARC, Postmark will send you weekly easy-to-read reports for free.

You can start with Report Only and see who’s sending mail as you. After you’ve confirmed all your sources are legitimate for several weeks and are passing SPF and DKIM, you can move to Reject. I think Quarantine is somewhat pointless, but that might just be me. DMARC has blocked spoofing attempts for me. I’m glad that I use it.

While I’m not in financial services, I think anyone who is should consider it strongly.

