What is DMARC?

Tags email DMARC

Background/Overview

DMARC (Domain-based Message Authentication, Reporting & Conformance) uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to evaluate the authenticity of email messages. Together, these tools prevent practices like phishing and domain spoofing.

Phishing is a cybercrime in which someone poses as a credible entity — like a bank or a governmental agency or even your own employer — to try and gather sensitive information, like your credit card information or social security number. Domain spoofing is a form of phishing that entails using a fake email address or domain to appear legitimate.

DMARC allows domain owners to define how an email that appears to be sent from that domain gets handled if it doesn’t include the right information. For example, unauthenticated emails can be blocked or sent straight to a junk folder based on settings placed in the records for that email address’s domain.

Why is DMARC important?

Spammers and phishers have a lot to gain from compromising user accounts. By gaining access to passwords, credit card information, bank accounts, and other financial instruments, malicious actors can easily get access to their victims’ money before their victims are even aware they’ve been scammed.

Email is a particularly attractive and common target, especially for spoofing. Even something as simple as inserting the logo of a well-known brand into an email can trick some recipients into believing they’ve been sent a legitimate communication.

DMARC works to solve this problem at scale. Realistically, free email services like Google, Yahoo, or Hotmail can’t inspect every email that passes through their servers to determine which ones to allow and which ones may be fraudulent.

SPF and DKIM records can help, but these processes have limited scope on their own. When used with DMARC, these protocols help senders and receivers collaborate to better secure emails.

Benefits of DMARC

DMARC records are an important part of protecting yourself and the people you send emails to. In addition to protecting your domain from unauthorized use, DMARC can allow you to determine who’s using your email domain to send unauthorized emails.

DMARC provides 3 major benefits: security, reputation, and visibility.

Security

Along with protecting customers, using DMARC benefits the email community as a whole. By establishing a framework for a consistent policy to deal with unauthenticated emails, DMARC helps the email ecosystem become more trustworthy and secure.

Reputation

DMARC protects brands by serving as a gatekeeper — it prevents bad actors from spoofing your domain and sending out emails that appear to come from your brand. Publishing your DMARC record can result in a boost to your reputation.

Visibility

DMARC gives you more insight into your email program at a high level, letting you know the identity of everyone who sends email from your domain.

DMARC background

To understand DMARC, it’s important to understand the fundamentals of SPF and DKIM as well as Domain Name System (DNS) records. DMARC builds on SPF and DKIM techniques.

SPF

SPF helps detect forgery by reviewing an email’s listed return-path address. This email address is also referred to as the Mail From or the bounce address.

When an email can’t be sent to its intended recipient after several attempts or a delay, a notification of that failure is usually sent to the return-path address.

Here’s how the return-path address is used to help authenticate email.

How SPF Works

Domain owners can decide which mail servers their domain is allowed to send from when they connect a domain set up their SPF protocols.

  1. SPF information is entered into a TXT record to define the mail servers authorized to send email for a domain.
  2. An inbound mail server receives a new email and checks the written rules for the domain of the return-path email address. The inbound server compares the IP address of the mail sender with the domains and/or IP addresses defined in the SPF record.
  3. The receiving server uses the rules specified in the sender’s SPF record and determines whether it should accept, reject, or otherwise flag the message.

DKIM

DKIM is an email authentication technique that ensures email content is kept safe from tampering, using an encrypted digital signature. DKIM signatures are added as headers to email messages and secured with public key cryptography.

When a receiving server determines that an email has a valid DKIM signature, it can confirm that the email and attachments have not been modified. This process is not typically visible to end users such as the intended recipient of the email message.

How DKIM works

Here’s how DKIM signatures are validated:

  1. The domain owner publishes a unique cryptographic key, formatted as a TXT record within the domain’s DNS record.
  2. When a message is sent by an outbound server, it generates and attaches a unique DKIM signature to the header.
  3. Inbound servers receive an encrypted hash of the message body.
  4. The receiving server first locates the DKIM public key that’s referenced in the DKIM signature and stored in the DNS records.
  5. The key is used to decrypt the hash and then generate a new hash of the message body and compare it to the original included by the sender.
  6. If the two hashes match, they can validate that the message wasn’t altered in transit.

A record

The type of DNS record that points domains to an IP address is called an address record. When using IPv4 addresses, this record is referred to as an A record.

If you were to visit nebraska.edu, your browser would ask a nearby DNS server if it has the IP address of nebraska.edu. If it does have the IP on record, it sends it to your browser. If not, it tells your browser where it can find another DNS server that has it, and so on until the IP is relayed to you along with the website.

CNAME record

A CNAME (Canonical Name) record is a type of DNS record that maps an alias name to a true (canonical) domain name. CNAME records usually map a subdomain like “www” or “mailto:” to the domain that hosts that subdomain’s content. For example, a CNAME record can map the web address www.nebraska.edu to the website for the domain nebraska.edu.

You can add a CNAME record to your DNS settings if you want to customize a web address, verify domain ownership, reset your admin password, and much more.

DMARC history

SPF and DKIM were developed several years ago to help secure the email ecosystem. While the use of these tools has increased over time, fraudulent and deceptive emails are still a widespread issue. DMARC was established to overcome several frequent problems:

  • Senders with multiple systems sending email faced a great deal of complexity trying to work with SPF and DKIM.
  • When a mix of authenticated, unauthenticated, and unaligned emails are sent from the same domain, receiving servers have to discern which are legitimate and which may be fraudulent. This tends to trip up spam algorithms, leading to fraudulent messages winding up in inboxes.
  • With SPF and DKIM, senders get little feedback on their email authentication deployments. Unless the email bounces back, senders have no way of knowing how many legitimate messages are sent unauthenticated or the scope of fraudulent emails being sent from their domain.
  • Even when senders have secured their email authentication infrastructure, email receivers are programmed to accept some unauthenticated messages because it's possible that legitimate messages without signatures are passing through.

To solve these problems, senders and receivers must share information with one another. Ideally, receivers supply senders with reporting information, while senders tell receivers what to do when they receive unauthenticated messages.

DMARC is based on the idea of the sender and receiver collaborating to improve senders’ email authentication practices and to enable receivers to reject unauthenticated messages.

Print Article

Related Articles (1)

Guidelines for authenticating emails.

Related Services / Offerings (6)

Outlook is the Microsoft 365 application utilized for mail and calendaring at the University of Nebraska System.
Proofpoint Email Security Gateway is an email protection service provided to protect faculty and staff from email threats by securing and controlling inbound and outbound email.
In order for email messages from third-party email systems like newsletter and other bulk mail applications to pass DMARC requirements, they must pass SPF and DKIM checks.
Microsoft Outlook is the official Email tool for the University of Nebraska System
Desktop and cloud storage and applications