What is DMARC? What you need to know in 2022?

June 17, 2022  |  5 min read

What is DMARC?

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” and is an open email authentication, policy, and reporting protocol that enables domain owners to combat phishing attacks.

Why should we implement DMARC?

DMARC’s purpose is to protect domains from unauthorized use, commonly known as email spoofing, and help reduce the risk of business email compromise (BEC) attacks, phishing emails, malware, and other cyber threat activities.

Use our free DMARC Checker to run a quick analysis if you’re interested in the status of your domain or anyone else’s. It examines DMARC, SPF, and DKIM and notifies you of the steps you must do to achieve compliance.

How serious is this?

Email impersonation bypasses any security measure in place, employee training, SOC, 2FA, HTTPS, strong passwords, and anything else that is already in place.

Attackers also realized that they can spoof your domain names and benefit from your already life-long built domain reputation, they ride the train until your domain reputation and deliver all their dirty mail into their victim’s inboxes while using your domain name. Until your domain reputation falls into the ground, when that’s done, they trash your domain and move on to the next one.

Leaving your domain with a heavily impacted and low-trusted email reputation (a lot of times blacklisted); and all of that, without your knowledge.

Result?

Spam and Junk.

Spam and Junk have become so unknown to companies that a lot of companies have taken a surprising action to inform their clients to check the Junk/Spam folder, once you think about it, it is unbelievable that this is yet that is the norm of sending transactional emails. This should have never been a use case. And we’re here to stop this.

Why doesn’t everyone have DMARC already?

The email was built a long time ago, and when it was initially built no one expected that third-party mail senders will send an email on your behalf; back in the days, the third party used to have an SMTP server that sends out the email afterward SPF, DKIM was put in place, and to seal the deal, and DMARC was introduced, to allow mail clients to see whether this is an authorized or a non-authorized sender.

Unfortunately, the setup of all those provisions is rigorous, and the reports are heavy to analyze, with data in tens of thousands on a daily basis; making it practically impossible for a human to analyze and take action in real-time.

All of those provisions work strictly on the DNS, leaving the domain owner solely responsible for those DNS-specific settings. A mail sender or a mail client is unable to set this up for you.

Why does this happen?

  1. Excessive usage of your domain name in an unauthorized way, spoofers sending out emails from your domain in mass.
  2. Excessive usage of your domain name in an unauthorized way, spoofers sending out emails from your domain in mass.
  3. Your emails are being sent from mail senders while being misconfigured.

Skysnag helps you discover the next level of autonomous email authentication while taking care of your domain reputation, DMARC enforcement settings, and SPF/DKIM alignment all automated.

Regain your email reputation and ensure every email that is sent from your domain name is going out authenticated.

  • Say no to Junk.
  • Say no to Spam.

DMARC Policies

The DMARC protocol comes with multiple options and levels of policy enforcement:

1. Monitor policy: p=none

The p=none is a monitoring policy, it doesn’t take any action when DMARC fails, yet it allows a domain owner to gain insight into what is happening on their domain. It is the policy that all domain owners start with and it leads the way to the ideal DMARC enforcement status.

2. Quarantine policy: p=quarantine

This is a stricter policy than the monitor policy whereby a domain owner can set a percentage of how many emails failing DMARC checks can get into the inbox and how other emails can land in the spam folder. You have probably seen some domains with a p=quarantine 30%, which means 30% of emails failing DMARC will land in recipients’ inboxes. Domain owners start with a low percentage and turn the dial up as they gain more confidence that they won’t lose a good email.

3. Reject policy: p=reject

This policy is the ultimate policy every domain should reach. It is the policy that rejects every email that fails DMARC checks, and guarantees all other email is properly authenticating DMARC and to be delivered to the receiver’s inbox

Why Does DMARC Fail?

DMARC can fail due to two main reasons:

Either the DMARC record is misconfigured or the domain name is being used by attackers. Let’s delve deep into all reasons reasons

1: DMARC Alignment Failures

DMARC uses [identifier alignment] to ensure that the message is coming from the domain that you specified in the “From” section of the email header. This process can be possible if your DKIM and SPF records are properly configured. Use our DMARC records generator tool to set up DMARC for your domain.

If your records are misconfigured, DMARC will fail even for authentic emails, so make sure your SPF record has your sending domain IP and if there is any third party sending on your behalf, they are included in your SPF. As for DKIM make sure that your domain key matches the From header key.

For DMARC to pass, either SPF or DKIM has to be aligned and you can set alignment modes to strict and relaxed. When setting alignment modes to the strict modern and you are sending emails from a subdomain, make sure to allow explicit permission for authentication from your subdomain.

2: Email Forwarding

Email pass through an intermediary server when forwarded. During that process, the SPF must fail since the IP address of the forwarding server doesn’t match the original domain’s SPF.

DKIM is there for the rescue as the signature of the email matches the public key signature that the receiving server checks

Yes DKIM doesn’t care about IPS it will check the receiver DNS which is a constant and thus doesn’t fail. Making sure SPF & DKIM records are properly configured and analyzing DMARC reports is crucial to avoid deliverability issues with forwarded emails.

3: Missing Sending Sources In DNS

When you enforce DMARC, it is crucial to add to your DNS the records of any third party sending service sending email on your behalf, as authentication will fail cause SPF alignment will fail due to the fact that the MTA won’t find the sending IPs in your records resulting in authentication failure of legitimate messages, to solve this create text entries in your DNS that include the SPF of all your sending source. or let Skysnag automated system do it for you, just signup and add all your sending sources now.

Conclusion

Skysnag’s automated software safeguards your domain’s reputation and keeps your business away from compromised business emails, password theft, and potentially significant financial losses. Unlock insights, bypass email authentication configuration issues including SPF and DKIM; and protect your domain from spoofing with strict DMARC enforcement, all autonomously with Skysnag. Get started with Skysnag and sign up using this link for a free trial today.