
How can DMARC authenticate your e-mails?

By Jennifer Montérémal

Published: October 29, 2024

The DMARC (Domain-based Message Authentication, Reporting and Conformance) security protocol, applied to outgoing e-mail, is of growing interest to businesses. And with good reason: not only does it protect recipients from e-mail that spoofs a legitimate domain, it also helps senders build a good reputation with receiving mail servers, which in turn improves their e-mail deliverability rates.

But while SPF and DKIM have already been adopted by many organizations, what does DMARC add? What are its advantages?

To understand the benefits of Domain-based Message Authentication, Reporting and Conformance, let's look at its definition, how it works and how it is implemented.

DMARC: definition

What is DMARC?

DMARC is a technical specification, published as RFC 7489 in 2015, drafted by a group of founding contributors from the major mailbox providers and senders (Gmail, Hotmail, AOL, etc.).

The aim of this standard is to close a gap left by SPF and DKIM in e-mail authentication: detecting messages that misuse a sender's domain name in the From: header, and letting the domain owner decide what happens to them.

What is it used for?

In the e-mail world, domain spoofing has unfortunately become common practice. We have all received this type of malicious e-mail. For fraudsters, the practice consists in forging a company's domain in the From: header of the messages they send, so that the recipient believes they come from a familiar and/or legitimate sender. The aim? To trick victims into installing malware, or into handing over confidential information such as bank details.

DMARC is designed to combat such practices: it lets the receiving server verify that the domain shown in the From: header has actually been authenticated for that message, by SPF or by DKIM. In short, this technical specification is an effective weapon against spam and phishing that impersonates your domain.

The stakes are twofold for companies:

  • prevent malicious individuals from spoofing their domain;
  • increase their e-mail deliverability rate. Thanks to DMARC, organizations can show a "clean bill of health" to their recipients' mail servers. They thereby avoid ending up on blacklists because someone else has abused their domain, and so avoid having their legitimate e-mails rejected or relegated to junk mail.

How does DMARC work?

DKIM and SPF protocols

DMARC relies on two other security protocols:

DKIM (DomainKeys Identified Mail)

With DKIM, the recipient can verify that a message was signed by a key published under a particular domain, i.e. that the domain has taken responsibility for it.

This standard is based on a cryptographic signature, carried in a DKIM-Signature header, that covers selected headers and the message body. Once the signature has been affixed, it guarantees that the signed parts of the message have not been altered in transit.

At the destination, the signature is verified by combining two keys:

  • the private key, which the sending domain used to sign the message,
  • and the matching public key, which the receiver fetches from a DNS (Domain Name System) TXT record at selector._domainkey.domain (the selector is named in the signature's s= tag, the domain in its d= tag).

SPF (Sender Policy Framework)

The SPF protocol enables companies and organizations to specify which mail servers have the right to send e-mail on behalf of their domain name.

They publish the IP addresses they approve (such as the IP addresses of their e-mail service provider) in a DNS TXT record beginning with v=spf1.

SPF is therefore a good way of verifying the sending server: the receiving server compares the connecting IP address with the SPF record of the envelope sender domain (the SMTP MAIL FROM address), and can reject or flag e-mail from unauthorized sources. Note that SPF on its own checks that envelope domain, not the From: header displayed to the user, which is one of the reasons DMARC exists.
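As an added example (not code from the original article), here is a small SPF evaluator in Python that checks a connecting IP address against SPF records held in an in-memory table standing in for DNS TXT lookups. The domain names and address ranges are constructed (documentation ranges), and only the ip4, ip6, include and all mechanisms are implemented, since a, mx, ptr and exists would need live DNS.

```python
import ipaddress

# Constructed SPF records, standing in for DNS TXT lookups (not real domains).
# example.com authorizes its own /24, delegates to its e-mail service
# provider's record via include:, then fails everything else with -all.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example.net -all",
    "_spf.esp.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS, depth=0):
    """Evaluate SPF for a connecting IP and the SMTP MAIL FROM domain.

    Returns one of the RFC 7208 result strings: pass, fail, softfail,
    neutral, none or permerror.
    """
    if depth > 10:
        # RFC 7208 caps DNS-querying mechanisms (include: among them) at 10
        return "permerror"
    record = records.get(mail_from_domain.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]

        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return result
        elif term.startswith("include:"):
            # include: matches only when the referenced record itself yields "pass";
            # a missing or broken included record is a permanent error
            inner = check_spf(client_ip, term[len("include:"):], records, depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        elif term == "all":
            return result  # catch-all: its qualifier is the default verdict
        else:
            return "permerror"  # mechanism this example does not support
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8:1::5", "203.0.113.5"):
        print(f"{ip:>16} sending as example.com -> {check_spf(ip, 'example.com')}")
```

The result is tied to the MAIL FROM domain passed in, which is exactly the identity DMARC later compares with the From: header.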

Limitations of the DKIM and SPF protocols

However, SPF and DKIM on their own have a number of limitations. Neither of them checks the domain in the From: header that the user actually sees, and neither tells the recipient MTA (Mail Transfer Agent) what to do when authentication fails. What's more, the sender has no visibility of what receivers do with its mail, or of who is spoofing its domain.

This is where DMARC comes into its own: the domain owner states upstream, in DNS, how the recipient MTA should treat messages whose From: domain fails both SPF and DKIM verification, and where to send reports about them.

The DMARC process

The role of DMARC is to check that a message passes at least one of the following two tests for the domain in its From: header:

  • SPF authentication and alignment: SPF passes, and the MAIL FROM domain it passed for matches the From: domain,
  • DKIM authentication and alignment: a DKIM signature verifies, and its d= domain matches the From: domain.

To achieve this, the domain owner publishes a DMARC record in DNS, which tells receiving mail servers that a policy exists. When a message arrives, the receiving server runs SPF and DKIM, then checks that at least one of them passed and is aligned with the From: domain.

DMARC therefore only takes action when neither check passes with alignment: the e-mail is then considered to have failed DMARC. In this case, the action taken depends on the policy chosen upstream by the domain owner. There are three policies:

  • DMARC policy none: the e-mail is delivered to the recipient anyway. Reports are still sent to the domain owner so that it can see which messages fail and why; this is the monitoring mode used when first deploying DMARC.
  • DMARC policy quarantine: the e-mail is treated as suspicious and typically filed in the spam or junk folder, where it can be reviewed later.
  • DMARC policy reject: the e-mail is rejected at SMTP time and never reaches the recipient's mailbox.

DMARC is therefore the authentication policy of choice, since the sender tells the recipient what to do when a message fails, instead of leaving that decision to each receiver.

In addition, thanks to its quarantine and reject capabilities, the protocol keeps messages that spoof your exact domain from reaching recipients at receivers that honour DMARC. It does not, however, cover lookalike domains (a similar-looking domain registered by the attacker) or mail sent from compromised legitimate accounts, since those messages authenticate correctly.
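As an added example, not part of the original article, here is the alignment and disposition logic in Python, fed with the SPF and DKIM results a receiver would already have computed for a message. The domain names are constructed, and the organizational-domain helper is an assumption of this example (it keeps the last two labels; a real implementation consults the Public Suffix List so that co.uk and similar suffixes are handled).

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DmarcPolicy:
    """The fields of a domain's DMARC record that drive evaluation."""
    p: str                      # none | quarantine | reject
    sp: Optional[str] = None    # sub-domain policy; falls back to p when absent
    adkim: str = "r"            # DKIM alignment: r = relaxed, s = strict
    aspf: str = "r"             # SPF alignment:  r = relaxed, s = strict
    pct: int = 100              # share of failing mail the policy applies to


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption of
    this example; real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts any sub-domain
    of the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain: str, policy: DmarcPolicy,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   is_subdomain: bool = False, roll: int = 100) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is
    the d= tag of the signature that verified (None if none did). roll (1..100)
    stands in for the random draw receivers use to honour pct: a roll above
    pct downgrades the policy one step, as RFC 7489 specifies.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough: deliver normally

    applied = policy.sp if (is_subdomain and policy.sp) else policy.p
    if roll > policy.pct:
        applied = {"reject": "quarantine", "quarantine": "none", "none": "none"}[applied]
    return "fail", applied


if __name__ == "__main__":
    policy = DmarcPolicy(p="reject", sp="none")
    # Legitimate mail sent through an e-mail service provider: SPF passes for
    # the provider's bounce domain (not aligned), but DKIM is signed with d=example.com.
    print(dmarc_evaluate("example.com", policy,
                         "pass", "bounces.esp.example.net", "pass", "example.com"))
    # Spoofed From: header: SPF passes for the attacker's own domain, no DKIM.
    print(dmarc_evaluate("example.com", policy,
                         "pass", "attacker.example", "none", None))
```

The first case shows why DKIM alignment matters when a third party sends on your behalf: SPF alone would not align, and the message would be rejected under p=reject.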

How to implement DMARC?

As you can see, since DMARC builds on SPF and DKIM, you first need to deploy these two protocols.

Next, publish a DNS TXT record at _dmarc.yourdomain (for example _dmarc.example.org). The record must contain the following two tags:

  • v: the protocol version. The record must begin with "v=DMARC1;",
  • p: the policy, chosen from the three described above:
    • "none",
    • "quarantine",
    • "reject".

In addition, there are some non-mandatory elements, which you may or may not choose to enter:

  • pct: the percentage of failing messages to which the policy is applied (default 100); the remainder receive the next-weaker policy, which lets you ramp up gradually,
  • adkim: alignment mode for DKIM, i.e. how closely the signature's d= domain must match the From: domain:
    • "s" for strict (exact match),
    • "r" for relaxed (same organizational domain, sub-domains allowed; the default),
  • aspf: alignment mode for SPF, applied to the MAIL FROM domain in the same way:
    • "s" for strict,
    • "r" for relaxed (the default),
  • sp: the policy applicable to sub-domains of your domain ("none", "quarantine" or "reject"). If you don't specify it, the policy in p also applies to sub-domains,
  • ruf: the e-mail address (as a mailto: URI) to receive failure reports about individual messages; note that many receivers do not send them,
  • fo: the conditions under which failure reports are generated:
    • "0" when both DKIM and SPF fail (the default),
    • "1" when either DKIM or SPF fails,
    • "d" on DKIM failure,
    • "s" on SPF failure,
  • rua: the e-mail address (as a mailto: URI) that will receive aggregate reports, which receivers typically send once a day.

💡 To see concretely what a record can look like, here's an example provided by Wikipedia:

v=DMARC1;pct=42;adkim=s;aspf=s;p=quarantine;sp=none;ruf=mailto:forensik@example.org;fo=1;rua=mailto:postmaster@example.org!50m

Read tag by tag: quarantine 42% of the messages that fail (the rest are handled as "none"), apply no policy to sub-domains, require strict DKIM and SPF alignment, send failure reports to forensik@example.org whenever either SPF or DKIM fails, and send aggregate reports to postmaster@example.org, accepting reports of up to 50 MB (the "!50m" suffix).
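As an added example (not from the article or from Wikipedia), here is a Python parser that turns a DMARC TXT record into its tags, enforces the rules above (v=DMARC1 first, p mandatory and one of the three policies, valid values for the optional tags, mailto: URIs in rua and ruf) and fills in the defaults. It is run on the Wikipedia record quoted above; the tag defaults for rf and ri are those of RFC 7489.

```python
POLICIES = ("none", "quarantine", "reject")
# Defaults from RFC 7489 for tags that may be omitted.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}


def dmarc_record_name(domain: str) -> str:
    """DNS name at which receivers look up the record: _dmarc.<domain>."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def _parse_report_uris(value: str):
    """rua/ruf hold comma-separated mailto: URIs, each with an optional
    '!size' suffix (e.g. !50m) capping the report size the owner accepts."""
    uris = []
    for item in value.split(","):
        uri, _, limit = item.strip().partition("!")
        if not uri.startswith("mailto:"):
            raise ValueError(f"report URI must be a mailto: address, got {uri!r}")
        uris.append((uri, limit or None))
    return uris


def parse_dmarc_record(txt: str) -> dict:
    """Parse and validate a DMARC TXT record; raise ValueError on bad input."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[name.strip().lower()] = value.strip()

    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p is mandatory and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", DEFAULTS["pct"])
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo accepts only 0, 1, d and s (colon-separated)")

    result = {**DEFAULTS, **tags}
    result["pct"] = int(result["pct"])
    result["sp"] = tags.get("sp", tags["p"])  # sub-domains inherit p when sp is absent
    for tag in ("rua", "ruf"):
        if tag in tags:
            result[tag] = _parse_report_uris(tags[tag])
    return result


# The Wikipedia record quoted above, used as sample input.
WIKIPEDIA_RECORD = ("v=DMARC1;pct=42;adkim=s;aspf=s;p=quarantine;sp=none;"
                    "ruf=mailto:forensik@example.org;fo=1;"
                    "rua=mailto:postmaster@example.org!50m")

if __name__ == "__main__":
    print("lookup:", dmarc_record_name("example.org"))
    for tag, value in parse_dmarc_record(WIKIPEDIA_RECORD).items():
        print(f"{tag:>6} = {value}")
```

Running the same parser over the record you are about to publish catches the two mistakes that silently disable DMARC at every receiver: a missing p tag and a version tag that is not first.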

Please note, however, that successfully implementing a DMARC policy can be complex. Good management involves more than configuring DNS: the aggregate reports arrive as XML files that must be collected and analysed so that every legitimate sending source is identified and aligned before you move from "none" to "quarantine" or "reject". That's why software such as Merox is available. Merox supports you in deploying and updating your DMARC policy by simplifying:

  • configuration,
  • report collection,
  • report aggregation,
  • data visualization.

This not only ensures solid protection of your domains, but also supports the success of your marketing campaigns through a better e-mail deliverability rate.

Article translated from French