Understanding How DMARC Enhances Email Security Through Authentication and Reporting
Overview
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on two other email standards, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). DMARC adds a reporting mechanism, allowing domain owners to protect their domain from unauthorized use (email spoofing) and to receive feedback about authentication results from email receivers.
Key Functions of DMARC:
- Authentication: Validates that both SPF and DKIM are configured correctly and that their alignment is consistent with the "From" domain.
- Reporting: Provides domain owners with visibility into emails sent on their behalf, helping to detect misuse or attacks.
- Policy Enforcement: Enables domain owners to specify what to do with unauthenticated emails (none, quarantine, or reject).
DMARC Workflow
- Receiving System Queries DNS for DMARC Record:
- When an email is received, the mail server first queries the domain's DNS for the DMARC
TXTrecord to check whether the domain has an active DMARC policy.
- When an email is received, the mail server first queries the domain's DNS for the DMARC
- SPF and DKIM Validation:
- If a DMARC policy is found, the receiver evaluates the SPF and DKIM records:
- SPF verifies that the sending server's IP address is authorized to send emails on behalf of the domain.
- DKIM checks if the message has a valid digital signature and whether that signature aligns with the domain in the email header.
- If a DMARC policy is found, the receiver evaluates the SPF and DKIM records:
- Alignment Check (RFC5321.From and RFC5322.From):
- DMARC ensures that the RFC5321.MailFrom (Envelope From) and RFC5322.From (Header From) fields are aligned or match.
- The RFC5321.MailFrom is used during the email transport phase, while the RFC5322.From is the address displayed to the recipient in the email client.
- DMARC Alignment means that either SPF or DKIM has validated and the domain in those records matches the "From" address domain seen by the recipient.
- Policy Enforcement:
- At least one of the SPF or DKIM checks must pass for DMARC to validate successfully.
- If both checks fail, the DMARC policy (
ptag) determines how the receiving system handles the message.
DMARC DNS Record Details
The DMARC record is a TXT record in DNS under the subdomain _dmarc. The basic structure of a DMARC record includes mandatory tags and optional tags, each serving a specific function.
Name
_dmarc.[domain].[topdomain]
Example Value
v=DMARC1; p=reject; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected]; rf=afrf; pct=100
Mandatory Tags
| Tag | Description |
|---|---|
| v | Specifies the version of DMARC. This is always v=DMARC1. |
| p | Defines the policy for handling messages that fail DMARC checks. Possible values include: p=none: No action; monitoring only. p=quarantine: Treat mail that fails as suspicious (e.g., move to spam). p=reject: Reject mail that fails DMARC checks during the SMTP transaction. |
Optional Tags
| Tag | Description |
|---|---|
| sp | Subdomain Policy: Specifies the policy for subdomains. This is often used when subdomains follow a different policy from the top-level domain. If not set, subdomains inherit the policy from the p tag. Example: sp=reject to reject emails from subdomains that fail DMARC. |
| rua | Aggregate Reports (RUA): Specifies the address where aggregate reports (summary of authentication results) should be sent. The format is mailto:[email protected]. Aggregate reports give insights into how often mail is passing/failing DMARC. |
| ruf | Forensic Reports (RUF): Specifies the address where forensic (detailed) failure reports should be sent. These reports are more detailed and sent when individual emails fail authentication. Format: mailto:[email protected]. |
| adkim | DKIM Alignment Mode: Specifies how strict or relaxed the DKIM alignment should be. adkim=r: Relaxed (default). The domain in the DKIM signature can be a subdomain of the "From" domain. adkim=s: Strict. The DKIM signature domain must exactly match the "From" domain. |
| aspf | SPF Alignment Mode: Similar to DKIM alignment, this dictates how closely the SPF domain must align with the "From" domain. aspf=r: Relaxed (default). Subdomains are allowed to pass alignment. aspf=s: Strict. The domain in the SPF must match exactly with the "From" domain. |
| rf | Report Format: Specifies the format for failure reports. The default is afrf (Authentication Failure Reporting Format). This is the standard format used for DMARC reports. |
| ri | Report Interval: Specifies the interval (in seconds) between aggregate reports. The default is 86,400 seconds (24 hours). Receivers may send reports more frequently based on their settings, but this is only a guideline. |
| pct | Percentage: Specifies the percentage of messages to which the DMARC policy is applied. For instance, setting pct=50 applies the policy to only half of the emails. This allows gradual implementation. |
| fo | Failure Reporting Options: Determines the conditions under which failure reports are sent. Possible values include: fo=0: Default. Send reports if both DKIM and SPF fail. fo=1: Send a report if either DKIM or SPF fails. fo=d: Send a report if DKIM fails, regardless of alignment. fo=s: Send a report if SPF fails, regardless of alignment. |
Additional Details
DMARC Aggregate Reports
Aggregate reports provide information about how email flows are being authenticated, showing which emails passed or failed SPF, DKIM, and DMARC checks. These reports help domain owners monitor misuse, such as spoofing attempts. They are sent in XML format and include details like the volume of email from a specific sender and the authentication results.
DMARC Forensic Reports
Forensic reports, on the other hand, are more granular and focus on specific failed messages. These reports can include headers of failed emails and give domain owners insight into why specific messages are not passing authentication. However, forensic reports may pose privacy concerns since they contain more detailed information about individual emails.
DMARC Policy Gradual Implementation (pct)
The pct tag allows domain owners to gradually roll out their DMARC policies. For instance, starting with pct=10 applies the policy to only 10% of the domain's emails. This method is beneficial for organizations that want to monitor the effect of their DMARC policy without potentially impacting a large volume of legitimate mail.
SPF & DKIM Alignment Explained
- SPF Alignment: For DMARC to pass, the domain in the
Return-Path(envelope sender) used for SPF must match the domain in theFromheader. If relaxed alignment is used, subdomains are allowed to pass. - DKIM Alignment: The domain used in the DKIM signature (
d=tag) must match the domain in theFromheader. With strict alignment, the match must be exact, but with relaxed alignment, subdomains are allowed.
DMARC Failures and Considerations
When DMARC fails (meaning neither SPF nor DKIM align and pass), the recipient's mail server consults the DMARC p= policy (none, quarantine, or reject) to determine how to handle the message. Quarantine typically sends it to spam, and reject results in outright blocking.