- DMARC is a mechanism that lets organizations enforce that their emails are delivered to recipients only if they’re properly authenticated.
- A common misconception is that SPF and DKIM are enough to prevent spoofing attacks, but they’re not.
- DMARC ensures that SPF and DKIM identifiers are aligned with your domain, thus preventing attacks. DMARC also allows to define a policy to apply on failure and supports the generation of reports.
- DMARCwise helps you monitor and identify email authentication issues, with a powerful dashboard to browse DMARC reports, unlimited email diagnoses, weekly email digests, and more.
DMARC is a mechanism that lets organizations express that they want their email delivered to recipients only if the messages are properly authenticated.
Electronic mail is in fact unauthenticated by design: anyone can spin up an SMTP server (the software that is responsible for sending emails behind the scenes) and send email from any domain.
In SMTP there’s no built-in mechanism to verify the identity of who’s sending an email, so anyone can send a message pretending to be someone else. This can be prevented by setting up email authentication (SPF and DKIM) and, most importantly, DMARC.
Overall, there are two reasons why you would want to setup DMARC:
- Prevent email spoofing, i.e. unauthorized people sending emails from your domain. This is especially important to ensure that your users aren’t tricked into phishing campaigns. It also helps preserve the email sending reputation of your domain and avoid ending up in the spam folder.
- Comply with email providers requirements: in 2024, Google and Yahoo started requiring DMARC on incoming mail from high-volume senders. If you send email to Gmail or Google Workspace addresses, you may be affected by this. Even if you aren’t, this is likely just Google’s and Yahoo’s first step in a path to enforce DMARC checks on all incoming email, and organizations must prepare in advance.
So how do you comply?
Everything starts with setting up SPF and DKIM, which are the two authentication mechanisms on which DMARC relies. Both of these are relatively recent (SPF as we currently know it was formalized in 2014, DKIM in 2011) but are essential to achieve DMARC compliance.
In extreme summary, this is what SPF and DKIM do:
- SPF checks whether the sending domain explicitly authorizes the sending SMTP server to send email for that domain. If it doesn’t, it means that someone is using an unauthorized SMTP server to spoof the domain. There’s a catch though, as we will see in a moment.
- DKIM provides a mechanism to digitally sign and verify the contents of an email message. It ensures that the integrity of a message is preserved (i.e. it wasn’t modified while being transmitted through the network) but also serves as an authentication mechanism: if a DKIM signature, which is tied to a domain, is valid, we know that only the domain owner could have created that signature (unless something very bad happened).
A very common misconception is that SPF and DKIM are enough to prevent spoofing: after all, if you ensure that the sending server is authorized to send from your domain, and in addition to that you also have a valid cryptographic signature that only the domain owner can generate, you have just proven that an email message is legitimate.
Unfortunately, it’s not exactly like that: SPF and DKIM alone do not prevent spoofing, unless DMARC is also configured.
SPF and DKIM aren’t enough
The reason why SPF and DKIM alone do nothing to prevent spoofing is that when we reason about spoofing we think about the From
address, while SPF and DKIM use different identifiers.
The From
address is the one that you see in your email inbox, the address that we commonly refer to as the email sender.
SPF and DKIM do not look at the From
address, at all! Here’s what they do instead:
- SPF is a mechanism that works at the SMTP level, since its purpose is to validate if a mail server is authorized. Therefore, it runs its checks not on the
From
address but on another address that is often calledEnvelope From
. This address is to be found outside the actual email message: it’s what SMTP servers use to communicate.- It’s trivial for an attacker to use a valid
Envelope From
they control, while spoofing theFrom
address, and SPF wouldn’t catch that!
- It’s trivial for an attacker to use a valid
- DKIM signatures have a similar issue: they are tied to a domain, but the signature domain has nothing to do with the
From
domain. It can really be anything.- It’s trivial for an attacker to generate a valid DKIM signature for a domain they control, but this would do nothing to prove that the
From
address is valid.
- It’s trivial for an attacker to generate a valid DKIM signature for a domain they control, but this would do nothing to prove that the
You might have grasped where we’re going: if we ensure that all these identifiers are aligned to the From
address, we can solve this misalignment issue and detect if an email is spoofed. That is indeed DMARC’s core. (Except it’s not that simple 😵💫.)
DMARC prevents spoofing
DMARC is the acronym for Domain-based Message Authentication, Reporting, and Conformance and was formalised in 2015.
It mainly does three things:
- DMARC provides an algorithm to verify alignment of authentication mechanisms. In practice:
- If SPF checks pass, it verifies that the
Envelope From
domain is aligned with theFrom
domain (with a level of strictness that you can decide). - For valid DKIM signatures, it checks that the DKIM signature domain is aligned with the
From
domain (you can apply different levels of strictness here too). - If at least one of these two alignment checks passes, DMARC says OK. Otherwise it fails and we say that the message is not DMARC compliant (or not DMARC aligned).
- Be careful you get this right (there’s lots of incorrect information on the web): you can get a successful DMARC result by achieving either SPF alignment or DKIM alignment. You can have both, but you don’t need both. This is an essential property that prevents “incorrect” failures when an email is forwarded by a server.
- If SPF checks pass, it verifies that the
- DMARC defines a DNS record format that can be used to specify the level of alignment strictness and the action that should be taken when DMARC alignment fails, i.e. the DMARC policy.
- The DMARC policy can be
none
(do nothing, accept the email message),quarantine
(move the email to spam) orreject
(refuse to deliver the email message). In practice, each email provider interprets the policy in its own way so you shouldn’t take this literally.
- The DMARC policy can be
- DMARC also provides a way to get visibility into DMARC checks and the actions taken by mail servers. This is where DMARC reporting comes into play: in the DMARC DNS record you can specify an inbox address that will receive XML reports from mail servers periodically.
Why you need DMARCwise
DMARCwise assists you in achieving DMARC compliance in multiple ways:
- We will provide you with a DMARC record to start monitoring your sending setup.
- We will process the aggregate DMARC reports, then organize and visualize them.
- We will provide you with a powerful dashboard that makes it easy to highlight potential authentication issues.
- You will be able to run unlimited email diagnoses: send us an email and we’ll check if your sending setup is properly configured, without waiting for DMARC reports.
- You will be able to see who’s sending from your domain without authorization.
- You will be able to identify and fix authentication issues on your legitimate sending sources.
- We will help you identify forwarded sources, so that you don’t confuse them with non-compliant sources.
- We will send you weekly email digests, so that you can keep an eye on your email delivery setup without having to visit the dashboard.
You can try DMARCwise for free, either with our free plan or with the 14-day trial for paid plans.