DMARC - Secure Your Domain
This article covers some basic DMARC information, including what it is and how it works, its benefits, and a brief overview of the steps involved to set it up. For assistance with setting up DMARC, we recommend you speak with your DNS provider's support or a third-party DMARC provider as DMARC is implemented at the domain level (your domain's DNS settings) rather than via the SMTP2GO platform.
What is DMARC and how does it work?
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security standard that builds on SPF and DKIM. On their own, SPF and DKIM authenticate domains a recipient never sees (the envelope sender and the DKIM signing domain); DMARC ties those results to the domain in the visible From header and lets the domain owner say what should happen when they do not match. Its purpose is to stop a domain being used by unknown or untrusted sources, such as cybercriminals attempting phishing or spoofing attacks.
DMARC allows the domain owner to publish a policy that tells receiving servers how to handle mail that fails authentication. With DMARC in place, a receiving server runs the SPF and DKIM checks and then checks alignment: the domain that passed SPF (the envelope sender) or DKIM (the d= tag of the signature) must match the domain in the visible From header, either exactly or, in the default relaxed mode, at the organizational-domain level. A message passes DMARC if at least one of SPF or DKIM passes and is aligned; it does not need both. If neither produces an aligned pass, the message is treated as unauthenticated and the policy in the DMARC record (none, quarantine or reject) tells the receiver whether to deliver it anyway, place it in spam or refuse it outright.
The other main feature of DMARC is reporting. Participating receivers send the domain owner aggregate reports covering all mail that claimed to come from the domain, passing and failing alike, and optionally failure reports for individual messages. This shows the domain owner exactly who is sending on behalf of the domain, so legitimate services can be authorized and everything else acted on.
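The evaluation described above, written out as an added example (this is illustrative code, not part of the SMTP2GO platform or the article). It assumes a simplified organizational-domain rule (last two DNS labels; real receivers use the Public Suffix List) and takes the pct sampling roll as a parameter so the result is deterministic:

```python
"""DMARC evaluation as a receiver performs it: identifier alignment, the
"SPF or DKIM" rule, and the disposition the published policy implies.

Added example (not SMTP2GO code). Assumptions: the organizational domain is
approximated as the last two DNS labels, and the pct sampling roll is passed
in rather than drawn at random so the outcome is reproducible.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels.
    Assumption for the example only; 'example.co.uk' would be wrong here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact match),
    'r' = relaxed (same organizational domain)."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str     # domain in the visible From header
    spf_result: str      # SPF result for the envelope sender: "pass", "fail", "none", ...
    spf_domain: str      # envelope-sender domain that SPF was checked against
    dkim: list = field(default_factory=list)  # [(result, d= domain of each signature), ...]


def dmarc_result(r: AuthResults, policy: dict) -> dict:
    """DMARC passes if at least one of SPF or DKIM passes AND aligns with the From domain."""
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(r.from_domain, d, adkim) for res, d in r.dkim)
    return {"spf": spf_aligned, "dkim": dkim_aligned,
            "result": "pass" if (spf_aligned or dkim_aligned) else "fail"}


def disposition(from_domain: str, policy_domain: str, policy: dict,
                result: str, roll: int = 0) -> str:
    """What the receiver does with the message given the DMARC result.
    roll is 0-99 and is compared against pct= to model sampling."""
    if result == "pass":
        return "none"
    fd, pd = from_domain.lower(), policy_domain.lower()
    is_subdomain = fd != pd and fd.endswith("." + pd)
    # sp= applies to subdomains of the policy domain; otherwise p= applies.
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    pct = int(policy.get("pct", 100))
    if roll >= pct:
        # Not selected by pct: the policy steps down one level (reject -> quarantine -> none).
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return action


if __name__ == "__main__":
    # Constructed case: a third-party service authenticates only its own domain,
    # so raw SPF and DKIM both "pass" yet DMARC fails for the From domain.
    msg = AuthResults("example.com", "pass", "esp-provider.net", [("pass", "esp-provider.net")])
    pol = {"p": "reject"}
    verdict = dmarc_result(msg, pol)
    print(verdict, disposition(msg.from_domain, "example.com", pol, verdict["result"]))
```

The last case is the one that bites most domain owners at enforcement time: a service that passes SPF and DKIM for its own domain still fails DMARC for yours until it is set up to sign with your domain or send from a subdomain of it.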
A visual flow of the basic DMARC process:
The benefits of DMARC
- As a sender, publishing DMARC is the most effective way to stop others sending mail that uses your exact domain in the From header, the spoofing technique behind much phishing and business email compromise. Note that it does not cover look-alike domains (for example a registered misspelling of your domain), which need separate monitoring.
- DMARC provides domain owners with timely reports showing insights into email traffic from the domains which are failing authentication, thus allowing them to identify and investigate suspicious or unknown activity. It also helps to troubleshoot delivery issues and ensure your email communications are secure.
- All major mailbox providers (e.g. Gmail, Outlook, Yahoo, Apple Mail, and AOL) support DMARC. Implementing DMARC shows these providers that you’re a responsible and reputable sender they can trust which helps to increase deliverability (email landing in the inbox).
The risks of not implementing DMARC (or using it incorrectly)
- Spammers and phishers could send emails from your domain that appear to be from you. This can then potentially lead to recipients being tricked into clicking on malicious links, providing personal/confidential information or falling victim to a scam.
- If your domain is used for the above purposes, it can harm your brand's reputation and potentially result in lost customers, which in turn can make it difficult to gain new customers or it could lead to financial loss.
- If legitimate emails from your domain are not delivered due to failing authentication, it could result in missed communication or lost opportunities (e.g. sales).
How to set up DMARC when sending via SMTP2GO
Setting up DMARC involves three steps which include ensuring you have SPF and DKIM set up (this is the only part handled in the SMTP2GO platform), creating the record with your desired policies and finally adding the record to your domain's DNS settings. To check a domain for DMARC, you can use websites such as dmarcian, mxtoolbox or valimail.
1. Ensure SPF and DKIM are set up for the sending domain
To set up SPF and DKIM when sending via SMTP2GO, you will need to add the sending domain to the "Sending > Verified Senders > Sender domains" section of your SMTP2GO dashboard and ensure it is verified. We provide three CNAME records to add to the domain's DNS settings with the top two records taking care of SPF and DKIM, and the third record is for tracking and URL rewriting. Once the CNAME records have been added and the domain shows as verified, SPF and DKIM are now handled automatically by SMTP2GO when emailing via our service.
2. Create the DMARC record for the domain
Decide on the policies you want to implement and the different stages you want to go through, set up the addresses you'll use for reporting, and then create the DMARC record. There are a range of DMARC generation tools to help create the record and make it a simple process such as the one by EasyDMARC.
A DMARC record is built from tag-value pairs (11 are defined), only two of which are required on every record: "v" and "p".
- "v=DMARC1" specifies the version being used (there's only one version at this point in time).
- "p=" specifies the policy. This can be set to:
p=none: This informs mailbox providers to take no specific action on emails that fail authentication. They will most likely be delivered unless the message triggers the recipient's normal spam filtering.
p=quarantine: This informs mailbox providers to send emails that fail authentication to spam or junk folders. These messages may also be blocked.
p=reject: This is the strongest DMARC policy value. If a message fails DMARC when set to "reject" it will not be delivered.
Note: When implementing DMARC, it is recommended you start with the "p=none" policy. Mailbox providers will perform the checks and report failures but take no action on them, so you can monitor and analyze all activity for your domain. You can then identify every source that sends as your domain (support systems, marketing services, or others you may not be aware of) and make the changes needed so they are compliant with SPF and DKIM.
Major delivery issues could occur if you immediately begin with "p=quarantine" or "p=reject" as it may impact legitimate emailing from services you use if they've not been configured with SPF and DKIM.
DMARC is an ongoing process of regularly monitoring, analyzing and making updates. You should aim to move the policy to "p=quarantine" and finally to the end goal of "p=reject" once you understand all of your emailing activity.
DMARC tags and definitions:
Tag | Definition
--- | ---
v= | The DMARC version; must be DMARC1 and must be the first tag in the record.
p= | Policy for mail from the domain itself that fails DMARC: none, quarantine, or reject.
rua= | Comma-separated mailto: URIs that receive aggregate reports (covering all mail claiming the domain, pass and fail).
pct= | Percentage of failing messages the policy is applied to (default 100). Messages outside the sample get the next weaker policy (reject becomes quarantine, quarantine becomes none), which lets you ramp up enforcement gradually.
aspf= | SPF alignment mode: r (relaxed, the default) accepts an envelope-sender domain in the same organizational domain as the From domain; s (strict) requires an exact match.
adkim= | DKIM alignment mode for the d= domain of the signature; same r/s values as aspf, default r.
sp= | Policy for subdomains (e.g. news.yourdomain.com). If omitted, subdomains inherit p=.
ruf= | mailto: URIs for failure (forensic) reports, which carry per-message detail. Many large providers do not send these for privacy reasons, so do not rely on them.
fo= | When failure reports are generated: 0 (default) only if neither SPF nor DKIM produces an aligned pass, 1 if either one fails, d on any DKIM failure, s on any SPF failure.
rf= | Format of failure reports; afrf is the only defined value.
ri= | Requested interval between aggregate reports, in seconds (default 86400, one day). Most providers send daily regardless of this value.
Note: If you are using BIMI, the "p=" tag must be set to "quarantine" or "reject" (with "pct" left at 100), as BIMI does not support "none".
Example DMARC records:
Basic:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:abuse@yourdomain.com;
Strict:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:abuse@yourdomain.com; ri=86400;
3. Add the DMARC record to the domain's DNS
DMARC is set by adding a TXT record to the domain's DNS settings.
The TXT record's hostname is "_dmarc" (DNS names are case-insensitive, so "_DMARC" also works). Your hosting provider will typically append the domain or subdomain for you, giving "_dmarc.example.com"; otherwise you may need to enter the full name yourself.
The value you enter for the TXT record is the DMARC record you created/generated and will define the policies for recipient servers to adhere to. If you need assistance adding the record to your domain's DNS settings, we recommend you contact your DNS provider's support team.
Once your DMARC record has been added to your DNS and the update has propagated, you can check to ensure the record exists using services such as dmarcian, mxtoolbox or valimail.
An example check for smtp2go.com:
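As an added example covering steps 2 and 3 (illustrative code, not SMTP2GO's), the following parses a DMARC record, applies the defaults a receiver would assume, and flags the mistakes that most often stop a record from working before it is published. The "yourdomain.com" addresses come from the article's sample records; the external-domain check assumes the same two-label organizational-domain approximation:

```python
"""Parse and sanity-check a DMARC TXT record before publishing it.

Added example, not SMTP2GO code. The organizational domain is approximated
as the last two DNS labels (assumption; real tooling uses the Public Suffix List).
"""
from typing import Optional

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}


def record_name(domain: str) -> str:
    """Owner name of the TXT record: _dmarc.<domain>."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (insertion order kept)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags


def _org(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_dmarc(txt: str, domain: Optional[str] = None) -> list:
    """Return a list of problems; an empty list means the record looks publishable.
    domain (optional) is the domain the record will be published for."""
    problems = []
    tags = parse_dmarc(txt)
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for t in ("adkim", "aspf"):
        if tags.get(t, "r") not in {"r", "s"}:
            problems.append(f"{t}= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer 0-100")
    if not tags.get("ri", "86400").isdigit():
        problems.append("ri= must be an integer number of seconds")
    for t in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(t, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{t}= entries must be mailto: URIs, got {uri!r}")
                continue
            # Reports sent to another organization's domain are only accepted if that
            # domain publishes <your-domain>._report._dmarc.<report-domain> (RFC 7489 7.1).
            report_domain = uri.split("@", 1)[-1].split("!")[0]
            if domain and _org(report_domain) != _org(domain):
                problems.append(f"{t}= points at an external domain; it must publish "
                                f"{domain}._report._dmarc.{report_domain} to accept reports")
    unknown = set(tags) - KNOWN_TAGS
    if unknown:
        problems.append(f"unknown tags (receivers ignore them): {sorted(unknown)}")
    return problems


def effective_policy(txt: str) -> dict:
    """The record with RFC 7489 defaults filled in, as a receiver would see it."""
    eff = {**DEFAULTS, **parse_dmarc(txt)}
    eff.setdefault("sp", eff.get("p"))  # subdomains inherit p= when sp= is absent
    return eff


if __name__ == "__main__":
    rec = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:abuse@yourdomain.com;"
    print(record_name("yourdomain.com"), "TXT", rec)
    print("problems:", check_dmarc(rec, "yourdomain.com"))
    print("effective:", effective_policy(rec))
```

The external-domain check is the one most often missed when reports are routed to a DMARC vendor: without the authorization record on the vendor's side, receivers silently drop the reports and the domain owner sees nothing.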
DMARC Reporting
With DMARC set, mailbox providers that participate in DMARC will handle unauthorized emails from your domain according to your specified policy. Participating receivers also generate reports and send them to the addresses specified in the DMARC record, provided you have added the "rua" and/or "ruf" tags with email addresses (this is highly recommended). Aggregate reports cover all mail that used your domain in the From header, not only the messages that failed, so they are also how you confirm that your legitimate sources are passing.
There are two different types of DMARC reports: Aggregate ("rua" tag), which are daily XML summaries per sending source, and Forensic/Failure ("ruf" tag), which are per-message samples that not all providers send. These reports give you insight into sending from your domain, with detail including:
- Every source (by sending IP) that sent mail with your domain in the From header
- The SPF and DKIM results for each source, both the raw results and whether they aligned with your From domain
- How many emails each source sent over the reporting period (usually one day)
- The disposition applied: delivered (none), quarantined (if you used p=quarantine) or rejected (if you used p=reject)
- Per-message failure samples, if you use the ruf tag and the reporting provider supports it
DMARC reports can be difficult to read and interpret in raw XML format so it is recommended to use a third-party service that specializes in DMARC to receive, store, and analyze the reports for you into a useful format. A quick Google search will reveal a number of services that can assist with this.
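To show what is actually inside an aggregate report, here is an added example (not SMTP2GO code or a vendor tool) that parses one and summarizes it per sending source. The XML is constructed in the RFC 7489 Appendix C layout using documentation IP addresses and the article's "yourdomain.com" placeholder; it also shows a source that passes raw SPF for its own domain yet fails DMARC because nothing aligned:

```python
"""Summarize a DMARC aggregate (rua) report: which sources send as your domain,
how much, and which of them fail authentication.

Added example, not SMTP2GO code. SAMPLE_REPORT is constructed for this example
in the RFC 7489 Appendix C layout with documentation IP addresses. Real reports
arrive as gzip or zip email attachments; load_report() handles the gzip case.
"""
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>bounce.yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""
# Same report as it would arrive in an attachment (constructed here for the example).
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT.encode())


def load_report(data: bytes) -> ET.Element:
    """Accept raw XML or a gzip-compressed report body. Reports are untrusted
    input: stdlib ElementTree does not fetch external entities, but use
    defusedxml in production to also block entity-expansion bombs."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)


def summarize(data: bytes) -> dict:
    root = load_report(data)
    meta = root.find("report_metadata")
    pub = root.find("policy_published")
    sources = defaultdict(lambda: {"count": 0, "dispositions": defaultdict(int),
                                   "dmarc_fail": 0, "spf_domains": set(), "dkim_domains": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        n = int(row.findtext("count"))
        s = sources[row.findtext("source_ip")]
        s["count"] += n
        s["dispositions"][pe.findtext("disposition")] += n
        # policy_evaluated holds the ALIGNED results; DMARC fails only when neither passed.
        # The raw auth_results may still show "pass" for some other domain.
        if pe.findtext("dkim") != "pass" and pe.findtext("spf") != "pass":
            s["dmarc_fail"] += n
        for d in rec.iterfind("auth_results/dkim/domain"):
            s["dkim_domains"].add(d.text)
        for d in rec.iterfind("auth_results/spf/domain"):
            s["spf_domains"].add(d.text)
    return {
        "reporter": meta.findtext("org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "total": sum(s["count"] for s in sources.values()),
        "sources": dict(sources),
        "failing_sources": sorted(ip for ip, s in sources.items() if s["dmarc_fail"]),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT_GZ)
    print(summary["reporter"], summary["domain"], summary["policy"], summary["total"])
    for ip, s in summary["sources"].items():
        print(ip, s["count"], dict(s["dispositions"]), "fail:", s["dmarc_fail"],
              "spf:", sorted(s["spf_domains"]), "dkim:", sorted(s["dkim_domains"]))
```

The second source is the pattern to look for during the p=none phase: a sending IP you do not recognize, passing SPF for a domain that is not yours, with every message failing DMARC. Whether that is a forgotten third-party service or someone spoofing you is decided by the SPF/DKIM domains and the volume, which is exactly what the per-source summary surfaces.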
Do I need DMARC?
From February 1, 2024, onwards, Google and Yahoo require senders of more than 5,000 emails per day to their users to have a DMARC record (with at least a "p=none" policy), alongside SPF and DKIM authentication. If you are sending around that level or more, a DMARC record is now something you must have.
Below that volume DMARC is not mandatory, but when added correctly, rolled out in stages and monitored on an ongoing basis, it is a powerful tool to defend your domain against phishing and spoofing attacks and untrusted sending, and it helps to improve overall deliverability. Whether you are a large or small sender, cybercriminals are an increasing threat, so taking the available steps to make your email communication as secure as possible should be a priority, as should understanding all sending from your domain and where it comes from. If you send emails containing personal information, payment details, invoices and the like, DMARC is a must. Implemented carefully there is little downside (remember to start with "p=none" and tighten the policy over time as you monitor and analyze email delivery; the main risk is moving to enforcement before every legitimate source is authenticated), and although it may appear overwhelming, there is a range of helpful sites and services available to help secure your domain with ease.
Support
If you have specific questions or need assistance in regard to DMARC in conjunction with SMTP2GO, please reach out to our award-winning support team who can point you in the right direction. Typically, your best port of call will be your DNS provider's support or a third-party DMARC provider, as DMARC is not set up via SMTP2GO directly.