Now that two major ESPs have announced their DMARC (Domain-based Message Authentication, Reporting and Conformance) policy changes back to back, many people are still wondering “What is DMARC?” and “How is it going to help in restricting spoofing?”. We have received various queries from our readers about DMARC, so in this post we discuss DMARC and how it works.
The openness of SMTP, which was initially introduced to help make email infrastructure stronger, has become its weak point by allowing spoofing and making it universal. So major ESPs and criminal justice authorities have united to combat this by creating standards that will reduce the risk and control the damage done to the email channel as a reliable means of communication.
To take care of this problem, senders and ISPs need to share information about how they want to handle emails that are flagged by SPF (reject, quarantine or deliver). Basically, DMARC helps ISPs use DKIM and SPF to:
- Identify and separate legitimate email from fraudulent email.
- Act on what they have found.
- Monitor and send reports to senders about the effectiveness of their email authentication efforts. This also gives the original senders feedback about whether their brand is being abused.
- Increase the percentage of authenticated emails.
DMARC was developed by a group of organizations consisting of AOL, Comcast, Gmail, Netease, Outlook.com and Hotmail, Yahoo! Mail, Mail.ru, XS4ALL, American Greetings, Bank of America, Facebook, Fidelity Investments, LinkedIn, PayPal, JPMorganChase, Twitter, Agari, Cloudmark, Return Path, Trusted Domain Project and Symantec.
How it works
The sender has to add a new type of text resource record to its DNS. This record specifies the sender’s email authentication policies, which also include:
- What the ISP should do with non-authenticated emails (reject, monitor or quarantine).
- Whether the matching of the domain name and the sender name under SPF or DKIM should be handled in a relaxed way or strictly.
- An optional ‘percent’ tag that specifies the maximum percentage of emails from the domain to which the policy should be applied. It allows senders to test and monitor the results of applying the policy.
- Sender’s URI or URIs to which the ISPs can send the aggregated data, so that the sender can monitor and improve their email authentication deployment.
Usually a sender starts by setting a policy of ‘monitor’ so that they can appraise the performance of their email infrastructure. When they are assured that their email stream is authenticated, they can change their policy to ‘quarantine’ (sending emails to the recipient’s junk folder) or to ‘reject’ (blocking all flagged and unauthenticated emails). The main aim of a sender who implements DMARC is to monitor their results and eventually authenticate their entire email stream.
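The record settings listed above, read back from a published record and checked the way a sender might audit its own DNS. This is an added example, not code from the original post: the sample record and the example.com/example.net names are constructed, and the ‘monitor’ policy appears in the record as p=none. The relaxed comparison uses a last-two-labels shortcut that is a simplifying assumption.

```python
# Added example: parse a DMARC TXT record (published at _dmarc.<domain>).
# SAMPLE and all example.com / example.net names are constructed values.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "rua": ""}
POLICIES = {"none", "quarantine", "reject"}  # "none" = monitor only

SAMPLE = ("v=DMARC1; p=none; adkim=s; pct=25; "
          "rua=mailto:dmarc@example.com,mailto:agg@example.net")


def parse_dmarc(txt):
    """Return the record's settings as a dict; raise ValueError if unusable."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {**DEFAULTS, **dict(pairs)}
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or unknown policy (p=)")
    for mode in ("adkim", "aspf"):
        if tags[mode] not in ("r", "s"):
            raise ValueError(f"{mode} must be 'r' (relaxed) or 's' (strict)")
    if not tags["pct"].isdecimal() or int(tags["pct"]) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(tags["pct"])
    tags["rua"] = [u.strip() for u in tags["rua"].split(",") if u.strip()]
    return tags


def aligned(from_domain, auth_domain, mode):
    """Compare the From domain with the SPF or DKIM authenticated domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a  # strict: exact match only
    # Relaxed: same organizational domain. Simplifying assumption: that is the
    # last two labels; real receivers consult the Public Suffix List instead.
    return f.split(".")[-2:] == a.split(".")[-2:]


if __name__ == "__main__":
    record = parse_dmarc(SAMPLE)
    print(record)
    print(aligned("example.com", "bounce.mail.example.com", record["aspf"]))
```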
As effective as DMARC is at helping defend your brand, it’s worth noting that it does not fix all aspects of email misuse. For example, it does not deal with the problem of “sister domains”, where scammers register a domain that looks just like yours. And it does not deal with manipulation of the “From” field.
But the positive effect is tremendous, and the technology used is simple (DNS records and XML reports) and easy to apply if you already have SPF and DKIM in place. One precaution: DMARC requires that the domain used in the “From” field of your emails aligns with the address used in your return path (the envelope). Even if you are using SPF and DKIM already, you may need to modify your DNS settings for DMARC.