What Is DMARC?
Domain-based Message Authentication, Reporting & Conformance, or DMARC, is a protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message. It makes it easier for Internet Service Providers (ISPs) to prevent malicious email practices, such as domain spoofing used to phish recipients’ personal information.
Essentially, it allows email senders to specify how receivers should handle emails that were not authenticated using SPF or DKIM. Senders can opt to have those emails sent to the junk folder or blocked altogether. By doing so, ISPs can better identify spammers and prevent malicious emails from invading consumer inboxes while minimizing false positives and providing better authentication reporting for greater transparency in the marketplace.
It is based upon the results of SPF and/or DKIM, so at least one of those has to be in place for the email domain. To deploy, you need to publish a DMARC record in the DNS.
The record is a text (TXT) entry in the DNS that tells the world your email domain’s policy after checking SPF and DKIM status. A message authenticates if SPF, DKIM, or both pass for a domain that matches the domain in the From address. This matching is referred to as DMARC alignment or identifier alignment. Because of identifier alignment, it is possible that SPF and DKIM pass, but DMARC fails.
The record also tells email servers to send XML reports back to the reporting email address listed in the record itself. These reports provide insight into how your email is moving through the ecosystem and allow you to identify everything that is using your email domain.
Because reports are written in XML, making sense of them can be tricky, and they can be numerous. A DMARC reporting platform can receive these reports and visualize how your email domains are being used, so you can take action and move your DMARC policy towards p=reject.
Reasons To Implement DMARC
- Reputation: Publishing a record protects your brand by preventing unauthenticated parties from sending mail from your domain. In some cases, simply publishing a record can result in a positive reputation bump.
- Visibility: DMARC reports increase visibility into your email program by letting you know who is sending emails from your domain.
- Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem as a whole become more secure and more trustworthy.
DMARC Deployment Steps
DMARC lets a sender specify what receivers should do with invalid emails that claim to come from the sender. Deploy slowly: it’s strongly recommended to ramp up DMARC use gradually by employing these policies in this order. First, with the policy set to “none”, monitor your traffic and look for anomalies in the reports, such as messages that are not yet being signed or are perhaps being spoofed.
Then, when you’re comfortable with the results, change the TXT record policy setting from “none” to “quarantine”.
Once again, review the results, this time in both your spam catch and in the daily DMARC reports.
Finally, once you’re sure all of your messages are signed, change the policy setting to “reject” to make full use of DMARC.
Revisit reports to ensure your results are acceptable. Similarly, the optional pct tag can be used to stage and sample your DMARC deployment. Since 100% is the default, passing “pct=20” in your DMARC TXT record results in one-fifth of all messages affected by the policy receiving the disposition instead of all of them.
This setting is especially useful once you elect to quarantine and reject mail. Start with a low percentage and increase it every few days.
So, a conservative deployment cycle would resemble:
- Monitor all.
- Quarantine 1%.
- Quarantine 5%.
- Quarantine 10%.
- Quarantine 25%.
- Quarantine 50%.
- Quarantine all.
- Reject 1%.
- Reject 5%.
- Reject 10%.
- Reject 25%.
- Reject 50%.
- Reject all.
Attempt to remove the percentages as quickly as possible to complete the deployment. As always, review your daily reports.
Further reading: https://governmenttechnology.blog.gov.uk/2016/10/04/why-you-should-be-doing-dmarc/