How can you ensure that your emails are authenticated using DMARC?
The DMARC (Domain-based Message Authentication) security protocol, applied when sending emails, is of increasing interest to businesses. And with good reason: not only does it protect recipients from fraudulent and malicious e-mails, it also helps to improve the reputation of senders, a guarantee of a better e-mail deliverability rate.
But while security standards such as DKIM and SPF have already been adopted by many organisations, how does DMARC stand out? What are its advantages?
To understand the benefits of Domain-based Message Authentication, let's look at its definition, how it works and how it is implemented.
DMARC: definition
What is DMARC?
DMARC is a technical specification created by a group of founding contributors (Gmail, Hotmail, AOL, etc.).
The aim of this standard is to alleviate the security problems associated with email authentication, in particular by detecting misuse of the sender's domain name.
What is it used for?
In the mailing world, identity theft has unfortunately become common practice. We have all been confronted with this type of malicious e-mail. For fraudsters, the practice consists of falsifying a company's domain and the emails it sends out, to make the recipient believe that they come from a familiar and/or legitimate sender. The aim? To trick victims into installing malicious software, or handing over confidential information such as bank details.
The aim of DMARC is to combat these practices by checking that the sender is trustworthy. In short, this technical specification is an excellent way of combating spam and other phishing attempts.
The stakes are twofold for businesses:
- prevent malicious individuals from usurping their identity;
- increase their e-mail deliverability rate. Thanks to DMARC, organisations are able to show a "clean bill of health" to their recipients' mail servers. In this way, they avoid ending up on blacklists (because their domain was appropriated by someone else) and therefore seeing their emails rejected or relegated to junk mail.
How does DMARC work?
The DKIM and SPF protocols
DMARC relies on two other security protocols:
DKIM (DomainKeys Identified Mail)
With DKIM, the recipient can be sure that mail from a particular domain has been approved by that domain.
This standard is based on a cryptographic signature. Once this has been applied, it guarantees that the message sent has not been altered.
At the destination, the integrity of the email can then be checked by matching:
- the private key used to sign the message,
- and the public key published in the DNS (Domain Name System) record.
SPF (Sender Policy Framework)
The SPF protocol allows companies and organisations to specify who has the right to send emails using their domain name.
They then register the IP addresses they approve (such as the IP addresses of their emailing service provider) in their DNS.
SPF is therefore an excellent way of verifying the authenticity of the sender, by identifying fraudulent emails that usurp "from" addresses and domain names.
The limitations of the DKIM and SPF protocols
However, the use of the DKIM and SPF protocols alone has revealed a number of limitations. They require the recipient MTA (Mail Transfer Agent) to be fully aware of the measures to be taken in the event of failed authentication. What's more, the sender lacks visibility of the actions taken.
This is where DMARC comes into its own: the sender sets out in advance the measures to be taken by the recipient MTA, i.e. how it should react if the DKIM and SPF checks fail.
The DMARC process
The role of the DMARC configuration is to ensure that mail sent complies with at least one of the following two protocols:
- SPF authentication and alignment,
- DKIM authentication and alignment.
To do this, the domain name owner informs the mail servers that DKIM and SPF techniques have been implemented. When the email arrives on the server, the server checks that authentication has been successful using at least one of these two techniques.
DMARC will only take action if neither of the above two checks has been satisfied, as the email in question is then considered suspicious. In this case, the action taken will depend on the security rules chosen upstream by the domain owner. There are three different types of policy:
- DMARC policy none: here, the email is still delivered to the recipient. At the same time, a DMARC report is sent to the domain owner to indicate its status and inform them of the lack of alignment.
- DMARC policy quarantine: the email concerned is placed in "quarantine", in a specific folder. It can be processed later.
- DMARC policy reject: the email is rejected, i.e. it is not forwarded to the recipient.
DMARC is therefore the preferred authentication policy solution, since the sender tells the recipient what to do if it suspects something. It leaves no room for doubt.
In addition, thanks to its quarantine and rejection capabilities, the protocol prevents any exposure to dangerous messages.
How do you implement DMARC?
As you can see, since the DMARC policy is based on SPF and DKIM, you first need to implement these two protocols.
Next, you need to publish a TXT record in your domain's DNS to set the tag. The tag must contain the following two elements:
- v: this is the protocol version. The record must begin with "v=DMARC1;",
- p: this letter corresponds to the security rule selected from the three described above:
- "none",
- "quarantine",
- "reject".
In addition, there are some non-mandatory elements, which you may or may not choose to enter:
- pct: the percentage of filtered messages,
- adkim: alignment with the DKIM protocol:
- "s" for strict,
- "r" for relaxed,
- aspf: alignment with the SPF protocol:
- "s" for strict,
- "r" for relaxed,
- sp: the procedure applicable to sub-domains of your domain ("none", "quarantine" and "reject"). If you don't specify this, the value of "p" will be applied by default,
- ruf: the email address that will receive the report in the event of failure,
- fo: the conditions for sending the report:
- "1" for DKIM and/or SPF failure,
- "d" for DKIM failure,
- "s" for SPF failure,
- "0" for a report only when both DKIM and SPF fail (the default),
- rua: the email address that will receive the aggregated reports.
💡 To see concretely what a tag parameter can look like, here is an example provided by Wikipedia:
v=DMARC1;pct=42;adkim=s;aspf=s;p=quarantine;sp=none;ruf=mailto:forensik@example.org;fo=1;rua=mailto:postmaster@example.org!50m
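As an added illustration (not code from the original article or from any vendor), the following Python script parses a DMARC record in the format just described and applies the evaluation described in "The DMARC process": the mail passes if SPF or DKIM both authenticates and aligns with the From domain, otherwise the p (or sp, for sub-domains) policy applies. It assumes SPF and DKIM have already been evaluated elsewhere, approximates the organisational domain as the last two labels, and ignores pct.

```python
# Constructed sample records: the page's Wikipedia example and a simpler one for the checks below.
PAGE_RECORD = ("v=DMARC1;pct=42;adkim=s;aspf=s;p=quarantine;sp=none;"
               "ruf=mailto:forensik@example.org;fo=1;rua=mailto:postmaster@example.org!50m")
SAMPLE_RECORD = "v=DMARC1;p=reject;adkim=r;aspf=s;sp=none;rua=mailto:postmaster@example.org"

# Defaults that apply when an optional tag is absent.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; v must come first and p must be valid."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        raise ValueError("a DMARC record must begin with v=DMARC1;")
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be one of none, quarantine, reject")
    return {**DEFAULTS, **tags}


def org_domain(domain):
    """Simplified organisational domain (last two labels); real validators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, record_domain, from_domain,
                      spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return ("pass", None) or ("fail", <policy to apply>) for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", None)
    # A sub-domain of the record's domain falls under sp when it is set, else under p.
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)
```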
However, it should be noted that the successful implementation of your DMARC policy can be complex. Good management involves more than simply configuring your DNS. That's why software such as Merox exists. Merox supports you in deploying and updating your DMARC protocol by simplifying:
- configuration
- report collection
- report aggregation
- data visualisation.
So you can be sure of optimum protection for your domains, as well as the success of your marketing campaigns thanks to an optimal email deliverability rate!