Explain the DMARC, Hold the Jargon

How does it work? Should I use it?

There have been some big changes at gmail.com, yahoo.com, and aol.com recently regarding their DMARC policies, and this has affected some email marketers. Interest in DMARC has also been growing. You may have been wondering, other than a five-letter acronym, “what is this DMARC thing?”

What is DMARC?

First, the obligatory: DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.” That’s a mouth full!

DMARC is used to prevent email Phishing. This is when a bad actor sends an email impersonating another domain name, typically to steal personal information such as passwords. For example, before DMARC, there was a lot of email claiming to be from “paypal.com” trying to steal the passwords and money from real PayPal users.

To explain DMARC, we have to start with email authentication.

Email authentication allows the receiver of an email to “know for sure” that an email message is really from whom it says it is from. As crazy as it sounds, the underlying email protocols allow anyone to send an email with any From address. (Just as anyone can write any return address on a physical envelope.) It’s up to receiving and spam filtering systems to determine if the From address is forged or not, and DMARC helps them to do that.

DMARC lets a domain name publish a “policy” on how it sends email. This policy might, in a very rough first-person translation, be something like this: “All valid email from me is authenticated in this particular way. Any email claiming to be from me that doesn’t follow these standards, you can throw it away — because it’s not from me.”

DMARC builds on top of SPF and DKIM, the two most common email authentication methods, to accomplish all of this.

So how does DMARC work?

DMARC does three specific things:

(1) DMARC provides a way to tell if the From address of an email message is “proved authentic” by the DKIM and SPF authentication results

The problem DMARC solves is that DKIM and SPF prove that particular domain names sent the email, but these domain names are often “under the hood” technical details of the email and don’t always don’t match up with the domain name that the user sees: the domain name in the From address of the message.

DMARC defines how these “under the hood” domain names must match up (or align) with the domain name in the From address. When they match appropriately, the email is called “DMARC-aligned.”

The “DMARC-alignment” can be strict, which requires an exact match.

Or a domain name can say in its “DMARC policy” that “relaxed” alignment is allowed, which looks like this: the “under the hood” domain name can be “server1234.whatever.paypal.com” which, because this is a sub-domain of “paypal.com,” is “aligned” with a domain name in the From address of “paypal.com”.

When an email message is not aligned, it is called “unaligned.”

(2) DMARC provides a way to tell receivers and spam filters what to do with mail that is
not DMARC-aligned

The “DMARC policy” of a domain name says what should be done with email that is not DMARC-aligned.

If an organization is 100% sure that all legitimate email they send is DMARC-aligned, then the non-DMARC-aligned email is sure to be Phishing or Spam, and they can publish a policy saying “delete it all” or “put it all in the Spam folder.”

However, It’s really hard for a large organization with lots of departments and technical systems to be 100% sure that all legitimate mail is DMARC-aligned, so DMARC also allows organizations to phase into a strict policy gradually. For example, a policy could direct receivers to put 10% of the unaligned email into the Spam folder and to process 90% of it normally.

(3) DMARC provides a way for a domain to request reports on non-DMARC-aligned mail
claiming to be from it

This reporting feature is helpful in two ways:

(1) It helps organizations find sources of legitimate but non-DMARC-aligned mail so they can get to where 100% of their legitimate email is authenticated and DMARC-aligned.

(2) It can give a domain information on the phishing emails that are attempting to impersonate it. This can be helpful for anti-fraud departments.

Should I use DMARC?

DMARC is a powerful tool for fighting phishing, but it is not required to deliver your
permission-based email to the inbox as long as you’re sending email from your domain
name (which you should be).

DMARC is not for everyone. Properly deploying DMARC in a large organization and ensuring all legitimate email is DMARC aligned can be a lot of work. If you’re a target of phishing, then DMARC is an invaluable tool in that fight.


Don't Miss Out!

Sign up for the GreenArrow newsletter, and we’ll email you tips, updates, and resources.