How to use DMARC and secure your email

With the ever-present threat of phishing attacks, spoofing, and other malicious activities, protecting your inbox and your identity online is crucial.

Domain-based Message Authentication, Reporting, and Conformance (DMARC), is a powerful email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorised use, commonly known as email spoofing.

This can ultimately be used to gain unauthorised access to services or acquire sensitive information such as financial information, intellectual property or personal data. 

DMARC helps reduce these types of threats and is implemented through the DNS of the domain.

DMARC is used in conjunction with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records to further bolster email security. 

What are the benefits of using a DMARC? 

DMARC records will benefit the majority of mail users, regardless of what the mailboxes are used for.

As it builds on SPF and DKIM, DMARC is a very useful tool which aids in preventing domain spoofing and bolstering your company or domain’s reputation. 

DMARC also provides security benefits as the policies implemented will automatically handle mail that is not authenticated or validated, which ensures the mail environment is more secure and trusted.

Coupled with the reporting mechanism, the domain owner can see exactly who is sending emails from their domain, how all mail is handled and when. 

What are SPF and DKIM records? 

SPF (Sender Policy Framework)

An SPF record is a type of DNS record that dictates which IP addresses or hostnames are authorised to send mail for the domain.

This record greatly reduces the risk of your domain being spoofed and it can also improve deliverability to stricter mail providers, such as Outlook and Gmail.  

ℹ️ How to add an SPF record on our platform: https://docs.20i.com/email-hosting/spf-records

DKIM (DomainKeys Identified Mail) 

DKIM, like SPF, is a type of DNS record that enables a specific aspect of email-sending processes to be authenticated.

This record will provide a foundation for distinguishing legitimate mail by placing a DKIM signature in the headers sent from the mail server.

The receiving server will then extract the DKIM signature from the mail header, fetch the DKIM record from the domain’s DNS and then validate the message using the 2048-bit public key from the DKIM DNS entry.  

ℹ️ How to add a DKIM record on our platform: https://docs.20i.com/domain-names/add-dkim

How does DMARC work?

A DMARC record can be customised and can vary in how they look. Most DMARC records will typically look like this: 

v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;rf=afrf;ri=86400 

• Authentication: DMARC will check if the sender’s domain in the email aligns with SPF and DKIM authentication.  
• Alignment: DMARC requires that either SPF or DKIM authentication is passed, and the outcome is based on the policy enforcement. 
• Policy Enforcement: The policy enforcement is defined by ‘p=’ and can be modified to define what happens to incoming emails that fail authentication or alignment checks. 
• No action (p=none): This is simply for monitoring and will not take any action against emails that fail to pass the appropriate checks. 
• Quarantine (p=quarantine): Emails that fail the set checks will be placed in the recipient’s spam or quarantine folder. 
• Reject (p=reject): Any emails that do not pass the checks are completely rejected and will not be delivered to the recipient. 
• Reporting: If your ISP or email provider supports DMARC, they will likely include a reporting feature, which allows you to receive DMARC reports. This can be useful to monitor mail, how the mail is being used and if there are any instances of unauthorised sources sending email from the domain. 

How to implement DMARC

Implementing a DMARC will vary depending on your hosting, internet or mail provider, however, the records themselves are typically universal.

If you are unsure of how to apply a DMARC to your domain, it is best to contact your provider. 

ℹ️ If you’re hosted with us, simply use our free and easy DMARC Wizard. Learn how to implement a DMARC here https://docs.20i.com/domain-names/how-to-use-the-dmarc-wizard-tool.