Understanding DMARC
Overview
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a widely recognized email protocol, which helps people and businesses protect their email addresses and domains from being misused by third parties.
It helps identify that an email you send comes from the real you. This method of email authentication protects both senders and recipients from activities like spamming, phishing, and spoofing.
In this guide, you will learn more about DMARC and how to make your emails DMARC compliant.
About DMARC
DMARC uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to evaluate the authenticity of email messages. Together, these tools prevent activities like phishing and domain spoofing.
Phishing is a cybercrime in which someone poses as a credible entity, like a governmental agency, a bank, or even your own employer, to try to gather sensitive information (e.g., credit card information or a social security number). Meanwhile, domain spoofing is a form of phishing that entails using a fake domain or email address to appear legitimate.
DMARC lets domain owners define how an email that appears to be sent from that domain gets handled if it doesn't include the right information. For instance, unauthenticated emails can be blocked or sent straight to a junk folder based on settings placed in the records for that email address's domain.
The importance of DMARC
Phishers and spammers have a lot to gain from compromising user accounts. By gaining access to passwords, credit card information, bank accounts, and other financial instruments, malicious actors can easily get access to their victims' money before their victims are even aware they have been scammed.
Email is a particularly common and attractive target, especially for spoofing. Even something as simple as inserting the logo of a well-known brand into an email can trick some recipients into believing they have been sent a legitimate communication.
DMARC works to solve this problem at scale. Realistically, free email services like Yahoo, Google, or Hotmail can't inspect every email that passes through their servers to determine which ones to allow and which ones may be fraudulent.
SPF and DKIM records can actually help, but these processes have limited scope on their own. When used with DMARC, these protocols help senders and receivers collaborate to better secure emails.
DMARC provides 3 main benefits: security, reputation, and visibility.
- Security. Along with protecting customers, using DMARC benefits the email community as a whole. By building a framework for a consistent policy to deal with unauthenticated emails, DMARC helps the email ecosystem become more trustworthy and secure.
- Reputation. DMARC protects businesses by serving as a gatekeeper - it prevents bad actors from spoofing your domain and sending out emails that appear to come from your brand. Publishing your DMARC record can result in a boost to your reputation.
- Visibility. DMARC gives you more insight into your email program at a high level, allowing you to know the identity of everyone who sends email from your domain.
DMARC background
To understand DMARC, it is essential to understand the fundamentals of SPF and DKIM as well as DNS (Domain Name System) records. DMARC builds on SPF and DKIM techniques.
SPF
SPF helps detect forgery by reviewing an email's listed return-path address. This email address is also referred to as the Mail From or the bounce address. When an email can't be sent to its intended recipient after a delay or several attempts, a notification of that failure is often sent to the return-path address.
DKIM
DKIM is an email authentication technique that ensures that email content is kept safe from tampering, using a cryptographic digital signature. DKIM signatures are added as headers to email messages and secured with public key cryptography.
When a receiving server determines that an email has a valid DKIM signature, it can confirm that the email and attachments have not been modified. This process is not typically visible to end users such as the intended recipient of the email message.
A record
A record (address record) is a type of DNS record that points domains to an IP address. When using IPv4 addresses, this record is referred to as an A record.
If you were to visit avada.io, your browser would ask a nearby DNS server if it has the IP address of avada.io. If it has the IP on record, it sends it to your browser. If not, it tells your browser where it can find another DNS server that has it, and so on until the IP is relayed to you along with the website.
CNAME record
A CNAME (Canonical Name) record is a type of DNS record that maps an alias name to a true (canonical) domain name. CNAME records often map a subdomain like "www" or "mail" to the domain that hosts that subdomain's content. For instance, a CNAME record can map the web address www.avada.io to the website for the domain avada.io.
You can add a CNAME record to your DNS settings if you would like to customize a web address, verify domain ownership, reset your admin password, and much more.
How does DMARC influence email marketing?
Problem: If you send mass emails with any third-party email marketing platform (not only AVADA) and use Gmail, Yahoo, Outlook, AOL, Hotmail, MSN, or Live email addresses as the sender's email address, your emails will be bounced (not delivered) or delivered to spam boxes.
Why?
Because the emails you sent were from servers of your email marketing platform, instead of from a Gmail, Yahoo, Outlook, AOL, Hotmail, MSN, or Live server. As a result, email marketing campaigns will not reach your audiences and generate less revenue.
What is the solution for email marketers?
The best way to boost email deliverability is to use a business email sender that is verified with your business domain. Let's say our business domain is avada.io. We should verify this domain in the third-party email marketing platform; then we can confidently use an email address on this domain as an authorized sender, like support@avada.io or success@avada.io.
You can see the detailed guide right here.
If you're running a business and sending emails to your customers, whether transactional or promotional emails, it's essential to verify them.
Creating a professional email address will serve both purposes - email deliverability as well as marketing and credibility in front of your customers.
In AVADA, we do offer different ways for you to verify a sender:
- You can use your sender under our verified domain
- You can verify your own domain and add a sender that belongs to it
- You can set up a custom SMTP sender if you're using an SMTP service to send emails
All of these methods are compliant with the DMARC policy, and ensure you can send emails without worrying they are not delivered to your customers.
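The bounce described in this section, and the fix, both come down to DMARC alignment: SPF or DKIM must pass for a domain that matches the From address. The sketch below is an added example, not AVADA's code; all domains and records are constructed, the organizational-domain check is simplified to the last two labels, and the pct tag is ignored.

```python
# Added example: simplified DMARC evaluation; every domain and record is constructed.
RECORDS = {  # TXT records as they would be published at _dmarc.<domain>
    "mailprovider.example": "v=DMARC1; p=reject; rua=mailto:reports@mailprovider.example",
    "shop.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    "strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict alignment: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed (default)

def evaluate(msg):
    """Return 'pass', 'no-policy', or the failing policy: 'none', 'quarantine', 'reject'."""
    from_domain = msg["from"].rsplit("@", 1)[1].lower()
    policy = parse_dmarc(RECORDS.get(from_domain, ""))
    if policy is None:
        return "no-policy"
    spf_domain = msg["return_path"].rsplit("@", 1)[1]
    spf_ok = msg["spf_pass"] and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = msg["dkim_pass"] and aligned(from_domain, msg["dkim_d"], policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

# Free-mailbox From address sent through a platform: SPF and DKIM pass, but for esp.example.
FREEMAIL_VIA_PLATFORM = {"from": "owner@mailprovider.example", "return_path": "bounce@esp.example",
                         "spf_pass": True, "dkim_pass": True, "dkim_d": "esp.example"}
# Verified business domain: the platform signs with a key published under shop.example.
VERIFIED_DOMAIN = {"from": "support@shop.example", "return_path": "bounce@esp.example",
                   "spf_pass": True, "dkim_pass": True, "dkim_d": "mail.shop.example"}

if __name__ == "__main__":
    print(evaluate(FREEMAIL_VIA_PLATFORM))  # reject
    print(evaluate(VERIFIED_DOMAIN))        # pass
```

In the first message SPF and DKIM both succeed, yet neither result is for the From domain, so the mailbox provider's own policy decides the outcome.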
DMARC limitations
DMARC is undoubtedly a robust technique for reducing the likelihood of email phishing and spoofing, but it does have a few limitations.
One of the most significant is that it can't combat spear phishing attacks using DNI (Display Name Imposters), which make up a large percentage of email fraud attempts.
In addition, DMARC is unable to protect against lookalike domain spoofs, so it should be used in conjunction with other protocols for protection against email fraud.
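Both gaps can be covered by a separate check on the From header at the mail gateway, since DMARC only evaluates the domain the message actually uses. The following is an added example, not part of any AVADA product; the protected names, the domain list and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: display names the organisation protects and its real domains.
PROTECTED_NAMES = {"shop support", "shop billing"}
OWN_DOMAINS = {"shop.example"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_from(header):
    """Label a From header: 'ok', 'lookalike-domain' or 'display-name-impostor'."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in OWN_DOMAINS:
        return "ok"  # genuine domain: DMARC decides whether the message is authentic
    # A domain within two edits of ours is treated as a lookalike (assumed threshold).
    if any(0 < edit_distance(domain, own) <= 2 for own in OWN_DOMAINS):
        return "lookalike-domain"
    # A protected display name on any other domain is a display name impostor.
    if name.strip().lower() in PROTECTED_NAMES:
        return "display-name-impostor"
    return "ok"

# Constructed sample headers.
SAMPLES = [
    "Shop Support <support@shop.example>",
    "Shop Support <helpdesk@unrelated-mail.example>",
    "Shop Support <support@sh0p.example>",
    "Alice <alice@customer-site.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_from(header), header)
```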
DMARC is complicated, as well. Companies with large IT talent pools have an advantage here. However, there are many resources out there to teach anyone how to deploy DMARC. It may be a large time commitment, but domain owners who want to mitigate vulnerabilities in their email systems will find it worthwhile to put in the time.
It is hard to say how many organizations will ultimately use DMARC, though the numbers are steadily growing. Considering that the vast majority of successful data breaches originate with email, though, it is clear that we will all be better off when DMARC usage is widespread.
Updated on: 28/08/2021