DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email validation system that prevents your company’s email domain from being exploited for email spoofing, phishing scams, and other forms of cybercrime. DMARC builds on two existing email authentication systems: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
When a domain owner adds a DMARC record to their DNS records, they can see who is sending email on their behalf. This data can be used to obtain more specific information about the email channel, and with that information a domain owner can gain control over the emails sent on their behalf. DMARC can be used to defend your domains from phishing and spoofing attacks.
What is a DMARC record?
A DMARC record is stored in the DNS database of a company. A DMARC record is a properly structured DNS TXT record with a specific name, such as “_dmarc.mydomain.com” (note the leading underscore). The following is an example of a DMARC record:
_dmarc.mydomain.com. IN TXT "v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100"
Reading left-to-right in plain English, this record says:
v=DMARC1 specifies the DMARC version
p=none specifies the preferred treatment, or DMARC policy
rua=mailto:dmarc-aggregate@mydomain.com is the mailbox to which aggregate reports should be sent
ruf=mailto:dmarc-afrf@mydomain.com is the mailbox to which forensic reports should be sent
pct=100 is the percentage of mail to which the domain owner would like to have its policy applied
DMARC record check
A valid DMARC record must be published before DMARC can be implemented. We offer a free tool called DMARC Record Check that displays the DMARC record, tests it, and verifies that it is valid. The DMARC Record Check tool is both free and simple to use. To run a DMARC check, simply enter the domain name.
The DMARC Record Check then parses the DMARC record and displays it along with other information.
Use the DMARC Record Check to look up and test the DMARC record. Then evaluate each possible option as well as the ones that have been implemented. If any external domains are in use, DMARC Record Check will verify and test them.
Results of a DMARC Check
A DMARC test performed with DMARC Record Check will test and declare the following tags.
v - Version of the DMARC protocol.
p - The policy to apply to emails that fail the DMARC check. It can be “none,” “quarantine,” or “reject.” The value “none” is used to collect DMARC reports and gain insight into the current email flows and their status.
rua - A list of URIs to which ISPs send XML feedback. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form “mailto:test@example.com”.
ruf - A list of URIs to which ISPs send forensic reports. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form “mailto:test@example.org”.
rf - The format of forensic reports. This can be “afrf” or “iodef.”
pct - The percentage tag tells ISPs to apply the DMARC policy to only a certain percentage of failed emails. “pct=50” instructs receivers to use the “p=” policy only 50% of the time when dealing with emails that fail the DMARC check. NOTE: This only works with the “quarantine” or “reject” policies, not the “none” policy.
adkim - The “Alignment Mode” for DKIM signatures, which can be “r” (Relaxed) or “s” (Strict). In Relaxed mode, authenticated DKIM signature domains (d=) that share an Organizational Domain with an email’s “From” domain pass the DMARC check. Strict mode requires an exact match.
aspf - The “Alignment Mode” for SPF, which can be “r” (Relaxed) or “s” (Strict). In Relaxed mode, authenticated SPF domains that share an Organizational Domain with the email’s “From” domain pass the DMARC check. Strict mode requires an exact match.
sp - The policy to apply when mail from a subdomain of this domain fails the DMARC check. Using this tag, domain owners can publish a “wildcard” policy for all subdomains.
fo - Forensic reporting options. Allowable values: “0” to generate reports if both DKIM and SPF fail, “1” to generate reports if either DKIM or SPF fails to deliver a DMARC pass result, “d” to generate reports if DKIM failed, and “s” to generate reports if SPF failed.
ri - The reporting interval for the aggregate XML reports. This is a preference only, and ISPs may (and most likely will) send the report at different intervals (normally this will be daily).
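The tag rules above can be checked mechanically before a record is published. The Python below is an added example, not the code of the DMARC Record Check tool; the names parse_dmarc and check_dmarc and the BAD sample record are constructed for illustration. It assumes tags are separated by semicolons, that v=DMARC1 comes first and p is required, and that fo and rf values are colon-separated, as RFC 7489 specifies.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    txt = txt.replace("\\;", ";")  # undo zone-file escaping, as in the record above
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt):
    """Return a list of findings; an empty list means no problems were found."""
    tags, findings = parse_dmarc(txt), []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    if "p" not in tags:
        findings.append("missing required p= policy")
    for tag, allowed in ALLOWED.items():
        if tag in tags and tags[tag].lower() not in allowed:
            findings.append(f"{tag}={tags[tag]} is not one of {sorted(allowed)}")
    for tag in ("rua", "ruf"):  # must be URIs, not bare email addresses
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.match(r"^[a-z][a-z0-9+.-]*:", uri, re.I):
                findings.append(f"{tag} entry {uri!r} is not a URI (mailto: missing?)")
    if "pct" in tags:
        pct = tags["pct"]
        if not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
            findings.append(f"pct={pct} must be an integer from 0 to 100")
        elif tags.get("p") == "none" and int(pct) < 100:
            findings.append("pct has no effect with p=none")
    for tag, allowed in (("fo", {"0", "1", "d", "s"}), ("rf", {"afrf", "iodef"})):
        if tag in tags and not {v.strip() for v in tags[tag].split(":")} <= allowed:
            findings.append(f"{tag}={tags[tag]} has values outside {sorted(allowed)}")
    return findings

# Constructed sample inputs: the example record from this page and a deliberately broken one.
GOOD = r"v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100"
BAD = "v=DMARC1; p=monitor; rua=dmarc@mydomain.com; pct=150; adkim=x"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(check_dmarc(record) or "OK")
```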
What does DMARC compliance mean?
An organization can pass the DMARC check and become DMARC compliant by authenticating its email channels with DKIM and/or SPF. To be DMARC compliant, DKIM and/or SPF must also be aligned. Only one of DKIM or SPF needs to be configured to be DMARC compliant.
User-friendly DMARC analyzing software
ProDMARC is a user-friendly DMARC analyzing software that acts as your professional guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS product that enables organizations to manage complex DMARC deployments with ease. Across all email channels, the system provides 360-degree visibility and governance.