Email spoofing policy (DMARC)

What is DMARC and why should I be concerned?

DMARC stands for “Domain-based Message Authentication, Reporting and Conformance”. It’s an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cyber crimes.

DMARC builds on SPF and DKIM: it publishes a clear policy telling receiving mail servers what to do with messages that fail those checks, and it lets you specify an email address to which receivers send reports about mail claiming to come from your domain. All three mechanisms are published as DNS (Domain Name System) records. SPF is what gives you, as an email sender, the ability to specify which mail servers are permitted to send email on behalf of your domain; DMARC adds the requirement that the domain passing SPF or DKIM aligns with the domain in the visible From: header, which is the address a recipient actually sees.

  • If you don’t have a DMARC policy, emails impersonating your organisation can be delivered to recipient inboxes, and you won’t receive any reports of these attacks.
  • If your policy is set to "none", your domain is in monitoring mode. Receivers take no action on mail that fails DMARC, so attackers can still impersonate your domain and recipients receive no warning of the malicious nature of those emails; you do, however, receive reports about them.
  • If your policy is set to "quarantine", you do not yet have a DMARC policy that prevents spoofed emails from being delivered. Receivers treat failing mail as suspicious (typically delivering it to the spam or junk folder) rather than refusing it, so spoofed emails can still reach recipients.

How do I resolve this?

You should first have receivers treat illegitimate emails as suspicious, and then progress to stopping those emails from being delivered at all. Many organisations are at the stage of understanding and monitoring their email with minimal settings, which is why their domains are currently spoofable. The reports make them aware of any spoofing attempts, and in time they can tighten their settings to become more and more resilient.

It is recommended that a DMARC policy is implemented gradually and with a phased approach:

Phase 1: Implement a DMARC policy of 'none'

Phase 2: Move to a DMARC policy of 'quarantine'

Phase 3: Move to a DMARC policy of 'reject'

In Phase 1, you would publish a TXT record in DNS at _dmarc.example.com (the _dmarc label under your own domain). It should look something like this: v=DMARC1; p=none; rua=mailto:user@example.com

The p=none part of the above record means that none of the mail sent using your domain will be affected in this phase. The rua part specifies an email address to which receivers send aggregate reports covering all mail they saw claiming to come from your domain, including whether each sending source passed or failed the SPF and DKIM checks and DMARC alignment. For the rua address you would probably want to use a generic email inbox (e.g. emails@example.com or dmarc@example.com) rather than an individual's mailbox, since every participating receiver sends a report (an XML document, usually daily).

Phase 1 is essentially a monitoring phase: none of your email will be affected, but you will be collecting reports about every message that receivers saw using your domain, both your legitimate mail (internal servers, marketing platforms and other third-party services) and mail from sources which are spoofing your domain. Use these reports to find every legitimate sender that is not yet covered by SPF or DKIM before moving on to Phase 2, otherwise tightening the policy will cause your own mail to be quarantined or rejected.
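As an added example (written for this page, not code from the original text or from any vendor), the script below does the two checks a practitioner wants during Phase 1: it parses the DMARC TXT record for each phase and classifies it in the terms of the bullet list above (missing, none, quarantine, reject), and it summarises an aggregate (rua) report per sending source so that legitimate senders can be separated from spoofing sources. The DMARC records, the IP addresses and the XML report are constructed sample data for example.com, not real DNS or mail traffic.

```python
"""Parse DMARC records and summarise a DMARC aggregate (rua) report.

Example code written for this page. The records and the report below are
constructed sample data for example.com, not real DNS data or mail traffic.
"""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT records for the three phases described above.
PHASE_RECORDS = {
    "phase1": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "phase2": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "phase3": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

POLICY_MEANINGS = {
    "missing": "no DMARC record: spoofed mail is delivered and you receive no reports",
    "none": "monitoring only: spoofed mail is still delivered, but you receive reports",
    "quarantine": "failing mail is usually delivered to the recipient's spam/junk folder",
    "reject": "failing mail is refused by participating receivers",
    "invalid": "a record exists but is not a usable DMARC policy",
}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs.

    Returns None when the text is not a DMARC record (the 'v' tag must be
    the first tag and must equal DMARC1, which is also how receivers decide
    whether a TXT record at _dmarc.<domain> counts at all).
    """
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if not txt.strip().lower().startswith("v=dmarc1") or tags.get("v") != "DMARC1":
        return None
    return tags


def assess_policy(txt):
    """Classify a record as missing / none / quarantine / reject / invalid."""
    tags = parse_dmarc_record(txt) if txt else None
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()  # 'p' is mandatory in a DMARC record
    return policy if policy in ("none", "quarantine", "reject") else "invalid"


# Constructed aggregate report, in the XML format receivers mail to the rua
# address. Two sources: the organisation's own mail server (192.0.2.10, passes)
# and an unknown host sending spoofed mail (198.51.100.77, fails SPF and DKIM).
SAMPLE_RUA_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_rua_report(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} from an aggregate report.

    The dkim/spf values under policy_evaluated are the aligned results, so a
    message passes DMARC when either of them is 'pass'.
    """
    summary = {}
    for record in ET.fromstring(xml_text).findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary.setdefault(row.findtext("source_ip"), {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += int(row.findtext("count"))
    return summary


if __name__ == "__main__":
    for phase, record in PHASE_RECORDS.items():
        label = assess_policy(record)
        print("%s: %s (%s)" % (phase, label, POLICY_MEANINGS[label]))
    print("no record: %s" % POLICY_MEANINGS[assess_policy(None)])
    for ip, counts in summarise_rua_report(SAMPLE_RUA_REPORT).items():
        print("%-16s pass=%-4d fail=%d" % (ip, counts["pass"], counts["fail"]))
```

Running it prints the classification for each phase's record and, for the sample report, 120 passing messages from 192.0.2.10 and 35 failing messages from 198.51.100.77. In a real Phase 1 review, every source that fails and that you recognise as your own (a marketing platform, a ticketing system) needs adding to SPF or signing with DKIM before moving to quarantine; sources you do not recognise are the spoofing the policy is there to stop.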