DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It sits on top of SPF and DKIM. What DMARC brings to the table is the ability to control, test and monitor the emails that are received, blocked or quarantined. It also enables the sender to receive feedback as to why their message was blocked.
Why do we need DMARC?
Currently, every company handles email differently. Some use SPF, some use DKIM, many use neither. This makes it very hard for email senders to know whether an email is going to meet the criteria of the receiver, as everyone is set up differently. DMARC provides a standard that email senders can put in place to ensure their email is received, and that standard is created so all email senders and receivers are validating in the same way.
How does it work?
In simple terms, it enables an email sender to indicate that their emails are protected by either SPF, DKIM or both. It also provides instructions on what to do if the message is rejected or quarantined. This takes the guesswork out for email administrators, who can be safe in the knowledge that only genuine, verified emails will make it to your inbox.
From the email sender's side, each email is sent on with a note declaring their DMARC credentials, which prove that the email has, in fact, come from that domain. It also provides the receiver with an email address so that, if the email is rejected or quarantined, the sender can be notified why.
From the receiver's side, your email server will check each email as it arrives, request its DMARC credentials and, depending on how each one is set up, do one of the following:
- Record the DMARC credentials and allow the email to pass
- Record the lack of DMARC credentials and allow the email to pass
- Record the lack of DMARC credentials, quarantine the email and send a notification to the sender
- Record the lack of DMARC credentials, block the email and then send a notification to the sender
Does this mean I do not need a spam filtering service?
Quite the opposite. DMARC does not stop emails that are infected. It only ensures that they are who they say they are. DMARC will massively reduce the amount of spam you receive, but it does not stop infected emails getting through. So it is still essential that you have a good-quality filtering service in place to stay protected.
How does this work for services like Gmail and other 3rd party email providers?
You will need to check with your email provider whether they are using DMARC. At the time of writing, neither Gmail nor Hotmail (including outlook.com) is running DMARC, but they are working on enabling this. The following site shows how many popular global email providers are either running or working towards DMARC. Click here to visit this site.
How can I be sure I won’t lose the email I do want to receive?
When setting up DMARC, it is best to start by just collecting data, without blocking anything other than what your email filtering service picks up. Once DMARC is in place and active, you will start receiving reports showing details of the activity for each email received. These let you see how DMARC treats the typical emails your business receives before you decide whether to set the policy to quarantine the emails it believes to be spam or simply block them.
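The receiver-side outcomes listed under "How does it work?" and the collect-data-first rollout described above can be seen in a short sketch. This is an added example, not part of the original article; the tag names (v, p, pct, rua) come from the DMARC specification (RFC 7489), while the function names, the example.com addresses and the sample records are constructed for illustration.

```python
# Added example: parse a DMARC TXT record, decide what a receiver does with
# a message, and flag rollout gaps. Function names are hypothetical.
VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records (example.com is a placeholder domain).
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE = "v=DMARC1; p=reject; pct=50"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into policy, pct and report addresses."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    # Simplification: a missing or unknown policy is treated as invalid here.
    if policy not in VALID_POLICIES:
        raise ValueError("missing or unknown policy")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"policy": policy, "pct": int(tags.get("pct", "100")), "rua": rua}

def disposition(record, spf_aligned, dkim_aligned):
    """Return deliver, quarantine or reject for one message.

    spf_aligned / dkim_aligned: that check passed for the From: domain.
    DMARC passes when either one does; otherwise the sender's policy applies.
    (pct sampling is not modelled here.)
    """
    if spf_aligned or dkim_aligned:
        return "deliver"
    return "deliver" if record["policy"] == "none" else record["policy"]

def rollout_findings(record):
    """List gaps an administrator should close before tightening the policy."""
    findings = []
    if not record["rua"]:
        findings.append("no rua address: no aggregate reports will arrive")
    if record["policy"] == "none":
        findings.append("monitor only: failing mail is still delivered")
    elif record["pct"] < 100:
        findings.append(f"policy applies to {record['pct']}% of failing mail")
    return findings

if __name__ == "__main__":
    for txt in (MONITOR, ENFORCE):
        rec = parse_dmarc(txt)
        print(rec["policy"], disposition(rec, False, False), rollout_findings(rec))
```
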
For more information visit https://dmarc.org/