There are a lot of actions that you can take to reduce your email bounce rate. One great solution is to apply domain-level authentication. You can do it by simultaneously using SPF and DKIM with the help of a DMARC record, but how? 🤷
Let’s find out!
📚 Table of contents:
- DMARC meaning
- What is a DMARC record?
- How does DMARC work?
- Benefits of DMARC record
- Outcome of DMARC check
DMARC meaning 💁
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a sophisticated mechanism that uses DNS records to provide a secure email exchange. The goal of DMARC is to have an uninterrupted and secure email exchange, based on the results of the authentication of the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records of the sender’s domain.
What is a DMARC record? 💻
A DMARC record is a type of TXT DNS record responsible for authenticating a domain and the email servers that send on its behalf. It includes all the policies that will guide the receiving email server. Thanks to this DNS record, the receiver can use the results of the SPF and the DKIM checks and take action on incoming emails from a particular sender.
👉 Before we dive into the specifics of a DMARC record, we need to define two related terms: SPF and DKIM.
What is SPF?
SPF records set the IP addresses that are allowed to send emails on behalf of the domain. They are regular TXT DNS records that act as whitelists that the incoming server uses to determine if the email is coming from the right domain. This helps reduce phishing attacks and serves as a part of the more complicated DMARC mechanism.
What is DKIM?
The DKIM record is another simple TXT record with an authentication purpose. It associates a domain name with an email using cryptography. The software sending the email uses DKIM to sign the email before it sends it. Later the receiver performs a DNS query and gets the public key from the domain. Only with this key can the receiver authenticate the email’s origin. This process adds additional trust and prevents phishing and spoofing attacks.
Now that we understand SPF and DKIM, let’s take a closer look at DMARC records.
An example of a DMARC record
In this example, we have a typical DMARC record, with a reject policy that defines 20% of the emails as subject to filtering and has the email of the domain administrator for forensic and aggregate reports. The last number is the TTL, the Time To Live of the DNS record that indicates how long the record is valid.
DMARC tags explained
Here you can see all the tags that the DMARC record uses and what they mean:
- Adkim – This is the action based on the DKIM record.
- Aspf – This is the action based on the SPF record.
- Fo – Fail option. This is the action that the incoming mail server should take in case of a failure.
- P – Policy. The particular policy that the receiver should use.
- Pct – Percentage. It defines the percentage of emails that the policy applies to.
- Rf – Report format. It sets the format for the report.
- Ri – Report interval. It sets the report interval.
- Rua – Return feedback (aggregate). Here you can see to which email the aggregate report should be sent.
- Ruf – Return feedback (forensic). Here you can see to which email the forensic report should be sent.
- Sp – Subdomain policies. This sets the policies for the subdomains. If it is not defined, the policies of the domain will apply to all subdomains.
- V – A simple version indicator. Currently, it should be DMARC1 because there is no DMARC2.
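The tags above can be checked mechanically before a record is published. The following Python parser is an added example, not code from the original article: the two sample records and the admin@example.com address are constructed (the first follows the description of the example record above, without the TTL), and the defaults and allowed values are those of RFC 7489.

```python
# Added example: parse and sanity-check the value of a DMARC TXT record.
# Defaults are the ones RFC 7489 assigns to tags that are left out.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100",
            "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return (tags, problems) for one DMARC record value."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    tags, problems = {}, []
    for pair in pairs:
        name, sep, value = pair.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {pair!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    # The version tag must come first, otherwise receivers ignore the record.
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if tags.get(name, "r").lower() not in ("r", "s"):
            problems.append(f"{name} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} entry is not a mailto: URI: {uri.strip()}")
    # Fill in defaults; subdomains inherit p when sp is absent.
    full = {**DEFAULTS, **tags}
    full.setdefault("sp", full.get("p"))
    return full, problems

# Constructed records: the first is well formed, the second is broken.
GOOD = ("v=DMARC1; p=reject; pct=20; "
        "rua=mailto:admin@example.com; ruf=mailto:admin@example.com")
BAD = "p=rejct; pct=120; rua=admin@example.com"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        tags, problems = parse_dmarc(record)
        print(tags.get("p"), tags["pct"], problems or "ok")
```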
How does DMARC work? ⚙️
Let’s explore the whole process of DMARC. Note that in this context, “sender” and “receiver” refer to the software sending or receiving emails, not the individuals.
- First, the domain administrator creates SPF and DKIM records. Then the administrator uses these records to create DMARC policies and DMARC records. These policies will be used by the receiver of the emails to verify the sender and check if the emails are coming from the right domain name.
- The sender will send an email to a receiver. When emails arrive in the email server of the receiver, the receiver will first check the domain. It will do multiple DNS queries to get all the information that it needs to see if criminals have spoofed the email or if the message is legitimate.
- The DKIM record is looked up in DNS, and the receiving server checks whether it is valid, that is, whether the signature is the correct one for the domain of the sender.
- Then it will check the SPF record and compare it to the IP address of the sender. They must match. If they don’t, this could be a signal that criminals spoofed the communication. The SPF record serves to list the IP addresses that the sender uses for sending emails.
- Now that the results of the SPF and the DKIM are in, the receiver will use the policies set in the DMARC record and take action to allow the email, put it in spam, or quarantine it.
- Thanks to the reporting feature, the receiver will provide feedback to the sender about emails that supposedly came from the sender domain. That way, the administrator of the appropriate domain can check if somebody is trying to send emails on its behalf and take additional actions.
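The receiver's decision in the steps above, as an added Python example that is not part of the original article. The domains, messages and policy are constructed, the SPF and DKIM results are taken as already computed, and `org_domain()` is a two-label simplification of the Public Suffix List lookup that real receivers perform.

```python
# Added example: how a receiver turns SPF and DKIM results into a DMARC action.
# org_domain() is a simplification: real receivers use the Public Suffix List.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(msg, policy, sample=0):
    """msg: From domain plus SPF/DKIM results; policy: parsed DMARC tags.
    sample is a number in [0, 100) standing in for the receiver's random draw."""
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], msg["from"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass", "none"
    # Subdomains of the policy domain use sp when it is published.
    is_sub = msg["from"].lower() != policy["domain"].lower()
    action = policy.get("sp", policy["p"]) if is_sub else policy["p"]
    # Messages outside the pct sample get the next weaker action.
    if sample >= int(policy.get("pct", 100)):
        action = DOWNGRADE[action]
    return "fail", action

# Constructed policy and messages.
POLICY = {"domain": "example.com", "p": "reject", "pct": "20",
          "adkim": "r", "aspf": "s"}
LEGIT = {"from": "example.com", "spf": "pass", "mail_from": "bounce.example.com",
         "dkim": "pass", "dkim_d": "example.com"}
# SPF passes for the envelope domain, but that domain is not the From domain.
SPOOF = {"from": "example.com", "spf": "pass", "mail_from": "mail.other.test",
         "dkim": "none", "dkim_d": ""}

if __name__ == "__main__":
    print(dmarc_disposition(LEGIT, POLICY))
    print(dmarc_disposition(SPOOF, POLICY, sample=5))
    print(dmarc_disposition(SPOOF, POLICY, sample=50))
```

The spoofed message shows why an SPF pass alone is not enough: the pass belongs to a different domain than the one in the From header, so it does not count toward DMARC.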
Benefits of DMARC record 👍
Email authentication in a simple manner
It takes just a few minutes to set up the right DMARC policies and add SPF and/or DKIM records if they are missing. Everything is done on a domain level.
Lowers the number of spam messages
Many incoming email servers use DMARC to determine what actions they should take with all the incoming emails. Many times, the lack of a DMARC record will mean all the emails will go directly to the spam folder.
Reduces risk of phishing attacks
The incoming email servers can authenticate the domain of the sender. That way, they can be sure that the emails are coming from the right domain name and email server. This action can significantly reduce the server’s receipt of spoofed emails. Big companies like Google, Yahoo, and Microsoft use DMARC to mark emails as dangerous and potential risks for phishing attacks.
Better email security
It will increase the credibility of the sender and it will protect from email spoofing. Criminals won’t be able to impersonate your domain and send fake emails with dangerous content. This will be beneficial to you in many ways, including protecting your reputation and preventing your email domain from being blacklisted.
Thanks to the DMARC record, the domain administrator can provide a simple and automatic way for the receivers to verify the origin of the emails. That way your emails won’t be considered phishing attacks and won’t go directly to the spam inbox.
It will also show a report about the misuse of the domain name for sending emails that can be used for further security improvement.
Boosts email deliverability
Having DMARC records will provide better deliverability thanks to the fact that fewer emails will be discarded by the incoming email servers. That is a huge plus for any company. We are sure that you want each of your emails to get into the inbox of the receiver, without any trouble. DMARC will help with that.
Outcome of DMARC check ✅
If the email can’t pass the DMARC check, it gets sent to the spam folder. That way, the receiver gets it, but he or she is warned that the email might not be coming from the correct sender.
In case of email rejection, the email didn’t pass the DMARC record check and the incoming email server directly rejected it. The receiver won’t be able to see it inside the spam folder.
With a policy of none, the receiver won’t take any action, whether the email fails the DMARC check or not. In any case, the receiving email server will generate a report that it will send back to the domain administrator of the sender. Administrators mostly use it for monitoring purposes.
What we can see clearly is that DMARC adds an additional verification layer on top of DKIM and SPF.
It lowers the number of undelivered emails and fraudulent emails by preventing domain spoofing.
An additional plus is the reporting functionality that can inform the domain administrator about misuse of the domain. For these reasons, we strongly recommend adding a DMARC record to improve your email security. It will be beneficial both for you and your clients and it will only take you a few minutes to set it up.