Index

DMARC

TL;DR

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication and security policy protocol.

DMARC extends SPF and DKIM validation by adding a third validation known as alignment. It is intended to mitigate the weaknesses that exist in both DKIM and SPF. DMARC allows domain owners to specify a policy on how the receiver should treat email from the domain.

DMARC is formally defined in RFC7489.

DMARC also makes monitoring of email traffic for an entire domain possible. Mailhardener leverages DMARC to provide the email monitoring feature.

An email has more than one sender address

To understand DMARC, you must first know that an email can contain multiple email addresses. See our article email address types explained to learn more about that.

For this article, you need to know these email addresses:

It is important to understand that these two addresses can be different. They can even be from different domains.

A simple analogy with paper mail would be to treat the RFC5321.MailFrom address as the address written on an envelope, and the RFC5322.From as the sender address written on the letter itself.

How DMARC works

A domain owner (that's you) publishes a DMARC policy in a DNS TXT type record placed at subdomain _dmarc, for example: _dmarc.mailhardener.com. We'll call this DNS TXT record the DMARC record.

When a DMARC capable email server receives an email, it will check the domain used in the RFC5322.From address for the existence of a DMARC record. If a DMARC record is found the email server will check the email for alignment.

If the email fails alignment, the server will apply the policy that was found in the DMARC record. In the policy you can instruct the receiver to reject or quarantine emails that fail alignment.

Even without a DMARC record, a receiving email server may still use alignment validation as one of the factors in spam detection.

DMARC alignment

A DMARC capable email receiver will not only use SPF and DKIM validation, but also check received emails for alignment.

As we explained in our SPF and DKIM articles, an unauthorized sender can work around SPF and DKIM validation by using a domain they control in the RFC5321.MailFrom address or DKIM signature. DMARC closes this security hole by requiring that the domain name used in the various email addresses and DKIM signatures are equal.

In DMARC terms, an email is aligned when at least one of the following requirements is met:

An email can pass both SPF and DKIM validation, but still fail alignment. If both SPF and DKIM validation fail, the message will not be aligned.

If the email fails alignment, the policy defined in the DMARC record is applied by the receiver.

In the DMARC policy a relaxed mode or strict mode can be specified for both SPF and DKIM alignment. In strict mode the domain must match exactly to pass alignment, in relaxed mode the receiver will treat subdomains as equal.

Example: an email where the RFC5321.MailFrom domain is mail.domain.com and the RFC5322.From domain is domain.com will pass relaxed alignment but fail strict alignment.

DMARC policy

The DMARC policy instructs the receiver on how to treat received emails that fail alignment. There are 3 possible values:

None

When the none policy is instructed, the receiver will not take any additional measures against these emails. There is no guarantee that the email will be delivered to the recipient's inbox though, the server may still decide to reject the email or mark is as spam based on various other factors. The none policy is also the default policy that will be applied if no policy is specified in the DMARC record.

Quarantine

The quarantine policy is used if the domain owner is not willing to give a strong statement about emails that fail DMARC alignment. Most email servers use the alignment result as one of the factors for spam detection. A quarantined email may still be delivered to the recipient's inbox, but has a higher possibility to be marked as spam.

Some organisations do actually quarantine the emails, requiring human inspection do decide if the email should be delivered to the recipient's inbox.

Reject

A reject policy is the strongest level of advise a domain owner can give to the receiver. It advices the receiving server to reject email that fail DMARC alignment. If the email it rejected, it will not be delivered to the inbox of the recipient.

DMARC reporting

Besides alignment validation, DMARC can also be used to request reporting from receiving email systems.

The reports contain aggregated data over a certain period (usually 24 hours) on how the receiver processed the email it received from various senders that (attempt to) send email using your domain. Per sender the report will specify the number of processed emails, the applied policy, the authentication results (SPF and DKIM) and the alignment result. Finally, the report will specify the disposition the receiver applied to the emails (none, rejected or quarantined).

The reports itself are not human friendly to read, and the number of reports received on a daily basis can get quite high (one per receiver). To make the reports usable a service like Mailhardener is often used to combine, enrich, analyse and visualise the various reports that are received on a daily basis.

To enable reporting, the rua value is set in the DMARC record. The receiving server sends the report to the URL specified in the rua value. Currently, the only supported protocol to be used in the URL is mailto:, meaning that the reports are always sent via email.

Here is an example DMARC record that has reporting enabled:

v=DMARC1; rua=mailto:dmarc-reports@mailhardener.com

Implementation

In a typical situation, a domain owner will enable DMARC with a none policy first. This will not affect the way receiving servers are processing email from the domain, but it will allow for monitoring. A service like Mailhardener is then used to process the various DMARC reports to gather insight in all senders that use the domain name.

After some time (usually a month or so, depending on the various services used) there will be a reasonably complete overview of all services that are sending email in name of the domain, and whether these servers are passing SPF, DKIM and DMARC alignment. If needed, the domain and/or sender configurations are adjusted to make sure all legitimate senders pass alignment. Then the DMARC policy is changed to quarantine, to start blocking unauthorized senders.

Depending on the amount of unauthorized senders that are encountered, and the nature of the business, a domain owner may go one step further and deploy a reject policy.

From that point on, the monitoring system is used to keep an eye on all senders (both authorized and unauthorized). Based on the monitoring results the DKIM, SPF and DMARC settings may be adjusted accordingly.

When transitioning from none to quarantine or reject, a percentage can be specified in the DMARC record using the pct property. If the percentage is set the receiver will only apply the policy to that percentage of emails that fail alignment. This way the domain can make a more controlled transition, minimizing the risk of accidentally blocking legitimate senders.

The DMARC record

The DMARC record is a DNS record of type TXT with subdomain label _dmarc, such as _dmarc.mailhardener.com.

A DMARC record consists of key-value pairs separated by a semicolon (;), any whitespace is ignored. The key and value is separated by an equal sign (=).

Example:

v=DMARC1; p=reject; rua=mailto:cb10ab46@in.mailhardener.com

To inspect the DMARC DNS record of your own domain, you can use our DMARC validator tool.

In this example, the DMARC record is set up with a reject policy (in the p field) and receivers are instructed to send aggregate reports to Mailhardener for processing. The v=DMARC1; version indicator is required, the DMARC record must start with the version indicator. A DNS query on _dmarc.[domain] may only result in 1 TXT record that begins with v=DMARC1.

Apart from the version (v=DMARC1) field, all other fields are optional. If the value is not set in the DMARC record, a default value is used.

Field Default value Description
v Required, must be set to DKIM1. Must be the first value in a DMARC record.
p none The policy the receiver should apply to emails that fail SPF and DKIM authentication, or fail alignment.
sp Same as p The policy the receiver should use for any subdomain of this domain. If not set, the same policy is used as found in p
pct 100 The percentage of emails the fail SPF and DKIM or fail to align that the policy p must be applied to. Can be used to transition slowly from none to quarantine to reject.
rua The URL where to send aggregate reports to. Currently only reporting via email (using the mailto: scheme) is supported. If not set, no reports are gathered by the receivers.
ruf The URL where to send failure (forensic) reports to, uses same format as rua. Very few receivers implement this feature.
ri 86400 The interval at which the receivers should send a rua aggregate report, in seconds. Defaults to 86400 (24 hours). DMARC capable receivers may choose to ignore this value.
aspf r Instruct the receiver to use strict (s) or relaxed (r) SPF alignment validation. With strict alignment the RFC5321.MailFrom and RFC5322.From domains must match exactly, with relaxed alignment any subdomain is also accepted.
adkim r Instruct the receiver to use strict (s) or relaxed (r) DKIM alignment validation. With strict alignment the location of the DKIM record must match exactly with the RFC5322.From domain, with relaxed alignment any subdomain is also accepted.
fo 0 Instruct the receiver when to send a ruf failure report. See the segment failure reporting below for supported values
rf afrf The format to send the ruf failure/forensic reporting in. Only afrf is currently supported.

Reporting address format

The ruf and rua settings specify where DMARC capable receivers should send the reports to. For v=DMARC1 (currently the only version) this must always be a mailto URL. Reporting to HTTP or other protocols may be implemented in the future, but is currently not supported.

Failure reporting

DMARC failure reporting (previously known as forensic reporting) is a DMARC feature that would allow for real-time reporting of emails that fail alignment. In practice this feature is rarely supported by DMARC capable email servers. Mostly due to the potential high volume of reports and privacy concerns as the report may contain information about the email content.

Failure reporting is set up using the ruf, fo and rf values in the DMARC record. When a DMARC capable receiver receives an email that fails alignment matching the fo value, a forensics report in format rf is sent to the email address defined in ruf.

The fo setting in the DMARC record can be a list of colon-separated values. The accepted values are:

Currently, the only supported report format that can be specified in the rf field is afrf.

As explained earlier, the failure reporting feature is rarely supported and is expected to be deprecated.

Tools