DMARC - the third building block to higher e-mail security

Liam Ormond - Published on 29.12.2022

Cybercrime is on the rise, and e-mail is considered a major entry point for attackers. It is therefore important to give one's own e-mail domains special protection. One practical measure for this goes by the name DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance.

Alongside Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), DMARC is a further building block for greater e-mail security. Together they are meant to stop online criminals from exploiting weaknesses in the Simple Mail Transfer Protocol (SMTP) to forge sender addresses at will and distribute spam and malware in the name of other e-mail domains. SPF defines a list of authorized server names and IP addresses that may send messages on behalf of an e-mail domain; DKIM goes one step further and adds digital signatures based on public and private keys. Only mail servers holding the matching private key can produce a signature for a domain, which lets the receiver verify that the sender address is genuine and the message unaltered.

What is DMARC?

SPF and DKIM thus indirectly help e-mail providers and their spam filters to assess the reputation of a sender address and to decide how likely a message is to be spam. However, how a receiving e-mail system deals with a message whose SPF and DKIM checks fail is left to its discretion: it may reject the message outright, or mark it as potential spam and deliver it anyway.

This is where DMARC comes into play. It is not an independent technology in its own right, but a supplement to SPF and DKIM. With a DMARC record, the administrators of an e-mail domain (that is, of the sending side) describe how a receiving mail server should proceed with a message whose SPF and DKIM checks fail, and who is to be informed in the event of an error. Gmail performs this additional DMARC check automatically in the background, without any end-user intervention.

Create DMARC Entry

Analogous to SPF and DKIM, DMARC also relies on TXT records in the Domain Name System (DNS). A DMARC record is published under the subdomain "_dmarc" and describes the desired policy in its value. If the result of a check is "DMARC Record not found", then no policy has yet been defined for the domain in question. This can be easily remedied, for example with an online service such as "DMARC-Record". The tool helps to generate a suitable policy and to check whether a policy already exists for a domain and which settings it contains. A very simple policy has the value

v=DMARC1; p=reject;

The mandatory parameter "v" defines the protocol version, and "p" tells the receiver how to handle messages that name the main domain as their sender. In this case, "reject" ensures that messages are rejected if SPF or DKIM checks fail. The alternative values are "quarantine" and "none": the former requires a message to be marked as potential spam, while the latter makes no explicit specification. Subdomains automatically inherit the settings of the main domain.

A slightly more complex policy with the value

v=DMARC1; p=reject; rua=mailto:postmaster@example.com; ruf=mailto:soc@example.com; aspf=r; adkim=s;

requests the delivery of aggregate ("rua") and detailed forensic ("ruf") DMARC reports to the specified e-mail addresses. The last two parameters set, separately for SPF and DKIM, how strictly the domains must match: "s" (strict) requires the sender domain of a message to match the main domain stored in DNS exactly, while "r" (relaxed) also accepts subdomains.
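As an added example (not code from the original article), the following Python parses the two records above and applies the aspf/adkim alignment modes to a message's identifiers; the organizational-domain lookup is a simplifying assumption (last two labels), and the verdict follows the RFC 7489 rule that DMARC passes as soon as either aligned SPF or aligned DKIM passes.

```python
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("aspf", "r")      # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): treat the last two labels as the
    # organizational domain. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(record: dict, from_domain: str,
                 spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Disposition for one message. spf_domain/dkim_domain are the domains whose
    SPF / DKIM check passed (None if that check failed). DMARC passes when one
    of them is aligned with the From: domain; otherwise p= (or sp=) applies."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return record["sp"] if is_subdomain else record["p"]
```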

Evaluate DMARC Report

A DMARC report provides insight into how your e-mail domains are being used and where checks fail. In essence, a report is a compressed XML file, i.e. once unpacked, a text format that you can open with any editor. A dedicated DMARC reporting tool, such as the online service "Dmarc Report Analyzer", makes the evaluation easier. If you upload a DMARC report there, the service gives you a tabular evaluation of successful and failed checks in the categories SPF, DKIM and DMARC.
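As an added example that is not part of the original article, this Python script decompresses and tabulates a constructed aggregate ("rua") report in the RFC 7489 XML format, producing the per-source SPF, DKIM and DMARC results a reporting tool would display; the sample report, its report ID and its IP addresses are made up.

```python
import gzip
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed minimal aggregate report (not a real one) in the RFC 7489 XML schema.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""
# Reports are normally delivered gzip-compressed; simulate that delivery here.
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT)


def load_report(data: bytes) -> ET.Element:
    """Accept raw XML or gzip-compressed XML (gzip magic bytes 1f 8b)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)


def summarise(root: ET.Element) -> dict:
    """Per source IP: message count, aligned SPF/DKIM results and DMARC verdict."""
    rows = []
    totals = Counter()
    for rec in root.findall("record"):
        spf = rec.findtext("row/policy_evaluated/spf")
        dkim = rec.findtext("row/policy_evaluated/dkim")
        # DMARC passes when at least one aligned identifier (SPF or DKIM) passed.
        dmarc = "pass" if "pass" in (spf, dkim) else "fail"
        count = int(rec.findtext("row/count"))
        rows.append({"ip": rec.findtext("row/source_ip"), "count": count, "spf": spf,
                     "dkim": dkim, "dmarc": dmarc,
                     "disposition": rec.findtext("row/policy_evaluated/disposition")})
        totals[dmarc] += count
    return {"domain": root.findtext("policy_published/domain"),
            "rows": rows, "totals": dict(totals)}
```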

Conclusion: With SPF, DKIM and DMARC, three important building blocks are available to protect your e-mail communication. Google supports all of these methods out of the box with Gmail. They can be used at no additional cost and set up in just a few steps. However, special features must be taken into account if you want to use additional services such as newsletter providers, mailing lists or special software for automated message forwarding. Therefore, you should rely on specialists for the configuration! We will be happy to support you - as we do in other questions of e-mail security and in the migration to Gmail.
