<dmarc> detects fake emails

dmarc logo

dmarc explained

DMARC stands for: Domain-based Message Authentication, Reporting and Conformance.
It is an email authentication standard, developed to combat spoofed domain mail.

Senders:

  • authenticate their emails with spf and dkim
  • publish a “dmarc policy” for how to handle unauthenticated mail

Receivers:

  • take action on unauthenticated mail, based on the sender “dmarc policy”
  • report on the outcome to the sender

With some mailbox providers, it influences deliverability in a meaningful way, see:
How dmarc works with Google Mail and Office 365 in 2020 *
“Office 365 is generally responsive to spf and dkim authentication.
The only way to get consistent results, reaching the inbox, is to associate them with dmarc”

* = external website link, will open in a new page


how to make dmarc work

DMARC uses SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Emails)
to control the situation when email fails authentication tests.

SPF requires that you declare which servers you use to send out email messages.
Check how to configure spf to know more and set it correctly.

RealSender smtp servers sign all outgoing email messages with the DKIM signature.
A setup is needed if you want to sign with the same domain of the sender.
Check how to configure dkim to know more.

RealSender provides you a mailbox that collects the dmarc reports generated by the receivers.


how to configure dmarc

  1. At the beginning you should set the policy tag to “none” (p=none),
    which means that the Mailbox Provider won’t do anything with the spoofed/phished emails.
    You should add a TXT record on your domain (example.com), that should look like this:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc.example@rsbox.com"
  1. Starting from the next day, you will begin to receive the dmarc rua reports online.

    You might discover that you forgot to authenticate an email campaign that’s being deployed from a third party.
    If something like that happens, simply authenticate it and check that the next mailing passes the dmarc tests.

  2. When the reports are correct for a few weeks, tell the Mailbox Providers to reject/block those spoofed/phished emails.

    The _dmarc TXT record of your domain should be changed to look like this:

"v=DMARC1; p=reject; rua=mailto:dmarc.example@rsbox.com"

dmarc downsides

If your organization implements dmarc, you will need to check carefully
before you introduce any new method of sending email.

Dmarc applies strict policies on how spf and dkim are tested
this can cause emails which would otherwise pass those tests
to be rejected by mailbox providers.

Even if everything is set correctly, the verification may fail:

  • the spf check, if the email has been redirected (forwarded) or sent through a mailing list
  • the dkim check, if the message has been altered, breaking the dkim signature

last updated on August 25, 2020


<dmarc> rua reports online