
How DMARC Strengthens Email Security for Your Business

Discover how DMARC works with SPF and DKIM to stop spoofing, improve deliverability, and safeguard your brand from costly cyberattacks.

Introduction

The impersonation of legitimate corporate email addresses to obtain sensitive information or defraud organizations (more commonly known as phishing) costs businesses billions of dollars every year. It’s estimated that 90% of cyberattacks begin with a phishing email, and email fraud costs U.S. businesses an average of $17,700 every minute.


What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps protect your domain from being used in phishing, spoofing, and other fraudulent email activities.


Why is DMARC important?

  • Protects your brand from spoofing
  • Improves email deliverability
  • Helps prevent phishing attacks on customers
  • Gives you visibility into how your domain is being used


How Does DMARC Work?

1. Verifies that emails really come from your domain

DMARC works with SPF and DKIM, two other authentication methods, to confirm that an email claiming to be from your domain is actually authorized.

2. Tells mailbox providers what to do with failed emails

You set a DMARC policy to decide what happens if a message fails authentication:

  • none – Monitor only
  • quarantine – Send suspicious emails to spam
  • reject – Block them completely

3. Sends you reports

DMARC provides detailed reports that show who is sending emails using your domain—legitimate or not. These reports help you catch unauthorized senders.


In order to understand DMARC, we have to understand SPF and DKIM (two widely used authentication methods) and the limitations of those two protocols in addressing FROM Address Domain spoofing.


What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol that allows the owner of a domain to identify which email servers (IP addresses) are authorized to send an email on behalf of their Envelope Domain. During an SPF protocol check, email providers verify the SPF record by looking up the domain name listed in the Envelope Domain address in the DNS. If the IP address sending emails on behalf of the Envelope Domain is listed in that SPF record, the messages will pass SPF protocol authentication.

In this example, a passing SPF check tells the mailbox provider that the Envelope Domain (mail.abc-company.com) has given the sending IP (18.45.98.225) permission to send in its name.

So what’s the problem?

Well, while SPF tells us that the sending server has permission to send on behalf of the Envelope Domain (mail.abc-company.com), it tells us nothing about whether this sending server has permission to be sending on the FROM Address Domain ([email protected]). This disconnect leaves brands unprotected against cybercriminals who more frequently spoof the FROM address since it’s more visible to the email recipient.
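To make the SPF check concrete, here is a small SPF evaluator written for this article (it is an added example, not Act-On's code). It walks a record the way a receiving server does, but only for the ip4, include and all terms; the DNS records, domains and IP ranges in DNS_TXT are constructed for the example. The last function shows the disconnect described above: the only identity SPF ever consults is the Envelope (MAIL FROM) domain, and the header From: address plays no part in the result.

```python
import ipaddress

# Constructed DNS TXT table that stands in for live DNS lookups.
# These records, domains and IP ranges are assumptions for the example, not real ones.
DNS_TXT = {
    "mail.abc-company.com": "v=spf1 ip4:18.45.98.0/24 include:_spf.esp-example.net -all",
    "_spf.esp-example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# SPF qualifiers map a matching mechanism to a result (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if it publishes none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(envelope_domain, sending_ip, depth=0):
    """Evaluate the envelope (MAIL FROM) domain's SPF record against the connecting IP.

    Supports the ip4, include and all terms, which is enough for the records above;
    a, mx, exists and macros are out of scope for this example.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; this also guards include loops
        return "permerror"
    record = lookup_spf(envelope_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include: matches only when the referenced domain's record yields "pass"
            if check_spf(argument, sending_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" term present


def spf_for_message(mail_from, header_from, sending_ip):
    """Show which identity SPF consults: only the MAIL FROM (envelope) domain.

    The header From: address is returned untouched so the caller can see that it
    played no part in the SPF result; this is the gap that DMARC alignment closes.
    """
    envelope_domain = mail_from.rsplit("@", 1)[-1]
    return {"spf": check_spf(envelope_domain, sending_ip),
            "spf_identity": envelope_domain,
            "header_from": header_from}


if __name__ == "__main__":
    print(check_spf("mail.abc-company.com", "18.45.98.225"))  # pass (ip4 match)
    print(check_spf("mail.abc-company.com", "203.0.113.7"))   # pass (via include)
    print(check_spf("mail.abc-company.com", "198.51.100.9"))  # fail (-all)
    print(spf_for_message("bounce@mail.abc-company.com", "ceo@abc-company.com", "18.45.98.225"))
```

Note that an include: term is only satisfied by a "pass" from the referenced record; a softfail inside the included record does not match, and evaluation continues to the next term.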

What is DKIM?

DomainKeys Identified Mail (DKIM) is a protocol that allows the sending server to cryptographically sign an email in a way that declares a specific domain responsible for the untampered transmission of that piece of mail, and that does so in a verifiable manner.

DKIM example:

DKIM Signature in the header of an email that tells the mailbox provider what domain (d=) is signing this email:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=55555aoauth; d=mail.abc-company.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe;

The mailbox provider retrieves the public key that the signing domain has published in DNS (under the selector named in s=) and uses it to verify the signature; only the holder of the matching private key could have produced it.

The DKIM Passing tells the Mailbox provider two things:

  1. The DKIM signed domain (d=mail.abc-company.com) really does “take authority” of the email. (Otherwise, the signature would not have verified against that domain's published public key.)
  2. The elements of the email signed by DKIM were not changed in transit.

Again, though, there’s a problem.

A sender can sign a piece of mail with any domain they own, regardless of which domain is used in the FROM address, and it will still pass DKIM! Again, this means that while passing DKIM tells us that the email has not been tampered with in transit, it does not necessarily tell us whether the sender truly is the owner of the From Address Domain.
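The following example, added for this article and not Act-On's code, shows the part of DKIM verification that does not need the signer's RSA key: parsing the DKIM-Signature tags (including d=, the domain that claims responsibility), applying the "relaxed" canonicalization named in c=relaxed/relaxed, rebuilding the signed header block listed in h=, and checking the body hash in bh=. The sample body is constructed, and the header below is the article's own example extended with a bh= computed here; b= is omitted because checking it requires the public key from DNS. It demonstrates the second guarantee above (tamper evidence) and why the first one says nothing about the From address: d= is simply whatever domain the signer chose.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value ('v=1; a=rsa-sha256; d=...; bh=...') into a tag dict.

    Folding whitespace inside the base64 tag values (bh=, b=) is not significant and is dropped.
    """
    tags = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        tags[name] = re.sub(r"\s+", "", value) if name in ("b", "bh") else value.strip()
    return tags


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization (the body half of c=relaxed/relaxed).

    Runs of spaces/tabs within a line become one space, trailing whitespace on each line
    is removed, trailing empty lines are removed, and a non-empty body ends in CRLF.
    """
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, algorithm="rsa-sha256"):
    """Compute the base64 body hash that the signer places in bh=."""
    digest = hashlib.sha1 if algorithm.lower() == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body_relaxed(body)).digest()).decode("ascii")


def canonicalize_header_relaxed(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization of one header field."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers, h_tag):
    """Return the canonicalized header fields named in h=, in that order.

    This is the header half of the data the signature (b=) covers, which is what makes
    those fields tamper-evident. headers is a list of (name, value) pairs in message
    order; as in real verifiers, the last instance of a repeated field name is used first.
    """
    remaining = list(headers)
    block = ""
    for wanted in h_tag.split(":"):
        wanted = wanted.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                name, value = remaining.pop(i)
                block += canonicalize_header_relaxed(name, value)
                break
        # a field listed in h= but absent from the message is signed as empty: nothing is added
    return block


def verify_body_hash(dkim_signature_value, body):
    """The bh= check that runs before the RSA signature check: does the body still hash to bh=?"""
    tags = parse_dkim_signature(dkim_signature_value)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    return tags["bh"] == body_hash(body, tags.get("a", "rsa-sha256"))


def signing_domain(dkim_signature_value):
    """The d= tag: the domain claiming responsibility for the message (item 1 above)."""
    return parse_dkim_signature(dkim_signature_value).get("d")


# Constructed sample body; the signature is the article's header plus a bh= computed here.
SAMPLE_BODY = "Hello   team,\r\n\r\nPlease review the attached report.  \r\n\r\n\r\n"
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=55555aoauth; d=mail.abc-company.com; "
                    "h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; "
                    f"bh={body_hash(SAMPLE_BODY)};")

if __name__ == "__main__":
    print(signing_domain(SAMPLE_SIGNATURE))
    print(verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print(verify_body_hash(SAMPLE_SIGNATURE, "Hello team,\r\n\r\nPlease review the revised report.\r\n"))
```

Because the canonicalization is "relaxed", a body that differs only in whitespace still verifies (mail relays routinely rewrap and trim), while a change to a single word does not.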

Thankfully, the DMARC protocol instructs mailbox providers not only to look at whether an email passes SPF and DKIM – but also whether the SPF-authenticated domain (the Envelope Domain) and the DKIM signed (d=) domain are also aligned with the FROM Address Domain.

The DMARC protocol also specifies whether that email should be rejected (bounced), quarantined (placed in SPAM or the network's quarantine), or left alone entirely, based on whether DMARC passes or fails. DMARC also provides a reporting feature that lets major email providers report back to domain owners, helping them identify weaknesses in their domain authentication across the different platforms they use while also alerting them to potentially fraudulent use of their domain.

When implemented correctly, DMARC helps to ensure that forged emails using your company domain will not be accepted by recipient servers.
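This example, added for this article and not Act-On's code, puts the alignment rule and the three policies together in the form a receiving server applies them. The DMARC record, the reporting address and the short public-suffix list are constructed assumptions (a real verifier uses the full Public Suffix List). Given the raw SPF and DKIM results and the domains they authenticated, it checks whether either one aligns with the FROM Address Domain (relaxed alignment by default, strict when adkim=s or aspf=s), and on failure returns the published disposition, using sp= for subdomains.

```python
# Constructed DNS TXT table standing in for _dmarc lookups; the record, the reporting
# address and the public-suffix list below are assumptions for the example.
DNS_TXT = {
    "_dmarc.abc-company.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                               "rua=mailto:dmarc-reports@abc-company.com"),
}
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # a real verifier uses the full Public Suffix List


def organizational_domain(domain):
    """Strip subdomains down to the registrable domain (mail.abc-company.com -> abc-company.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain):
    """Policy for the header From domain: its own _dmarc record, else the organizational domain's."""
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if record:
        return parse_dmarc_record(record), False
    record = DNS_TXT.get(f"_dmarc.{organizational_domain(from_domain)}")
    if record:
        return parse_dmarc_record(record), True  # found on the org domain, so sp= governs this subdomain
    return None, False


def aligned(authenticated_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' (default) = same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return organizational_domain(authenticated_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, envelope_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with alignment; return (dmarc_result, disposition).

    spf_result / dkim_result are the raw outcomes ("pass", "fail", ...); envelope_domain is
    the SPF-checked MAIL FROM domain and dkim_domain the d= of the verified signature.
    """
    record, is_subdomain = lookup_dmarc(from_domain)
    if record is None or record.get("v") != "DMARC1":
        return "none", "none"  # no policy published: nothing to enforce or report
    spf_aligned = spf_result == "pass" and aligned(envelope_domain, from_domain, record.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none"  # one aligned pass is enough
    policy = record.get("p", "none")
    if is_subdomain:
        policy = record.get("sp", policy)
    return "fail", policy  # none (monitor only), quarantine, or reject


if __name__ == "__main__":
    # Legitimate mail: From abc-company.com, SPF on mail.abc-company.com, DKIM d=mail.abc-company.com
    print(evaluate_dmarc("abc-company.com", "pass", "mail.abc-company.com", "pass", "mail.abc-company.com"))
    # SPF and DKIM both pass, but for a third-party domain that does not align with From
    print(evaluate_dmarc("abc-company.com", "pass", "bulk.esp-example.net", "pass", "esp-example.net"))
    # Unauthenticated mail claiming a subdomain: the sp= policy applies
    print(evaluate_dmarc("news.abc-company.com", "fail", "unknown.example", "fail", None))
```

The second call is the case the SPF and DKIM sections warned about: both checks pass, yet the message fails DMARC because neither authenticated domain belongs to the organization in the From address. The rua= tag is where the aggregate reports described above are sent, so a domain starting with p=none still gains visibility before moving to quarantine or reject.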

Act-On is Here to Help With DMARC Implementation 

DMARC authentication will apply to any service (corporate servers, marketing automation, CRMs, ESPs) that utilizes your company domain (and even subdomains of your primary domain). This means that successful deployment requires thorough planning, cross-department buy-in, and technical support from your IT department or a third-party specializing in DMARC adoption. 

If you’d like to learn more about DMARC and other email deliverability best practices that can be executed through Act-On, please schedule a brief demonstration with one of our marketing automation experts.
