Do you ever wonder what happens to the emails that failed the SPF and DKIM verification? That is where DMARC comes in!
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a DNS record that tells receiving email servers how to handle emails from your domain that fail SPF and DKIM verification.
What is a DMARC Record?
The foundation of a DMARC system is the DMARC record, which holds the domain's DMARC settings. The record tells email receivers that the domain is subject to DMARC and, if so, which policy the domain owner wants applied. A DMARC record is simply a DNS (Domain Name System) entry.
You add the DMARC record to your DNS through your DNS manager. That may be a role inside your company, a dashboard offered by your DNS provider, or a request to the provider to add the record for you.
How Does DMARC Work?
Let's say we have two organizations, yellow.com and green.com, and that yellow.com has published SPF, DKIM, and DMARC records in its public DNS.
Now yellow.com sends an email to green.com. Green.com's email server will check whether the email is valid and legitimate.
The recipient server extracts the domain name from the return path and the domain name from the "From" address, then checks whether the two domains match. This process is called SPF alignment.
If both domain names match, SPF passes. If they do not match, SPF fails, and when SPF alignment fails the recipient server moves on to DKIM validation.
Here the recipient server takes the domain name from the "d=" attribute (a value in the DKIM signature that indicates which domain signed this particular email) and compares it with the domain name extracted from the "From" address.
When both domain names match, DKIM passes. If not, DKIM fails.
If the email fails both the SPF and DKIM checks, the recipient server treats the email according to the action the sending domain specified in its DMARC record.
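The alignment and policy logic just described, as an added example that is not from the original article. It goes slightly beyond the text: besides the exact match described above it also implements DMARC's relaxed alignment (subdomains of the same organizational domain) and the pct sampling rule; all domains and authentication results are constructed sample values.

```python
# Added example (not from the original article): evaluates DMARC alignment
# for one message and maps the result to the receiver's action. Domains and
# authentication results used here are constructed sample values.


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real receivers
    consult the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the DMARC
    default) accepts any subdomain of the same organizational domain."""
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def dmarc_result(from_domain, spf_pass, spf_domain, dkim_pass, dkim_d,
                 aspf="r", adkim="r"):
    """DMARC passes when SPF passed AND its MAIL FROM domain aligns with the
    From: header, OR DKIM passed AND its d= domain aligns. Both legs are
    evaluated; a forged From: backed only by another domain's SPF/DKIM fails."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


def disposition(result: str, policy: str, pct: int = 100,
                sample_point: int = 0) -> str:
    """Action for a message. sample_point (0-99) stands in for the receiver's
    random draw that honours pct; unsampled messages get the next weaker
    policy (reject -> quarantine, quarantine -> none)."""
    if result == "pass":
        return "deliver"
    if sample_point >= pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # yellow.com mails green.com: Return-Path on a subdomain, DKIM d= aligned
    res = dmarc_result("yellow.com", True, "bulk.yellow.com", True, "yellow.com")
    print(res, disposition(res, "reject"))
    # From: claims yellow.com but SPF/DKIM only vouch for an unrelated domain
    res = dmarc_result("yellow.com", True, "other.example", True, "other.example")
    print(res, disposition(res, "reject", pct=100, sample_point=42))
```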
How to Add DMARC Record to Your Domain?
You can do it in just seven easy steps!
- Go to your DNS provider.
- Go to Website DNS management settings.
- Add a new record and select TXT as the type.
- Enter "_dmarc" as the host.
- Start the value with "v=DMARC1" to specify the version used.
- Next, specify the policy, for example "v=DMARC1; p=none; pct=100". The p= value depends on the needs of your domain; for this example, I entered "none."
- Lastly, save all the changes!
And you’re done; you have now enabled DMARC on your domain!
Standard DMARC Record Format and Its Meaning
v=DMARC1; – This indicates the DMARC version in use.
p=Reject; – This is the policy: it tells the recipient server what to do when SPF, DKIM, or both fail on your email.
Three actions are available for the policy.
1. None – The recipient server takes no action and delivers the email to the recipient, where it will most likely land in junk mail.
2. Reject – The recipient server rejects the email if SPF or DKIM fails.
3. Quarantine – The recipient server redirects the failed email to its quarantine portal when the DMARC record specifies the quarantine action.
pct=100; – The percentage of messages to which the domain owner wants the policy applied. If it is 100, as in this example, the p= policy is applied to all emails sent from this domain.
rua=mailto:email@example.com – The mailbox to which recipient servers should send reports for further analysis when SPF and DKIM fail on your emails.
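A checker for the record typed in at the "_dmarc" host in the steps above and the tags listed here, added as an example that is not from the original article. It parses the tag=value syntax, rejects records a receiver would ignore (missing v=DMARC1 or p=, unknown policy, bad pct) and warns about settings such as p=none or pct below 100 that parse fine but give less protection than the policy name suggests; the sample records used are constructed.

```python
# Added example (not from the original article): parses and sanity-checks a
# DMARC TXT record like the one entered at the _dmarc host in the steps above.
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO = r"mailto:[^@\s,]+@[^@\s,]+"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. v=DMARC1 must be the first
    tag, names are case-insensitive, and whitespace around ';' and '=' is
    ignored. Raises ValueError for a record a receiver would ignore."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (x.strip() for x in part.split("=", 1))
        tags[key.lower()] = value
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def check_dmarc(record: str):
    """Return (tags, warnings); warnings flag weak but syntactically valid settings."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))  # non-numeric pct raises ValueError too
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    warnings = []
    if policy == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    elif pct < 100:
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    if "rua" not in tags:
        warnings.append("no rua= address, so no aggregate reports will arrive")
    elif not re.fullmatch(rf"{MAILTO}(,{MAILTO})*", tags["rua"]):
        warnings.append("rua= should be one or more comma-separated mailto: URIs")
    return tags, warnings


def is_valid(record: str) -> bool:
    """True when the record parses and uses only valid policy and pct values."""
    try:
        check_dmarc(record)
        return True
    except ValueError:
        return False
```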
Does DMARC Need SPF and DKIM to Work?
DMARC needs at least one of SPF and DKIM.
SPF, DKIM, and DMARC records work in tandem; hence setting up SPF and DKIM records is a prerequisite before implementing a DMARC record.
DMARC not only requires that SPF or DKIM pass; it also requires the domain used by whichever of those protocols passed to match the domain in the "From" address.
This means DMARC cannot operate without either SPF or DKIM. At least one of the two should be published so that DMARC can work to its full potential.
DMARC comes into play when an email fails SPF or DKIM validation. So the process starts with at least one of SPF or DKIM, and only then can DMARC apply. You will not be able to use DMARC if the email does not go through either SPF or DKIM.
If the email passes SPF, it goes straight to the recipient's inbox; if it does not, DMARC applies. The same goes for DKIM: when the email fails DKIM, that is when DMARC comes in.
Can I Use One Record Instead of Three?
SPF (Sender Policy Framework) alone will work, but only as a first layer of validating your emails. It lets receiving servers know which IP addresses are allowed to send mail on behalf of your domain, and that is all; SPF alone will not give you complete protection. You should use DKIM (DomainKeys Identified Mail) and DMARC together with your SPF record. Together these methods identify security issues such as email spoofing, being added to a server's denylist, and being marked as spam.
If you have DKIM, the content of your email is protected: the digital signature DKIM provides gives assurance that attackers have not altered the content, and any change to the email is clearly detectable. This is the ultimate protection.
If you have DMARC, the recipient server knows exactly what to do with emails that fail SPF and DKIM validation, and that is up to you as the domain owner: do nothing (none), quarantine, or reject.
You can use SPF alone, but it is limited. DKIM alone cannot solve spamming and phishing. You cannot use DMARC without publishing SPF or DKIM.
In other words, you can use DMARC with at least one of DKIM or SPF, but you cannot use DMARC alone. You can use SPF and DKIM independently, but they will be limited.
These records are not hard to publish for your domain; you can do it in a few simple steps.
It is best to have all three records working together so that a high number of your emails pass.
What Record Do I Need The Most?
In summary, SPF lets email senders specify which IP addresses are permitted to send mail for a specific domain. DKIM's signing key and digital signature confirm that an attacker did not alter the email message. DMARC determines what recipient servers do if the email fails either or both of the SPF and DKIM validation checks.
This means all of them are equally essential. You can choose what is best for you according to the needs of your domain, but the best choice is to have them working together so that more of your emails are delivered.
SPF, DKIM, and DMARC are the pillars of email authentication. With all three in place you get the maximum benefit: more of your emails delivered, passing the spam filter, with their original content verified.