What is DMARC?

DMARC is a useful feature in your e-mail software that is good to know about - we'll explain what it is and how it works.

16-12-2022 - 6 minute read. Posted in: awareness.

What is DMARC?

DMARC is an acronym for Domain-based Message Authentication, Reporting, and Conformance. It is an email security standard that prevents fake emails such as phishing emails from reaching the recipient. DMARC also prevents emails that have been tampered with in transit from reaching their destination. In other words, it ensures that emails come from the correct e-mail server.

Before we dive into DMARC, however, we'll look at why some emails end up as spam.

Why emails end up in the spam folder

Answering why some emails end up as spam is quite complicated, and each e-mail provider typically has its own way of determining this, which they do based on various points.

For example:

  • The content of the email, including specific words in the subject field
  • The size of text and images
  • Number of special characters
  • Unsubscribe link and company information if it is a news email.
  • Sender history, i.e. whether the sender has communicated with you in the past

Providers also check whether others have reported the sender for spam or phishing. On top of that come the technical aspects, including whether the sender's IP address is blacklisted, the result of a virus/malware scan, whether SPF, DKIM and DMARC records are set up correctly, etc.

Based on these points, the mail is assessed and given a score that places it in the inbox or the spam folder, or rejects it altogether. However, as mentioned above, this may vary from one provider to another. This is precisely why it is a good idea to add SPF, DKIM and DMARC to your mail server.

What is DMARC?

DMARC is not a product you can buy, but a free technical specification that adds new features to e-mails. DMARC was originally created to protect against phishing and is also called anti-phishing in some circles, as it can simply reduce the number of fake emails that reach your inbox.

DMARC makes it harder for hackers to take advantage of e-mail domains by, for example, sending fake e-mails from someone else's e-mail address, leading recipients to believe they have received a legitimate e-mail.

DMARC is an important addition because developments in cybercrime mean that hackers' methods have become more sophisticated and technical. It also means that critical thinking and heightened awareness simply fall short, and therefore it is necessary to implement technical security measures such as DMARC as protection against cybercrime. In this way, it adds to the overall security of the web.

DMARC is built on top of the DKIM and SPF security standards, which are also important additions to any mail server. You can read more about them in our separate blog posts on the two tools.

How DMARC works

In very basic terms, DMARC takes care of sorting all mail. In this process, the fake mails are blocked before they reach the recipient. DMARC can thus be compared to a postman checking your identity every time you send a letter.

DMARC can provide insight into whether domains are being misused and whether emails are getting through correctly. DMARC thus cross-checks information about the mail - sender, recipient and content - against the above points. The information found through SPF and DKIM thus forms an extra layer of security when it is matched between the two tools.

For DMARC to validate an e-mail, it must go through two steps. In the first step, the e-mail must be approved by either SPF or DKIM before it goes on to DMARC; validation by one of the two tools is enough here. In the second step, domain alignment must match the header information with at least one of the two tools that validated the e-mail in the first step.

This means that if DKIM fails the mail and SPF validates it, domain alignment must be able to match SPF for DMARC to accept and validate it. It is therefore a filtered system that e-mails must go through before they reach you as the recipient.

DMARC cannot validate an email

It can also happen that DMARC simply cannot validate an email, and thus it fails. Then you may wonder what happens to the failed mail. You have a pre-created DMARC record where you specify a domain name and how emails from that domain name should be handled.

Here you define a "mail policy", i.e. how DMARC, SPF and DKIM should react to the different domains. The mail policy is defined with "p=policy", where you can fill "policy" with three different policies:

  • p=none indicates that no action should be taken with the mails that fail DMARC validation
  • p=quarantine means that the mails that are failed by DMARC should be "quarantined" in another folder, remote from your regular inbox - this is typically in your spam folder
  • p=reject means, very simply, that the mails that fall under this policy should just be rejected and not delivered to you
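
The two-step check from "How DMARC works" and the three p= policies above, as an added Python example that is not from the original post. The record, domains and results are constructed, and relaxed alignment is approximated without the Public Suffix List that real receivers use.

```python
# Constructed sample record; example.com is a placeholder domain.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def aligned(from_domain, auth_domain, mode="r"):
    """Strict mode ('s') needs an exact match. Relaxed mode ('r') is approximated
    as 'one domain is a subdomain of the other'; real receivers compare
    organizational domains via the Public Suffix List."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b or (mode == "r" and (a.endswith("." + b) or b.endswith("." + a)))

def evaluate(record_txt, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs from the receiving server.
    Returns (dmarc_result, action)."""
    tags = parse_dmarc_record(record_txt)
    # A mechanism counts only if it passed AND its domain aligns with the
    # domain in the From header.
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # DMARC failed: the domain owner's p= policy decides what happens.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return "fail", action

if __name__ == "__main__":
    # DKIM fails, SPF passes and aligns: DMARC accepts the mail.
    print(evaluate(RECORD, "example.com", ("pass", "example.com"), ("fail", "example.com")))
    # SPF passes for an unrelated domain: no alignment, so the policy applies.
    print(evaluate(RECORD, "example.com", ("pass", "mailer.invalid"), ("none", "")))
```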

The last and important feature of DMARC

Another very important function of DMARC is reporting. You can receive reports that give you information about your email approvals. You can choose which reports you want to receive and what focus they should have; whether it is the domain name you want to investigate or a specific keyword in an email.

The two types of reports are aggregate reports and forensic reports:

  • Aggregate reports are the most common type of report, because they give a general overview of how effective the whole email authentication process is
  • Forensic reports, on the other hand, go into detail and show exactly where the email has failed

The advantage of reviewing the reports is that you can optimise the authentication even more than it already is. It may be a good idea to optimise authentication because there will be problems with the use of SPF, DKIM and DMARC if you have not set them up correctly. This is why the p=none policy exists.

You should also be careful not to set the DMARC policy to p=reject only, because although spam is annoying, there are also many mails that can be lost. Therefore, p=none is optimal because it works with the reports and separates spam from legitimate emails.

The three tools are the most optimal setup when it comes to optimizing your domain's email authentication and delivery. As you may have read, it's a complicated process, but luckily the computer does most of the work.

Even though it's the computer that does the job for you, it's good to know the mechanism behind it, so your awareness training makes even more sense.

Author Emilie Hartmann

Emilie is responsible for Moxso’s content and communications efforts, including the words you are currently reading. She is passionate about raising awareness of human risk and cybersecurity - and connecting people and tech.
