Guidance

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Published 19 February 2016

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email standard that:

  • checks inbound emails came from where they say they came from using a combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)
  • tells the recipient’s email service what to do with emails that fail the check
  • asks recipient email services to send back reports of where email is coming from

This diagram shows how it works.

""
Domain-based Message Authentication, Reporting and Conformance (DMARC)

Why is DMARC important?

Cyber criminals target individuals, small businesses and large organisations. They compromise user accounts, acquire personal information, and steal passwords, bank account details and credit card numbers. Phishing and malware distribution attacks are common internet security threats, costing organisations and individuals billions of pounds per year globally.

By using DMARC, organisations can:

  • help protect their customers, employees and reputation from cybercrime
  • reduce customer support costs relating to email fraud
  • improve trust in the emails they send
  • see the legitimate and fraudulent use of their domains via DMARC reports

Setting up DMARC

You publish a text (TXT) record in your DNS like this one:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@mydomain.gov.uk

This tells anyone receiving email from you that:

  • you have a DMARC policy (v=DMARC1)
  • any messages that fail DMARC checks should be treated as spam (p=quarantine)
  • they should treat 100% of your messages this way (pct=100)
  • they should send reports of email received back to you (rua=mailto:dmarc@mydomain.gov.uk)

In support of this you need to publish an SPF record and a DKIM record. You also need to make sure the emails you send (including those from third party services that send on your behalf) have a DKIM signature that matches the one in the DKIM record.

Checking incoming email

Your email service will check if incoming messages come from a valid server (this is the SPF check) and are signed correctly (the DKIM digital signature). Depending on the service this may happen automatically, or there may be a checkbox to enable it. Confirm with your service provider.

Reporting back

Most email services will check your DMARC record and send you aggregated reports (if you include an email address in your DMARC record). The reports tell you about all the email the service received from you, and where it came from. This tells you if someone in your organisation is sending email inappropriately, or if your domain is being spoofed, which you may not otherwise know.

An example DMARC report:

<record>
 <row>
 <source_ip>123.456.78.9</source_ip>
 <count>1</count>
 <policy_evaluated>
 <disposition>none</disposition>
 </policy_evaluated>
 </row>
 <identities>
 <header_from>mydomain.gov.uk</header_from>
 </identities>
 <auth_results>
 <dkim>
 <domain>mydomain.gov.uk</domain>
 <result>pass</result>
 <human_result></human_result>
 </dkim>
 <spf>
 <domain>mydomain.gov.uk</domain>
 <result>pass</result>
 </spf>
 </auth_results>
</record>

The reports are in Extensible Markup Language (XML) so aren’t easy to read. However, there are many services (including some cheap or free ones) that import your reports and display the information in a meaningful dashboard. You’ll get reports from email providers like Gmail, Yahoo! and Outlook. The intention is to help you understand how your domain is being used, rather than to track specific messages (although you can include a ruf tag in your DNS record to receive more detailed failure reports).

Read more about DMARC

Find more information on DMARC at dmarc.org.

You can also read this guide to creating a DMARC record and implementation guides for popular cloud-based email services like Google Apps and Office 365.

Google uses DMARC to show when email is authenticated in Gmail.

Authenticated Receive Chain (ARC) is a related standard that supports email authentication in indirect email flow.