What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a security protocol that helps protect email senders and recipients from phishing, spoofing, and other malicious activities. It works by checking if the email you receive is really from the person or organization it claims to be from.
When someone sends you an email, DMARC lets the receiving server check that the sender is authorized to send email from that domain. If the email doesn't pass the check, your DMARC policy tells the receiver to reject it, mark it as spam, or allow it through and report the failure to you as the domain owner.
In simple words, DMARC gives you control over your email domain by allowing you to specify who is allowed to send emails on your behalf and who is not. With DMARC, you can easily reject or quarantine emails from unauthorized users, IP addresses, or mail servers.
How DMARC Works
DMARC uses two key email authentication methods, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to ensure that an email comes from the real sender.
What are SPF and DKIM?
SPF (Sender Policy Framework) is a DNS record that tells receiving email servers which IP addresses are allowed to send email from your domain. It is a TXT record listing the IP addresses and third-party services that are authorized to send mail for your organization's domains.
For example, let’s say you're using company.com for your business communications, marketing, and to receive alerts from various applications running in your environment. To ensure that emails are delivered smoothly and reach your employees' inboxes, you would add a TXT record containing the IP addresses of your authorized email vendors, partners, and your SMTP services.
As an organization, we use Outlook for business communications, Zoho for marketing emails, and other services from our IP address. Therefore, our SPF record might look like this:
aquilai.io IN TXT "v=spf1 include:spf.protection.outlook.com ip4:202.66.175.61 ip4:101.53.144.148 include:zoho.in include:zcsend.in ~all"
This record helps ensure that emails sent from authorized services are delivered successfully.
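To show what a receiving server actually does with such a record, here is an added example (not Aquila I's code) that evaluates a sender IP against a shortened copy of the record above. DNS is replaced by an in-memory dictionary, and the content of the included Outlook record is a constructed placeholder, not Microsoft's real record.

```python
"""Evaluate a sender IP against an SPF record (added example, not Aquila I code)."""
import ipaddress

# Constructed stand-in for DNS: a shortened copy of the page's record plus a
# made-up record for the include. Real evaluation queries DNS for each include
# and must stop after 10 DNS-querying terms (RFC 7208 lookup limit).
DNS_TXT = {
    "aquilai.io": "v=spf1 include:spf.protection.outlook.com ip4:202.66.175.61 ip4:101.53.144.148 ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 -all",  # placeholder content
}

# Prefix qualifiers that decide the result when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none for sender_ip sending as domain.

    Only ip4, ip6, include and all are implemented; a, mx and exists are skipped.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record itself yields pass
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all' term
```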
DKIM (DomainKeys Identified Mail) is like a digital signature for your email. It ensures that the email hasn't been tampered with and verifies that it really came from the domain it claims to be from. A DKIM public key is published in your DNS, and the private key is stored on your email servers. When an email is sent, it is signed using your domain's private key. The recipient's email server then looks up the public key in your DNS and uses it to verify the signature. Depending on the result and your DMARC policy, the email is either delivered, marked as spam, or rejected.
For DMARC to work well, both SPF and DKIM should be properly set up and working. A message passes DMARC, however, as long as either SPF or DKIM passes and the domain it authenticates aligns with the domain in the From: header.
Now that you understand the importance of having SPF and DKIM set up for your email domain to ensure DMARC works properly, let’s dive into the different DMARC policies.
What are DMARC policies?
DMARC policies are rules set by domain owners to define how email providers should handle emails that fail authentication checks (such as SPF or DKIM). DMARC policies help protect your domain from email spoofing and phishing attacks by ensuring that only authorized senders can send emails using your domain.
p=none
None is typically used for monitoring purposes. It tells email receivers to do nothing with emails that fail DMARC checks, but still send reports about these failures.
It is ideal for domains that are just starting to implement DMARC. The none policy allows you to collect data without affecting email delivery, so you can assess your email authentication setup and make adjustments before enforcing stricter policies.
Emails that fail DMARC checks will still be delivered to recipients’ inboxes. However, the domain owner will receive reports showing which emails failed authentication and why.
p=quarantine
The quarantine policy instructs email receivers to treat emails that fail DMARC checks as suspicious and send them to the spam or junk folder.
This is typically used after monitoring with none. It’s a more aggressive approach that helps protect recipients from potentially fraudulent emails while still allowing you to assess the impact on email deliverability.
Emails that fail DMARC checks are not delivered to the inbox. Instead, they are marked as spam or quarantined, depending on the email provider’s policy. The domain owner will still receive aggregate reports for monitoring.
p=reject
The reject policy is the strictest DMARC policy. It tells email receivers to reject any emails that fail DMARC checks. These emails will not be delivered at all.
This is the final stage of DMARC implementation, used when you’re confident that all legitimate email traffic for your domain is properly authenticated. It’s recommended only after thoroughly testing and monitoring email traffic under the none and quarantine policies to avoid accidentally rejecting valid emails.
Emails that fail DMARC checks will be completely rejected and not delivered to recipients. This policy provides the strongest protection against email spoofing and phishing attacks.
Summary of DMARC policies

| Policy | Description | Impact on Emails |
|---|---|---|
| p=none | Monitor only, collect data. | No impact on email delivery; used for reporting and analysis. |
| p=quarantine | Mark suspicious emails as spam or move them to junk. | Emails that fail DMARC are sent to spam. |
| p=reject | Reject emails that fail DMARC checks. | Emails that fail DMARC are not delivered. |
How to implement DMARC on your domain
Start with a "none" policy: Initially, you can set your DMARC policy to "none" to collect data about your email traffic without affecting delivery. This allows you to monitor email authentication without rejecting any messages.
Move to "quarantine": Once you're confident that your emails are correctly authenticated, you can switch your policy to "quarantine." This means emails that fail DMARC checks will be marked as suspicious and sent to the spam folder.
Enforce a "reject" policy: After monitoring and fine-tuning your configuration, you can set the policy to "reject," which will block emails that fail DMARC checks entirely. This is the most secure setting, ensuring that only authenticated emails from your domain are delivered.
Monitor and Review Reports: Gmail, Yahoo, Outlook and other ESPs send reports that help you track the performance of your email authentication. These reports offer insights into how your emails are being handled and whether there are any issues with your domain's authentication.
The Aquila I support team is dedicated to helping you implement the right DMARC policy for your domain and achieve your objectives.
How DMARC Records Are Created
To create a DMARC record, you add a special TXT record to your domain's DNS settings. This record tells receiving mail servers how to treat emails from your domain that fail authentication checks (SPF or DKIM). For example:
v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com; adkim=s; aspf=s; fo=1; rf=afrf; ri=86400; language=en;
| Parameter | Description | Example Value |
|---|---|---|
| v | Specifies the version of DMARC being used. | v=DMARC1 |
| p | Defines the policy for emails that fail DMARC checks. This determines what to do with emails that fail SPF or DKIM authentication. | p=reject (other options: none, quarantine) |
| sp | Defines the policy for subdomains of the domain. This works the same way as p, but only applies to subdomains. | sp=reject (other options: none, quarantine) |
| pct | Specifies the percentage of emails to which the policy applies. This allows you to gradually enforce DMARC. | pct=100 (applying policy to 100% of emails) |
| rua | The email address where aggregate DMARC reports are sent. These reports provide feedback on email authentication results. | rua=mailto:reports@yourdomain.com |
| ruf | The email address where forensic (detailed) DMARC reports are sent. These reports contain specific details about emails that failed DMARC checks. | ruf=mailto:forensics@yourdomain.com |
| adkim | Defines DKIM alignment mode. This determines how strictly the DKIM signing domain must match the From: domain. | adkim=s (strict alignment) or adkim=r (relaxed alignment) |
| aspf | Defines SPF alignment mode. This determines how strictly the SPF-authenticated domain must match the From: domain. | aspf=s (strict alignment) or aspf=r (relaxed alignment) |
| fo | Forensic reporting options. Determines when to send forensic reports based on specific failure conditions. | fo=0 (no reports), fo=1 (all failures), fo=d (DKIM failures), fo=s (SPF failures) |
| rf | The format of forensic reports. This allows you to specify whether the reports should be in AFRF (Authentication Failure Reporting Format) or a different format. | rf=afrf (default format) |
| ri | The report interval specifies how often the aggregate reports are sent (in seconds). | ri=86400 (daily reports, in seconds) |
| language | The language to be used in DMARC reports. | language=en (optional, defaults to English) |
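A receiver parses this record tag by tag, and an administrator can apply the same parsing to catch mistakes before publishing. The following is an added example (not Aquila I's tooling): it splits a DMARC record into tags and flags common problems such as a missing v tag, a subdomain policy weaker than the main policy, a partial pct under an enforcing policy, missing rua, and tags outside RFC 7489 (which receivers ignore).

```python
"""Parse and sanity-check a DMARC TXT record (added example, not Aquila I code)."""
from typing import Dict, List

# Tags defined by RFC 7489; receivers ignore anything else (e.g. 'language').
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}
POLICIES = ("none", "quarantine", "reject")  # ordered from weakest to strictest

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value; ...' into a dict, preserving tag order."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means the record looks sound."""
    findings = []
    tags = parse_dmarc(record)
    keys = list(tags)
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in POLICIES:
        findings.append("p tag missing or not one of none/quarantine/reject")
    sp = tags.get("sp", policy)  # subdomains inherit p when sp is absent
    if sp in POLICIES and policy in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        findings.append(f"subdomain policy sp={sp} is weaker than p={policy}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct must be an integer between 0 and 100")
    elif policy != "none" and int(pct) < 100:
        findings.append(f"only {pct}% of failing mail is subject to p={policy}")
    if policy != "none" and "rua" not in tags:
        findings.append("no rua address: you will not receive aggregate reports")
    for key in ("rua", "ruf"):
        if key in tags and not all(u.strip().startswith("mailto:") for u in tags[key].split(",")):
            findings.append(f"{key} URIs must use the mailto: scheme")
    for key in ("adkim", "aspf"):
        if tags.get(key, "r") not in ("r", "s"):
            findings.append(f"{key} must be r (relaxed) or s (strict)")
    for key in tags:
        if key not in KNOWN_TAGS:
            findings.append(f"unknown tag '{key}' will be ignored by receivers")
    return findings
```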
One of the most common questions we get is about the difference between the rua and ruf addresses specified in a DMARC record. Let's break it down:
| Aspect | Description | rua (Aggregate Reports) | ruf (Forensic Reports) |
|---|---|---|---|
| Purpose | Defines where DMARC reports are sent. | Used for aggregate reports that summarize authentication results for all emails. | Used for forensic reports that contain detailed information about individual email failures. |
| Content | Provides a summary of email authentication results (overall statistics, pass/fail counts). | Includes aggregate data such as the number of emails that passed/failed DMARC, SPF, and DKIM checks. | Includes detailed failure information (e.g., headers, failed authentication checks). |
| Frequency | Aggregate reports are sent periodically (e.g., daily or weekly). | Typically daily, or based on the interval set in the DMARC record (using ri). | Typically generated immediately when an email fails authentication. |
| Report Type | These reports give an overview of how your domain's emails are being handled and whether they pass or fail authentication checks. | High-level reports suitable for monitoring and analyzing trends. | Detailed reports that include information about individual failed emails. |
| Recipients | Sent to the email addresses specified in the DMARC record. | Sent to the email addresses specified in the rua field. | Sent to the email addresses specified in the ruf field. |
| Usage | How each report type is used. | Helps with monitoring and policy adjustments for better email deliverability and security. | Helps with troubleshooting and investigating specific failures in email authentication. |
| Format | File format of the reports. | Reports are typically in XML format, though the data is aggregated and summarized. | Reports are typically in AFRF (Authentication Failure Reporting Format) or XML format with specific failure data. |
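Aggregate reports are what you read during the none and quarantine stages of the rollout described under "Monitor and Review Reports" above. Here is an added example (not Aquila I's XML converter) that parses a constructed aggregate report in the RFC 7489 XML format and tallies which sending IPs fail DMARC and what the receiver did with their mail; the receiver name, IPs and counts are made up.

```python
"""Summarise a DMARC aggregate (rua) report (added example, not Aquila I code)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate XML format: one legitimate
# source passing aligned DKIM and SPF, and one source sending as the domain
# without authorization, which the receiver quarantined per the published policy.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver.test</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarise_report(xml_text: str) -> dict:
    """Tally message counts by DMARC outcome and list sources that failed."""
    root = ET.fromstring(xml_text)
    by_disposition = Counter()
    failing_sources = []
    total = 0
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either does.
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        total += count
        by_disposition[pe.findtext("disposition")] += count
        if not passed:
            failing_sources.append((ip, count))
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "failed": sum(c for _, c in failing_sources),
        "by_disposition": dict(by_disposition),
        "failing_sources": failing_sources,
    }
```

Sources that appear in failing_sources but are known to be legitimate are the ones to fix (add to SPF, sign with DKIM) before moving from quarantine to reject.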
How DMARC Helps You Stay Compliant with Gmail, Yahoo, and Industry Standards
Understanding the Importance of DMARC for Email Deliverability
Email security and deliverability are critical aspects of online communication. As cyber threats like phishing and email spoofing become more common, email providers like Yahoo and Google have implemented strict email authentication requirements to protect their users. One of the most important of these is DMARC.
Why Yahoo and Google Require DMARC
Preventing Phishing and Spoofing:
Both Yahoo and Google have taken strong measures to combat malicious actors who use spoofed email addresses to impersonate legitimate companies or individuals. DMARC helps ensure that only authorized senders can send emails on behalf of a domain, making it much harder for cybercriminals to abuse it.
Protecting Brand Reputation:
With DMARC in place, organizations can better protect their brand and reputation by reducing the risk of their domain being used for fraudulent or malicious purposes. Yahoo and Google require DMARC to ensure that only legitimate messages reach their users' inboxes.
Enhanced User Experience:
By enforcing DMARC, Yahoo and Google are providing a safer experience for their users. Emails that fail DMARC authentication (such as phishing emails) are either rejected outright or sent to spam folders, keeping malicious content out of the inbox.
Adopting Industry Standards:
Many organizations and email service providers (ESPs) have already adopted DMARC, and Google and Yahoo are no exception. By requiring DMARC compliance, they are aligning with industry standards to ensure better email security across the board.
What Happens if You Don't Implement DMARC?
If your domain doesn’t have a DMARC policy in place, your emails might be marked as spam or even rejected by these providers. This can lead to:
Lower email deliverability: Your legitimate emails may not reach your recipients.
Increased risk of email spoofing: Attackers can easily send fraudulent emails from your domain without authorization.
Loss of customer trust: Users may become wary of emails coming from your domain, damaging your reputation.
What is BIMI?
BIMI (Brand Indicators for Message Identification) is a relatively new email standard designed to help brands improve email security and enhance their visibility in the inbox. By implementing BIMI, businesses can display their brand logo alongside their authenticated emails in the recipient's inbox. This increases brand recognition, boosts trust, and combats phishing by confirming the authenticity of the email sender.
BIMI works in conjunction with other email authentication protocols like DMARC, SPF, and DKIM. Essentially, BIMI leverages these technologies to ensure that emails come from a trusted source, allowing the recipient’s email client to display the brand’s logo only when the email passes authentication checks.
How Does BIMI Work?
BIMI is built upon DMARC policy. In order to use BIMI, your domain needs to have DMARC in place with a policy of "quarantine" or "reject". Once you’ve ensured that your emails are properly authenticated, you can add a BIMI record in your DNS, which points to the image file of your logo.
The process works like this:
Your emails are sent with SPF and DKIM authentication.
These emails are checked against your DMARC policy.
If the email passes all authentication checks, the recipient’s email service (such as Gmail or Yahoo) will retrieve your BIMI record from your DNS and display your brand logo next to the email.
The Benefits of BIMI
Brand Recognition and Trust: Seeing your logo in the inbox helps recipients immediately recognize your brand, building trust and reducing the likelihood of your emails being marked as spam.
Enhanced Email Security: BIMI works alongside DMARC, ensuring that only authenticated emails with your domain’s logo can be shown. This significantly reduces the chances of phishing attacks where malicious actors impersonate your brand.
Improved Engagement: Emails with logos are visually more appealing and stand out in a crowded inbox, increasing the chances that your recipients will open and engage with your messages.
BIMI Implementation Requirements
To implement BIMI, there are a few prerequisites:
DMARC Compliance: Your domain must have a DMARC record in place with a "reject" or "quarantine" policy to ensure that unauthorized emails are blocked.
SPF and DKIM Authentication: Your domain must also have SPF and DKIM set up to authenticate your outgoing messages.
Logo File: Your logo must be in the SVG (Scalable Vector Graphics) format and meet specific size and quality standards. The logo file must be hosted at a publicly accessible HTTPS URL, which your BIMI DNS record points to.
VMC (Verified Mark Certificate): To display your logo with BIMI, you need a Verified Mark Certificate (VMC) from a trusted certificate authority. The VMC confirms that your logo is indeed owned and controlled by the organization sending the emails. The VMC helps establish the authenticity of your brand’s logo and ensures it is displayed correctly.
Assess Your Email Infrastructure with Aquila I
To assess and improve your email security as well as email deliverability, consider using Aquila I, an email security platform that helps you:
Check your email authentication: Get a report on the status of your DMARC, SPF, and DKIM records.
Identify risks: See which email servers might be impersonating your domain.
Strengthen your infrastructure: Aquila I provides actionable insights to improve your email security and meet compliance requirements.
Aquila I is a great tool for both small businesses and large enterprises to keep their email systems secure and efficient.