Email Encyclopedia: What is DMARC Record

A DMARC Record (Domain-based Message Authentication, Reporting & Conformance Record) is an email authentication protocol designed to prevent email spoofing. It builds upon the existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols, providing a unified policy and reporting mechanism that helps mail recipients determine whether an email truly comes from its claimed sender and specifies how to handle forged emails.

DMARC records are stored in a domain’s DNS (Domain Name System) as a text record (TXT record), instructing email receiving servers on how to verify emails from that domain and specifying how to handle emails that fail verification.

Background and Origin #

With the widespread use of email, problems such as spam, phishing emails, and cyber scams have become increasingly serious. Attackers often forge email sources, impersonating well-known organizations or trusted contacts to send malicious emails. To address this issue, the industry has developed several email identity authentication technologies, such as SPF and DKIM.

However, SPF and DKIM each have limitations, for example:

• SPF cannot handle email forwarding issues;
• DKIM signatures can be bypassed;
• Recipients lack a unified processing policy for emails that fail verification.

To solve these problems, in 2012, companies including PayPal, Google, Yahoo, and Microsoft jointly launched the DMARC protocol, which was standardized by IETF (Internet Engineering Task Force) as RFC 7489. This protocol integrates the results of SPF and DKIM, providing a unified verification mechanism and policy enforcement capability.

How DMARC Works #

The DMARC workflow can be divided into the following steps:

1. Email Sender Configures DMARC Record #

The email sender adds a DMARC record to their domain’s DNS, formatted as follows:

v=DMARC1; p=none; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com;

The meaning of each field is as follows:

• v: Protocol version, currently DMARC1;
• p: Policy, indicating how the recipient should handle emails that fail DMARC verification. Options include:
  • none: Monitor only, take no action;
  • quarantine: Quarantine the email (such as placing it in spam);
  • reject: Directly reject the email;
• rua: Aggregated Reports receiving address, for receiving summary reports;
• ruf: Forensic Reports receiving address, for receiving detailed failure reports;
• sp: Subdomain policy (optional);
• adkim and aspf: Specify alignment methods for DKIM and SPF respectively (strict or relaxed);
• pct: Percentage of emails to which the policy applies (default 100%);
• rf: Report format (default is afrf);
• ri: Reporting interval (default is 86400 seconds, or 24 hours).

2. Email Recipient Verifies Email #

When an email receiving server receives an email from that domain, it performs the following operations:

• Checks if the email passes SPF verification;
• Checks if the email passes DKIM verification;
• Checks if it matches the “alignment” requirements in the DMARC policy;
• Decides how to handle the email (reject, quarantine, or allow) according to the policy in the DMARC record;
• Sends a report to the sender (according to the rua/ruf settings).

3. Sender Analyzes Reports and Optimizes Policy #

DMARC supports two types of reports:

• Aggregated Reports: XML format, sent periodically, containing statistical information about sources of emails that passed/failed verification;
• Forensic Reports: Sent immediately when an email fails verification, including header and partial body information of the email.

By analyzing these reports, senders can understand which emails passed verification and which failed, allowing them to adjust SPF, DKIM, or DMARC configurations to improve email deliverability and security.

DMARC Alignment Mechanism #

DMARC’s “alignment” mechanism means that the verification results of SPF or DKIM must be consistent with the domain of the “sender address” (i.e., the From header) in the email. Alignment is divided into two modes:

• Strict alignment: Requires the verification domain to be exactly the same as the From domain;
• Relaxed alignment: Allows subdomains to align with the main domain (for example, marketing.example.com is considered aligned with example.com).

DMARC supports the following two alignment methods:

• adkim: DKIM alignment method;
• aspf: SPF alignment method.

DMARC Deployment Recommendations #

DMARC deployment is typically divided into the following phases:

Phase One: Monitoring Mode (p=none) #

In the initial phase, set the policy to none, collect aggregated reports, and understand whether current email sources pass SPF/DKIM verification. This phase does not block any emails but can identify potential issues.

Phase Two: Quarantine Mode (p=quarantine) #

After confirming that most legitimate emails pass verification, the policy can be changed to quarantine, isolating emails that fail verification and reducing the impact on users.

Phase Three: Rejection Mode (p=reject) #

Once all legitimate emails are verified to pass, set the policy to reject to completely block forged emails.

Benefits of Implementing DMARC #

1. Prevent Email Spoofing: Effectively prevents attackers from forging your domain to send phishing emails;
2. Improve Email Deliverability: Verified emails are more likely to be trusted by recipients;
3. Enhance Brand Protection: Avoid having your brand used for fraudulent activities;
4. Obtain Detailed Email Traffic Reports: Help identify abnormal sending behavior;
5. Comply with Industry Standards: Increasingly, industry regulations and laws require businesses to deploy DMARC.

Common Questions and Misconceptions #

1. Will Deploying DMARC Affect Email Sending? #

If SPF and DKIM are configured correctly, DMARC usually does not affect legitimate email sending. It is recommended to first deploy in p=none mode, observe reports, and then gradually tighten policies.

2. Can DMARC Block 100% of Forged Emails? #

DMARC is a powerful tool, but it cannot completely block all forged emails, especially when attackers use misspelled domains (such as examp1e.com) for deception.

3. Do All Email Service Providers Support DMARC? #

Mainstream email service providers (such as Gmail, Outlook, Yahoo, etc.) all support DMARC. It is recommended that businesses work with their email service providers to ensure correct configuration.

4. Is It Necessary to Deploy Both SPF and DKIM? #

Yes. DMARC relies on the results of SPF and DKIM for verification. It is recommended to deploy both SPF and DKIM for the best results.

Example DMARC Records #

Here are some common DMARC record examples:

Example One: Monitoring Mode Only #

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;

Example Two: Quarantine Mode with Reporting Enabled #

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com;

Example Three: Strict Policy with Limited Alignment Method #

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com;

Related Terminology #

• SPF (Sender Policy Framework): Specifies which IP addresses can send emails on behalf of a domain through DNS records;
• DKIM (DomainKeys Identified Mail): Verifies email origin through encrypted signatures;
• DNS (Domain Name System): Domain name resolution system, used to convert domain names to IP addresses;
• From Header: The sender’s address displayed in the email;
• Mailbox Provider: Services such as Gmail, Outlook, etc. that receive emails;
• Email Spoofing: The act of forging an email source address;
• Phishing: Inducing users to disclose sensitive information through forged emails.

How to Check DMARC Records #

You can use the following tools to check a domain’s DMARC record:

• MXToolbox
• DMARC Analyzer
• Google Postmaster Tools
• Microsoft SNDS

Additionally, you can also use the command-line tool dig to query:

dig TXT _dmarc.example.com

Summary #

DMARC is a crucial email security protocol that provides a unified email source verification mechanism by integrating SPF and DKIM verification results. It not only helps prevent email spoofing but also improves email deliverability and brand reputation. Businesses should actively deploy DMARC and continuously optimize configurations based on reports to enhance the security and reliability of their email systems.

As network attack methods continue to evolve, DMARC has become an indispensable part of modern email security systems. Through proper configuration and continuous monitoring, organizations can effectively protect their domain names from abuse and increase user trust in electronic mail.