DMARC (Domain-based Message Authentication, Reporting and Conformance) lets a domain owner publish, in a DNS TXT record at _dmarc.<domain>, a policy that tells receiving mail servers whether to reject, quarantine, or simply deliver and report messages that fail authentication. A message fails DMARC when neither SPF nor DKIM passes with a domain that aligns with the domain shown in the visible From: address. Before DMARC, SPF and DKIM could each verify something about a message, but recipients still had no reliable way to tell whether a message displaying an official address on your domain was genuine or spoofed, and the domain owner had no say in what happened to the forgeries.
Through its reporting mechanism, DMARC also lets domain owners learn when someone else is sending mail that claims to come from their domain as part of an email attack.
That is why publishing a DMARC record matters for every domain: without it, the consequences of weak email authentication land on you. If a flood of spam or phishing were sent from infrastructure you do not control but claiming to come from an address on your domain, it is your domain's reputation that suffers, and you may not find out until users and mailbox providers start complaining.
Most domains start with the policy value p=none, which tells receivers to take no special action on failing mail but to send reports of DMARC activity to the domain administrator. That data lets the owner see who is sending as the domain, fix legitimate senders that fail authentication, and then decide when to move to quarantining or rejecting mail from anyone pretending to be the domain. The three policy values are:
None: Deliver the message as usual and only report on it (monitoring mode).
Quarantine: Treat the message as suspicious, typically by placing it in the spam or junk folder.
Reject: Refuse the message outright during the SMTP transaction so it is never delivered.
On top of that there is the reporting feature. Receivers send the addresses listed in the record (rua= for aggregate reports, ruf= for failure reports) regular summaries of who is sending mail on behalf of your domain and whether it passed authentication, whether that is your authorized marketing platform or an attacker trying to impersonate your brand.
Prevents Email Spoofing: Stops criminals from sending phishing or scam mail with your exact domain in the From: address (it does not stop look-alike domains, which remain a separate problem).
Protects Your Brand: Helps your brand keep its reputation and prevents recipients from believing you sent them a malicious email.
Improves Email Deliverability: Properly authenticated mail is more likely to reach the inbox instead of the spam folder.
Provides Visibility: You receive reports showing who is using your domain, so you can quickly spot abuse, and misconfigured legitimate senders, and fix them.
Creates Trust: Customers and partners place more trust in your mail when they know it comes from the authentic source.
Say you run an online clothing store. You send newsletters and order confirmations to your customers. Without DMARC, an attacker can send an email that displays your domain in the From: address, a fake order update for example, and trick your customers into clicking dangerous links; that message can look identical to one from you. With an enforcing DMARC policy, receivers reject (or send to spam) those spoofed messages, while your legitimate mail, provided it passes SPF or DKIM with an aligned domain, is delivered normally.
Better still, the reports tell you when someone has tried to send phishing emails using your domain, so you can investigate and tighten security further. Setting DMARC up correctly does take some technical understanding: you need a working SPF record and DKIM signing in place first, and you have to add a TXT record at _dmarc.yourdomain in DNS. Start with a p=none policy to gather data, and once the reports show that all of your legitimate senders pass, move to p=quarantine and then p=reject.