What is DMARC and how to set it up
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol that helps protect against fraudulent emails and phishing. Its main purposes are:
- Verifying the authenticity of email senders
- Protecting against forgery (spoofing) of email addresses
- Setting rules for handling suspicious messages
It works by building on the two earlier authentication protocols (SPF and DKIM) and allows the domain owner to:
- Define how emails that fail authentication should be processed
- Set whether such emails should be rejected, placed in spam or accepted
- Get reports on domain abuse attempts
DMARC thus significantly increases the security of electronic communications by preventing fraudsters from abusing corporate or organizational domains.
The structure of a DMARC record consists of several key parameters:
Protocol version (v):
- The record always starts with v=DMARC1
Policy for the domain (p):
- p=none - no action
- p=quarantine - quarantine suspicious emails
- p=reject - complete rejection of suspicious emails
Subdomain policy (sp):
- Allows you to set a specific policy for subdomains
- Takes the same values as the p parameter
Reporting (rua):
- Defines the email address to which aggregate (summary) reports about authentication results are sent
- Example: rua=mailto:dmarc-reports@domain.tld
Evaluation percentage (pct):
- Specifies the percentage of messages to which the DMARC policy is applied
- Range 0-100
Example of a complete DMARC DNS record:
| Name | Type | Content |
|---|---|---|
| _dmarc.domain.tld | TXT | v=DMARC1; p=reject; rua=mailto:dmarc-reports@domain.tld; pct=100 |
The recommended procedure for deploying DMARC:
Initial phase - monitoring:
- Set the policy to p=none
- Turn on reporting
- Analyze incoming reports
- Identify legitimate senders
Transition phase - quarantine:
- Change to p=quarantine
- Gradually limit suspicious emails
- Verify that legitimate senders are not blocked
Final phase - strict protection:
- Set p=reject
- Completely reject fake emails
Key recommendations:
- Proceed slowly
- Evaluate reports carefully
- Regularly verify the settings of all email services
It is ideal to first set the policy to none and monitor reports for at least 30-60 days before taking further steps.
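Before publishing or changing the TXT record, it helps to check it mechanically: a record that does not start with v=DMARC1, lacks p=, or carries an out-of-range pct is silently ignored or misapplied by receivers. The following Python script is an added example, not part of this page or of any DMARC tool; it parses a record into its tags, validates the parameters described above (v, p, sp, rua, pct), and derives the record for the next rollout phase (none, then quarantine, then reject) while keeping the reporting address. The sample records and the domain.tld addresses are constructed placeholders.

```python
"""Parse and validate a DMARC TXT record and compute the next rollout step.

Added example (not the page's own code). The sample records below are
constructed for illustration; domain.tld is a placeholder domain.
"""
import re
from typing import Dict, List

VALID_POLICIES = {"none", "quarantine", "reject"}
ROLLOUT_ORDER = ["none", "quarantine", "reject"]


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (tag names are case-insensitive).

    Tags are separated by ';' and surrounding whitespace is ignored.
    A repeated tag keeps its first value.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name not in tags:
            tags[name] = value.strip()
    return tags


def validate_dmarc(txt: str) -> List[str]:
    """Return the problems found in the record (an empty list means it looks sane)."""
    problems: List[str] = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]

    # v=DMARC1 must be the very first tag of the record.
    first = txt.split(";", 1)[0].strip().lower().replace(" ", "")
    if first != "v=dmarc1":
        problems.append("record must start with v=DMARC1")

    # p is mandatory and limited to none / quarantine / reject.
    policy = tags.get("p")
    if policy is None:
        problems.append("missing mandatory policy tag p=")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"invalid policy p={policy}")

    # sp is optional but, when present, takes the same values as p.
    sub = tags.get("sp")
    if sub is not None and sub.lower() not in VALID_POLICIES:
        problems.append(f"invalid subdomain policy sp={sub}")

    # Without rua= no aggregate reports arrive, so the monitoring phase is blind.
    rua = tags.get("rua")
    if rua is None:
        problems.append("no rua= address: aggregate reports will not be delivered")
    else:
        for uri in rua.split(","):
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri.strip()):
                problems.append(f"rua URI is not a mailto: address: {uri.strip()}")

    # pct must be an integer between 0 and 100.
    pct = tags.get("pct")
    if pct is not None and (not pct.isdigit() or not 0 <= int(pct) <= 100):
        problems.append(f"pct must be an integer 0-100, got {pct}")
    return problems


def next_rollout_record(txt: str) -> str:
    """Return the record for the next phase (none -> quarantine -> reject).

    Every other tag is kept unchanged; a record already at p=reject is returned as is.
    """
    tags = parse_dmarc(txt)
    current = tags.get("p", "none").lower()
    idx = ROLLOUT_ORDER.index(current) if current in ROLLOUT_ORDER else 0
    tags["p"] = ROLLOUT_ORDER[min(idx + 1, len(ROLLOUT_ORDER) - 1)]
    # v must stay first; the remaining tags keep their original order.
    ordered = (["v"] if "v" in tags else []) + [t for t in tags if t != "v"]
    return "; ".join(f"{t}={tags[t]}" for t in ordered)


# Constructed sample records (not taken from any real domain).
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@domain.tld; pct=100"
BROKEN = "p=reject; v=DMARC1; sp=block; pct=150"

if __name__ == "__main__":
    for rec in (MONITOR, BROKEN):
        print(rec, "->", validate_dmarc(rec) or "OK")
    print("next phase:", next_rollout_record(MONITOR))
```

Run the script to see the monitoring record pass and the broken one report four problems (wrong first tag, invalid sp, missing rua, pct out of range); calling next_rollout_record on the monitoring record yields the same record with p=quarantine, and applying it again yields p=reject, matching the three phases described above.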