What exactly is DMARC, and how will it help protect me?
Backed by some very large corporations, including Google, American Greetings, PayPal,
Microsoft and Facebook, just to name a few, DMARC, or Domain-based Message Authentication,
Reporting & Conformance, is an approach to stopping or reducing
email spam and phishing attacks.
The DMARC specification is built on existing email authentication using SPF or DKIM.
This will effectively allow email senders, when sending email
to receivers implementing DMARC, to experience more uniform authentication.
The domain owner publishes the policy, and the server that receives the email can
check that the message is valid based on the receiving server's policies, just as it
would with SPF; however, it is now instructed what to do with any messages that fail
to pass authentication.
This takes the burden off the receiver of deciding whether the message is legitimate
and what to do with the message: quarantine, reject, or nothing. DMARC also
adds a provision for AFRF, or Authentication Failure Reporting Format (RFC 5965),
which allows reports to be passed back to the sender containing information about
any successes or failures that the receiver may have encountered.
DMARC-ING on...
Here's an example of a DMARC record we use at www.unlocktheinbox.com:
"v=DMARC1;p=none;pct=100;rua=mailto:emailaddress@yourdomain.com;ruf=mailto:emailaddress@yourdomain.com;"
You can verify your DNS record exists by simply going to
Unlock The Inbox SPF/TXT Records Lookup.
The above record means:
| Syntax | Definition | Example |
|---|---|---|
| v | Protocol Version | v=DMARC1 |
| pct | Percentage of messages subjected to filtering | pct=100 |
| ruf | Reporting URI for forensic reports | ruf=authfail@unlocktheinbox.com |
| rua | Reporting URI for aggregate reports | rua=aggrep@unlocktheinbox.com |
| p | Policy for organizational domain | p=quarantine |
| sp | Policy for subdomains of the OD | sp=reject |
| adkim | Identifier Alignment mode for DKIM | adkim=strict |
| aspf | Identifier Alignment mode for SPF | aspf=relaxed |
Click this link to learn more about
Email Authentication Identifier Alignments.
Now you're most likely asking, "How do I set mine up?" That's the easy part.
You can just use our free DMARC record creation tool!
Generating Your DMARC Record
The easiest way to do this is to use the
Unlock the Inbox DMARC Wizard and fill out the questionnaire. At the bottom
of the DMARC Wizard page, after it generates your DMARC record, there will be instructions
on how to add the records to your DNS.
Once the DMARC record is added to your DNS, you can send an email to
"mailtest@unlocktheinbox.com"
and it will return the results, letting you know the status of the DMARC, SPF, DKIM,
Sender ID, and SpamAssassin checks.
Draft Standard:
Domain-based Message Authentication, Reporting and Conformance
Source: Unlock The Inbox &
DMARC