Domain-Based Message Authentication, Reporting, and Conformance (DMARC)


Domain-Based Message Authentication, Reporting, and Conformance (DMARC) is a framework for ensuring that SPF and DKIM are applied correctly, using a policy that the sending domain publishes as a DNS record.

  • DMARC policy is published as a DNS TXT record
    • can use SPF or DKIM or both
    • specifies an alignment mechanism to verify:
      • that the domain in the message header From field matches the domain in the envelope From field (Return-Path) for an SPF check
      • and/or the domain in the DKIM signature (the d= tag) for a DKIM check
  • specifies a more robust policy mechanism for senders:
    • to specify how DMARC authentication failures should be treated
      • none (p=none)
      • quarantine (p=quarantine)
      • reject (p=reject)
    • plus mechanisms for recipients to report DMARC authentication failures to the sender
      • recipients can submit an aggregate report of failure statistics and a forensic report of specific message failures
  • provides reporting capabilities
    • gives owner of a domain visibility into which systems are sending emails on their behalf
      • including unauthorized activity
  • DMARC record includes:
    • p – policy indicating the requested action for an email that fails the DMARC check: reject, quarantine or none
    • pct – percentage of received emails to which the policy is to be applied
    • rua – address to which aggregate reports should be sent
    • ruf – address to which failure reports should be sent

How it Works

DMARC

1 – Sender’s organization publishes SPF, DKIM, and DMARC records to its DNS server.
2A – Sender MTA forwards message with SPF/DKIM header.
2B – Adversary spoofs sender’s domain.
3 – Recipient MTA processes the messages.
4 – Recipient looks up the sender’s DMARC policy and SPF/DKIM records via DNS.
5A – Legitimate message placed in recipient’s mailbox on IMAP server.
5B – Rejected message deleted or quarantined.
6 – Failure reporting to sender MTA.
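The following Python example is added here to show the two pieces the outline above describes and is not code from the original page: parsing the DMARC TXT record tags (p, pct, rua, ruf) and performing steps 4 and 5 on the receiving side, that is, checking identifier alignment between the header From domain and the SPF envelope domain or the DKIM d= domain, then applying the published policy (with pct sampling). The record, domains and message are constructed sample values for a hypothetical example.com; the adkim/aspf tags and the pct downgrade rule are taken from the DMARC specification (RFC 7489) rather than from the page; and the organizational-domain check is simplified to the last two labels instead of using the Public Suffix List.

```python
"""Parse a DMARC record and evaluate a received message against it.

Added example for the DMARC outline above. All domains, addresses and
message data below are constructed sample values, not real records.
"""
import random
from dataclasses import dataclass

# Constructed sample record, as it would appear at _dmarc.example.com TXT.
SAMPLE_DMARC_TXT = (
    "v=DMARC1; p=quarantine; pct=100; "
    "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com; "
    "adkim=r; aspf=r"
)


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p tag must be none, quarantine or reject")
    tags.setdefault("pct", "100")   # default: apply policy to all mail
    tags.setdefault("adkim", "r")   # r = relaxed, s = strict alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed allows the same org domain."""
    a, b = header_from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    """Authentication results the receiving MTA has already computed."""
    header_from_domain: str      # domain in the RFC5322 From header
    spf_result: str              # "pass", "fail", "none", ...
    envelope_from_domain: str    # RFC5321 MAIL FROM / Return-Path domain
    dkim_result: str             # "pass", "fail", "none", ...
    dkim_d_domain: str           # d= tag of the verified DKIM signature


def evaluate_dmarc(record, results, sample=None):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes when at least one authenticated identifier (SPF or DKIM)
    is aligned with the header From domain. On failure the published p=
    policy applies, unless pct sampling excludes this message, in which
    case the policy is downgraded one step (reject->quarantine->none).
    """
    spf_ok = (results.spf_result == "pass"
              and aligned(results.header_from_domain,
                          results.envelope_from_domain, record["aspf"]))
    dkim_ok = (results.dkim_result == "pass"
               and aligned(results.header_from_domain,
                           results.dkim_d_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = record["p"]
    pct = int(record["pct"])
    if sample is None:
        sample = random.randrange(100)   # caller may pass 0..99 for determinism
    if sample >= pct:
        disposition = {"reject": "quarantine", "quarantine": "none",
                       "none": "none"}[disposition]
    return "fail", disposition


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_DMARC_TXT)
    # Step 2A: legitimate mail, SPF passes on a relaxed-aligned subdomain.
    legit = AuthResults("example.com", "pass", "mail.example.com", "none", "")
    # Step 2B: spoofed From, SPF passes only for the adversary's own domain.
    spoof = AuthResults("example.com", "pass", "attacker.invalid", "fail", "")
    print("legitimate:", evaluate_dmarc(rec, legit))
    print("spoofed:   ", evaluate_dmarc(rec, spoof))
```

Reports go to the rua/ruf addresses parsed from the record; this example stops at the disposition decision (step 5) and leaves the reporting step (6) to the mail system.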