DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that stops spammers from sending email as your domain without your permission, a practice known as spoofing. Spammers can forge the “From” address on a message so the spam appears to come from a user in your domain. A good example of this is PayPal spoofing, where a spammer sends you a fraudulent email pretending to be PayPal in an effort to obtain your account details. With DMARC in place, a participating receiver can quarantine or reject those fraudulent emails before you ever see them in your inbox. In addition, DMARC gives you visibility, through aggregate reports, into who is sending email on behalf of your domain, so you can make sure only legitimate mail gets through.
The good news is that DMARC is open and free for anyone to use, so you can secure your domain’s email and take control of your email delivery. All you have to do is follow the implementation steps in this guide and choose an ESP that supports DMARC.
What is DMARC?
What are the benefits of implementing DMARC?
DMARC is a key component of a brand’s email security and deliverability strategy. It shows you whether mail sent under your domain passes SPF and DKIM, and it lets you tell receivers what to do with mail that does not.
Does DMARC improve deliverability?
DMARC reports show whether emails sent using your domain are properly authenticated with SPF and DKIM, so you can identify and fix authentication problems that hurt the deliverability of your legitimate mail.
Keeping spoofed emails out of users’ inboxes also lowers spam complaints and protects your domain’s reputation with ISPs.
How does DMARC work?
Before getting to the DMARC protocol itself, you need to understand the two email authentication standards it builds on, DKIM and SPF. If you already know DKIM and SPF, skip ahead to the DMARC section.
DKIM (DomainKeys Identified Mail)
DKIM is a method for validating the authenticity of email messages. When a message is sent, the sending server computes a hash over the message body and selected headers and signs it with a private key; the receiving mail server (or ISP) verifies that signature using a public key published in DNS. A valid signature shows that the signed parts of the message were not altered in transit, so an ISP such as Gmail can tell whether the message is still in the state it was sent in. In other words, if someone intercepts your email, alters it and sends it on with new (and possibly fraudulent) content, the signature no longer verifies and the receiver can treat the message accordingly. A little-known additional benefit of DKIM is that ISPs use the signing domain to build a reputation for your domain: good sending practices (low spam complaints, few bounces, high engagement) build trust with the ISPs.
With DKIM, each email you send is signed with the private key stored on your mail server. ISPs verify the integrity of a message by fetching the corresponding public key from a DKIM TXT record in your DNS at <selector>._domainkey.<domain>; the selector lets you publish several keys side by side and rotate them. The cryptography behind this (RSA, the same public-key cryptography used in TLS) guarantees that only messages signed with your private key pass the check against the public key. This is what the public key might look like in your DNS, here with the selector pm:
pm._domainkey.domain.com. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOCTHqIIQhGNISLchxDvv2X8NfkW7MEHGmtawoUgVUb8V1vXhGikCwYNqFR5swP6UCxCutX81B3+5SCDJ3rMYcu3tC/E9hd1phV+cjftSFLeJ+xe+3xwK+V18kM46kBPYvcZ/38USzMBa0XqDYw7LuMGmYf3gA/yJhaexYXa/PYwIDAQAB"
The private key must be kept secret: an attacker who gets hold of it can forge DKIM signatures for your domain, so keep it off shared hosts and rotate it by publishing a new selector when it may have leaked. Note also that the record above holds a 1024-bit RSA key, the minimum length receivers still accept; 2048-bit keys are the recommended choice (RFC 8301).
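As an added example (not part of the original post), the following Python script parses a DKIM TXT record like the one above and reads the RSA modulus size out of the published key, which is the first thing to check when auditing a selector. It uses only the standard library; the DER walk is a minimal one written for this purpose, and the record it runs on is the page’s own pm selector record, embedded as sample input so the script runs offline.

```python
import base64

# The DKIM public-key record quoted above (the "pm" selector), embedded as
# sample input so the script runs offline. In practice you would fetch the TXT
# record at <selector>._domainkey.<domain> with a DNS client and join its strings.
SAMPLE_DKIM_TXT = (
    "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOCTHqIIQhGNISLchxDvv2X8NfkW7MEH"
    "GmtawoUgVUb8V1vXhGikCwYNqFR5swP6UCxCutX81B3+5SCDJ3rMYcu3tC/E9hd1phV+cjftSFLeJ+xe"
    "+3xwK+V18kM46kBPYvcZ/38USzMBa0XqDYw7LuMGmYf3gA/yJhaexYXa/PYwIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict.

    All whitespace inside a value is dropped, so a p= value that DNS
    returned as several quoted strings or folded lines still decodes.
    """
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos. Returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(p_b64):
    """Walk the SubjectPublicKeyInfo in a DKIM p= value; return (modulus_bits, exponent)."""
    tag, spki, _ = _read_tlv(base64.b64decode(p_b64), 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)               # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(spki, pos)              # BIT STRING; bits[0] = unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsapub, _ = _read_tlv(bits[1:], 0)            # RSAPublicKey ::= SEQUENCE { n, e }
    _, modulus, pos = _read_tlv(rsapub, 0)
    _, exponent, _ = _read_tlv(rsapub, pos)
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def audit_dkim_record(txt, min_bits=2048):
    """Return a list of findings for one DKIM TXT record (empty list = nothing to fix)."""
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected v= value; only DKIM1 is defined")
    if tags.get("k", "rsa") != "rsa":
        findings.append("non-RSA key type; this checker only audits rsa keys")
        return findings
    if not tags.get("p"):
        findings.append("empty p= (key revoked or record broken)")
        return findings
    bits, e = rsa_key_params(tags["p"])
    if bits < min_bits:
        findings.append(f"RSA modulus is {bits} bits; {min_bits}-bit keys are recommended")
    if e < 3 or e % 2 == 0:
        findings.append(f"unusual public exponent {e}")
    if "y" in tags.get("t", ""):
        findings.append("t=y testing flag set; verifiers treat the signature as unverified")
    return findings


if __name__ == "__main__":
    print(rsa_key_params(parse_tags(SAMPLE_DKIM_TXT)["p"]))
    for finding in audit_dkim_record(SAMPLE_DKIM_TXT):
        print("finding:", finding)
```

Run against the page’s record it reports a 1024-bit modulus with exponent 65537 and a single finding recommending 2048 bits. An empty p= is a deliberate case: publishing an empty key is how you revoke a selector, so the audit reports it rather than crashing.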
SPF (Sender Policy Framework)
SPF is a way for ISPs (Gmail, Yahoo and so on) to verify that a mail server is authorized to send email for a domain. It is an allow list of the services permitted to send email on your behalf. Like DKIM, SPF is published in DNS, as a TXT record on the domain itself. For instance, if you use Campaign Monitor to send marketing email and Gmail to send regular email, you can publish a DNS record that lists their mail servers as trusted sources for your domain. One caveat: SPF checks the domain of the envelope sender (the MAIL FROM or Return-Path address), not the “From” header that users see, which is why SPF on its own does not stop spoofing.
v=spf1 a mx include:spf.mtasv.net include:_spf.google.com include:cmail1.com ~all
Keep in mind that a sending domain must have only one SPF record; if two are published, receivers treat the result as a permanent error. Each service you use is added to that single record with an “include” directive, as in the example above. Also watch the lookup budget: an SPF evaluation may perform at most 10 DNS lookups (every include, a, mx, ptr, exists and redirect counts, including those inside the records you include), and exceeding it also yields a permanent error.
SPF has become essential for verifying who can send email on behalf of your domain and directly affects email delivery. It is needed not only for email marketing and your corporate email accounts but also for support tools (Zendesk, Help Scout, etc.) and any other provider that sends email on your behalf.
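Added example, not from the original post: a small Python audit of a domain’s TXT records that enforces the single-record rule, counts the lookup-causing terms against the limit of 10, and flags a permissive all. It runs offline on the record above plus a few constructed records; it does not resolve include: targets, so the real lookup total for a domain is at least the number it reports.

```python
# The SPF record quoted above, embedded as sample input so the audit runs offline.
SAMPLE_SPF = "v=spf1 a mx include:spf.mtasv.net include:_spf.google.com include:cmail1.com ~all"

# Terms that cost the receiver a DNS lookup. RFC 7208 caps these at 10 per
# evaluation, and lookups made while expanding an include: target count too.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                           # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                           # modifier, e.g. redirect=_spf.example.com
            name, arg = term.split("=", 1)
        elif ":" in term:                         # mechanism with argument, e.g. include:x, ip4:a.b.c.d/24
            name, arg = term.split(":", 1)
        else:                                     # bare a, mx, all
            name, arg = term, ""
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def count_lookups(record):
    """Lookup-causing terms in this record alone (include: targets are not expanded offline)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def audit_spf(txt_records):
    """Audit all TXT records of one domain. Returns a list of findings (empty = OK)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"{len(spf)} SPF records published; receivers require exactly one"]
    terms = parse_spf(spf[0])
    findings = []
    lookups = count_lookups(spf[0])
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup-causing terms exceed the limit of {MAX_LOOKUPS} (permerror at receivers)")
    all_qualifiers = [q for q, name, _ in terms if name == "all"]
    if not all_qualifiers:
        findings.append("no all mechanism; unlisted senders get a neutral result")
    elif all_qualifiers[0] in "+?":
        findings.append(f"{all_qualifiers[0]}all lets any host send as you; use ~all or -all")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("ptr mechanism is deprecated and slow; replace it with ip4/ip6 or include")
    return findings


if __name__ == "__main__":
    print(parse_spf(SAMPLE_SPF))
    print("lookups:", count_lookups(SAMPLE_SPF))
    print("findings:", audit_spf([SAMPLE_SPF, "google-site-verification=abc123"]))
```

The page’s record uses 5 of the 10 lookups before any of the three includes is expanded, which is why adding every SaaS vendor’s include to one record eventually breaks SPF for the whole domain.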
What do DKIM and SPF have to do with DMARC?
Well, everything. With SPF and DKIM alone, it is up to the ISP to decide what to do with the results. DMARC takes it a step further: you publish a policy (a TXT record at _dmarc.yourdomain) that tells receivers to reject or quarantine messages that fail, based on the SPF and DKIM results. A message passes DMARC if either SPF or DKIM passes and the domain that passed aligns with the domain in the visible “From” header; only when neither does is your policy applied. This alignment requirement is what ties SPF and DKIM to the “From” address the recipient actually sees. For instance, since PayPal is a huge target for email fraud, they publish a DMARC record that says: if a message fails both aligned SPF and aligned DKIM, reject it. Participating ISPs look at this policy and discard the emails that fail. In the 2013 holiday season, DMARC helped PayPal stop an estimated 25 million attacks, according to a report by Agari. You can start with a policy of none, which only collects reports, and move to quarantine and then reject once the reports show that all your legitimate senders are authenticated.
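To make the pass/fail rule concrete, here is an added Python example (not from the original post, and not PayPal’s code) that evaluates DMARC the way a receiver does: it checks whether SPF or DKIM passed with a domain aligned to the visible From: domain, and only if neither did does it apply the published policy, honouring pct=. The DMARC record, domains and report address are placeholders; the organizational-domain shortcut is a simplification noted in the code.

```python
# Hypothetical DMARC record for example.com. The tag names are the standard
# DMARC tags; the domain and report address are placeholders for this example.
SAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List so that mail.example.co.uk
    maps to example.co.uk; this shortcut keeps the example offline and is
    wrong for such multi-label public suffixes.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_lookup_names(from_domain):
    """DNS names a receiver queries, in order: the From: domain, then its organizational domain."""
    names = ["_dmarc." + from_domain.lower()]
    org = org_domain(from_domain)
    if org != from_domain.lower():
        names.append("_dmarc." + org)
    return names


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample=1):
    """Receiver-side DMARC evaluation. Returns (dmarc_pass, disposition).

    spf_domain is the MAIL FROM (envelope) domain that SPF checked; dkim_domain
    is the d= of a signature that verified. DMARC passes if EITHER SPF or DKIM
    passed AND its domain aligns with the visible From: domain. Only when both
    fail is the published policy applied. `sample` stands in for the receiver's
    per-message draw of 1..100 used to honour pct=.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags.get("p", "none")
    if sample > int(tags.get("pct", "100")):      # outside the pct sample: next milder policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


if __name__ == "__main__":
    print(dmarc_lookup_names("mail.example.com"))
    # spoof: the attacker's own SPF passes, but attacker.net does not align with example.com
    print(evaluate_dmarc(SAMPLE_DMARC, "example.com", "pass", "attacker.net", "none", ""))
    # forwarded mail: SPF breaks at the forwarder, the aligned DKIM signature survives
    print(evaluate_dmarc(SAMPLE_DMARC, "example.com", "fail", "example.com", "pass", "example.com"))
```

The forwarding case is the one that matters operationally: SPF almost always fails for forwarded mail, so a domain that signs with DKIM under its own d= keeps passing DMARC, while a domain relying on SPF alone sees its forwarded mail rejected once it moves to p=reject.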