
In today’s digital world, email is a prime target for phishing, spoofing, and impersonation attacks. That’s where DMARC comes in.

Short for Domain-based Message Authentication, Reporting & Conformance, DMARC is an email authentication protocol that, alongside SPF and DKIM, helps protect your domain from spoofing, phishing, and fraud. If your business sends email from its own domain, whether through Gmail, Mailchimp, Outlook, or another provider, implementing DMARC is one of the smartest security moves you can make.

In a Nutshell:

DMARC is like a bouncer for your email domain.

It checks every email that claims to come from your domain (like info@yourbusiness.com) and asks:

  • Did this email really come from someone we trust?
  • Does it pass the security checks (SPF and DKIM)?

If the answer is no, DMARC tells receiving email servers what to do—let it through, send it to spam, or block it completely.

This helps stop scammers from sending fake emails that look like they’re from your business. It protects your reputation and keeps your customers safe.

How DMARC Works

DMARC builds on two existing email authentication methods:

  • SPF (Sender Policy Framework): Verifies the sending server's IP address is allowed to send mail for the domain.
  • DKIM (DomainKeys Identified Mail): Verifies the message was signed by the domain owner and wasn’t altered in transit.

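DMARC tells receiving mail servers what to do when a message fails the DMARC check. A message passes when SPF or DKIM succeeds and the domain that check authenticated aligns with the domain in the visible From header. It fails when neither check produces an aligned pass.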
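The pass/fail decision described above, as an added Python example that is not part of the original post. The two-label `org_domain` shortcut is an assumption (real receivers consult the Public Suffix List), and the sample domains are constructed.

```python
def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, which also handles suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict) = exact match; 'r' (relaxed) = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf, dkim, policy="none", adkim="r", aspf="r"):
    """spf and dkim are (result, authenticated_domain) pairs: the envelope
    sender domain for SPF, the d= domain of the signature for DKIM."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    passed = spf_ok or dkim_ok  # one aligned pass is enough
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            # the published policy only applies to messages that fail
            "disposition": "none" if passed else policy}

# Constructed cases: (description, From domain, SPF result, DKIM result)
CASES = [
    ("own server", "yourbusiness.com",
     ("pass", "yourbusiness.com"), ("pass", "yourbusiness.com")),
    ("mailing service", "yourbusiness.com",
     ("pass", "bounce.esp.example"), ("pass", "yourbusiness.com")),
    ("spoofed From", "yourbusiness.com",
     ("pass", "unrelated.example"), ("none", "")),
]

if __name__ == "__main__":
    for label, from_domain, spf, dkim in CASES:
        print(label, dmarc_evaluate(from_domain, spf, dkim, policy="quarantine"))
```

The third case shows why alignment matters: SPF passes for the sender's own envelope domain, but that domain does not match the From header, so DMARC still fails.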

Sample DMARC Record

Here’s a basic but effective DMARC record:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=s; fo=1

This record should be placed in your DNS as a TXT record at:

_dmarc.yourdomain.com

DMARC Tag Explanations

v

  • The version of the DMARC protocol. Must always be set to DMARC1.

p

  • Policy for how receiving mail servers should handle failing messages.
    • none: No action. Just collect data.
    • quarantine: Send failing messages to the spam/junk folder.
    • reject: Block the message outright.

sp

  • Policy for subdomains. Used if you want a different policy for subdomains than the main domain.
    • Options: none, quarantine, reject.

rua

  • Aggregate report address. Where to send daily XML reports that summarize DMARC activity.
    • Example: mailto:dmarc-reports@yourdomain.com.

ruf

  • Forensic report address. Where to send individual failure reports for each failed message.
    • Example: mailto:dmarc-forensics@yourdomain.com.

fo

  • Failure reporting options.
    • 0: Send reports only if both SPF and DKIM fail.
    • 1: Send reports if either SPF or DKIM fails.
    • d: DKIM failure only.
    • s: SPF failure only.

adkim

  • DKIM alignment mode.
    • r: Relaxed (subdomains allowed to match).
    • s: Strict (must exactly match domain).

aspf

  • SPF alignment mode.
    • r: Relaxed.
    • s: Strict.

pct

  • Percentage of emails the policy applies to.
    • Example: pct=100 (apply policy to all messages).

ri

  • Reporting interval, in seconds (default is 86400 for daily reports).
    • Rarely needed unless you want more frequent reports.
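To check a record against the tag rules above before publishing it, here is an added example (not from the original post). The function name `parse_dmarc` and the wording of the problems it returns are illustrative.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
ENUMS = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "ri": "86400", "fo": "0"}

def parse_dmarc(record):
    """Parse a DMARC TXT value; return (tags_with_defaults, problems)."""
    tags, problems = {}, []
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    if not pairs or re.sub(r"\s*=\s*", "=", pairs[0]) != "v=DMARC1":
        problems.append("first tag must be v=DMARC1")
    for pair in pairs:
        name, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not name or not value:
            problems.append(f"malformed tag {pair!r}")
        elif name in tags:
            problems.append(f"duplicate tag {name}")
        else:
            tags[name] = value
    if "p" not in tags:
        problems.append("missing required tag p")
    for name, allowed in ENUMS.items():
        if name in tags and tags[name] not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    for name in ("pct", "ri"):
        if name in tags and not tags[name].isdigit():
            problems.append(f"{name} must be a whole number")
    if tags.get("pct", "").isdigit() and int(tags["pct"]) > 100:
        problems.append("pct must be between 0 and 100")
    for opt in tags.get("fo", "0").split(":"):
        if opt.strip() not in {"0", "1", "d", "s"}:
            problems.append(f"fo option {opt!r} is not one of 0, 1, d, s")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} entry {uri.strip()!r} is not a mailto: URI")
    merged = {**DEFAULTS, **tags}
    merged.setdefault("sp", merged.get("p"))  # subdomains inherit p unless sp is set
    return merged, problems

# The sample record from this page
PAGE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; "
               "adkim=r; aspf=s; fo=1")

if __name__ == "__main__":
    print(parse_dmarc(PAGE_RECORD))
```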

Example Use Cases

Monitoring Mode

DMARC is set to monitoring-only. No mail is blocked; just collect data.

v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

Safe Protection (Quarantine)

Messages failing authentication will be sent to recipients’ spam folders.

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

Full Protection (Reject)

Messages failing authentication will be rejected outright at the mail server.

v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; adkim=s; aspf=s

DMARC Reporting

Once you enable rua or ruf, you’ll start receiving XML-formatted reports from major providers like Google, Microsoft, and Yahoo. These reports show you which IPs are sending mail on your behalf, and whether those messages pass SPF, DKIM, and DMARC.

Since the reports are in XML, they’re difficult to interpret manually. Consider using DMARC report visualization tools like:

  • Postmark’s DMARC Digests
  • DMARCian
  • Agari
  • Valimail

Final Thoughts

DMARC is your first line of defense against domain spoofing and phishing attacks. By enforcing authentication and alignment checks on every email sent from your domain, you gain:

  • Better email deliverability
  • Improved trust and brand protection
  • Insight into who is sending email on your behalf

The best approach is to start with p=none, monitor your reports, and then move to quarantine or reject once you're confident all your email sources are configured correctly.

If you're unsure how to set this up or want to lock down your domain properly, contact us at Gaslamp Village Media—we'll get your SPF, DKIM, and DMARC working the way they should.
