Sender Authentication and DMARC – What You Need to Know
If you’ve been working in security for a while, you’ve undoubtedly heard of DMARC. A type of sender authentication, DMARC ensures that emails are both deliverable and legitimate. Without authentication, email accounts will refuse to accept emails, keeping recipients safe from potential spammers.
Why do organizations need it? Because spammers have become very accomplished at spoofing emails – with recipients often unable to differentiate which emails are real or fake. This is further complicated when cyber criminals send a fraudulent email from a legitimate domain. For this reason, email providers have solutions in place to determine which messages are “real” and which are spam. And that’s where DMARC comes in.
What is DMARC?
DMARC is based on SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail), solutions that were created more than a decade ago.
DKIM authentication blocks unauthorized senders by including an encrypted signature on emails that come from authorized senders. When an encrypted DKIM signature is present, the email is pushed through for delivery.
SPF prevents cyber criminals from sending emails on behalf of a domain they do not own. A company can publish their SPF record to communicate to other systems which servers are allowed to send emails from their domain. If the server is not approved, the sender will be blocked.
How is DMARC Related to SPF and DKIM?
DMARC builds on both DKIM and SPF, which aren’t always enough to stop clever cyber criminals. It is an authentication protocol that informs a server what to do with emails that are not easily handled by either SPF or DKIM, specifying how organizations will handle emails that fail authentication.
DMARC policies are published in a DNS (Domain Name System – a naming database where internet domain names are stored and translated into Internet Protocol (IP) addresses) as text (TXT) resource records (RR). DMARC provides a way for recipients to report on emails that fail authentication and gives senders the opportunity to notify recipients that their messages are protected by DKIM and/or SPF authentication.
When are DKIM and SPF Not Enough?
SPF and DKIM alone are often not enough to stop spammers. Here are a few situations in which an organization using only these methods may run into issues:
- When a domain owner sends mixed messages, some of which can be authenticated and some that can’t, it can confuse error-prone algorithms that can’t keep up with the latest spammer tactics.
- Complex email environments with many systems sending emails (including 3rd parties) make large-scale authentication troublesome and troubleshooting difficult. Unless messages bounce back to the sender, it’s impossible to know how many legitimate messages aren’t being authenticated.
- Even when all legitimate emails can be authenticated by senders, recipients may be unwilling to reject unauthenticated messages because they are afraid they might miss legitimate ones that are unsigned.
DMARC solves these issues with information sharing. A receiver supplies a sender with information about their authentication infrastructure, and senders let receivers know what to do when they receive an unauthenticated message. DMARC works because email receivers can determine if the message matches with what they know about the sender. If it doesn’t match, a series of steps is followed to ensure the communication is legitimate.
How to Deploy DMARC
Here are the basic steps organizations should take to deploy DMARC at the simplest level:
- Make sure you have DKIM & SPF deployed first. There are many email security tools you can use to help.
- Ensure that your mailers align properly with the relevant identifiers.
- Your email administrator (sending domain) should configure DMARC and publish the DMARC record.
- Analyze the data and modify your policies and approaches as necessary over time.
DMARC configuration can be confusing. Libraesva LetsDMARC makes it simple to set up and configure DMARC so you can protect your brand, with instant insights into your email flows to help you take control of your domain. How to get started?