DMARC: Domain-based Message Authentication, Reporting, and Conformance
1. Introduction
Email is one of the most widely exploited attack vectors because of its inherent openness. SMTP was not designed with sender authentication in mind, so any host can claim to be sending on behalf of any domain, which makes spoofing and tampering easy. Standards such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) were introduced to mitigate this, but on their own they leave gaps: they do not tell a receiver what to do when a check fails, and they give the domain owner no visibility into who is sending as their domain.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) was developed to close those gaps by combining SPF and DKIM with a policy and a reporting framework.
2. Background Concepts
2.1 How Email Transmission Works
- A sender's mail server connects to the recipient's mail server using SMTP.
- Traditionally, anyone could claim to be any sender (spoofing) because SMTP has no built-in verification of the claimed sender.
2.2 Email Spoofing Problem
An attacker can forge both the envelope sender (the SMTP MAIL FROM) and the From: header the recipient actually sees (e.g., pretending to be @gmail.com or @tikaj.com) to trick recipients. SPF and later DKIM were introduced in response; the From: header is the identifier that DMARC ultimately protects.
3. SPF and DKIM
3.1 SPF (Sender Policy Framework)
- The domain owner publishes a DNS TXT record listing the IP addresses or servers authorized to send on behalf of the domain.
- When an email arrives, the recipient's server checks whether the connecting IP is permitted by the SPF record of the domain in the envelope sender (MAIL FROM).
- Example: xyz.com may publish an SPF record allowing Google, Amazon, and Sparkpost to send its email.
- Limitations: if any authorized IP is compromised, or the authorized provider is shared with other customers, attackers can still send mail that passes SPF. SPF also checks only the envelope sender, not the From: header the user sees, and it breaks when mail is forwarded because the forwarder's IP is not in the record.
3.2 DKIM (DomainKeys Identified Mail)
- Adds cryptographic authentication.
- Outgoing messages are digitally signed with a private key held by the sending system; the signature covers selected headers and the body.
- The recipient verifies the signature using the public key published in DNS under the signing domain (the d= tag) and selector.
- Ensures that the signed content was not altered in transit.
- Limitation: a missing or misconfigured DKIM setup (wrong selector, rotated key, body modified by a mailing list) makes verification fail, and DKIM by itself says nothing about what a receiver should do with an unsigned message.
4. DMARC Overview
4.1 What is DMARC?
DMARC builds on SPF and DKIM to provide:
- Policy: instructs receiving servers what to do with a message that fails the DMARC check (none, quarantine, or reject).
- Visibility: receivers send reports on authentication results, helping organizations monitor spoofing attempts and misconfigurations.
4.2 How DMARC Works
- Domain owners publish a DMARC TXT record in DNS at _dmarc.<domain> (e.g., _dmarc.domain.com).
- The record specifies:
- Policy (p=none, p=quarantine, p=reject), optionally a separate policy for subdomains (sp=) and a percentage of failing mail to apply it to (pct=)
- Alignment rules for SPF and DKIM (aspf= and adkim=, relaxed or strict), which require the domain that passed SPF or DKIM to match the domain in the From: header
- Reporting addresses for aggregate reports (rua=) and failure/forensic reports (ruf=)
- A message passes DMARC if either SPF or DKIM passes and that passing identifier is aligned with the From: domain; otherwise the published policy applies.
Example:
_dmarc.thecars.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
Illustration: imagine your company's domain, tikaj.com, is a secure corporate office building.
SPF and DKIM are like a security guard at the entrance checking a person's ID badge (SPF) and a unique company key card (DKIM). Either a valid ID badge or a working key card is enough to be let in, as long as it was actually issued by your company (that is the alignment check).
DMARC is the final instruction given to the security guard. It is the "policy" that says:
1. If a person shows up with neither a valid ID nor a working key card, just make a note of it ("None").
2. If a person shows up with neither a valid ID nor a working key card, send them to a waiting room but don't let them into the main office ("Quarantine").
3. If a person shows up with neither a valid ID nor a working key card, immediately turn them away and don't let them on the property at all ("Reject").
By using DMARC, you're not just checking whether an email is legitimate; you're actively controlling what happens to emails that aren't.
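The evaluation a receiving server performs, as an added example in Python (not code from the original article or from any DMARC product): it parses a record like the one above, applies the relaxed/strict alignment rules, and returns the disposition. The record, the blinkstore.in addresses, and the small public-suffix table are assumptions made for the example; a real receiver uses the full Public Suffix List.

```python
"""DMARC evaluation as a receiving mail server performs it (RFC 7489 logic):
parse the published record, test identifier alignment, choose a disposition.
Added example; not code from the original article."""
from dataclasses import dataclass

# Illustrative stand-in for the Public Suffix List (assumption). A real
# receiver must use the full list so that e.g. "example.co.uk" is handled.
PUBLIC_SUFFIXES = {"com", "in", "net", "org"}


def organizational_domain(domain: str) -> str:
    """mail.example.com -> example.com (one label above the public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def parse_dmarc_record(domain: str, txt: str) -> dict:
    """Parse the TXT record found at _dmarc.<domain>, filling RFC 7489 defaults."""
    tags = {"domain": domain.lower()}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResult:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, "" if none


def evaluate_dmarc(record: dict, r: AuthResult, sampled: bool = True) -> tuple:
    """Return (dmarc_result, disposition).

    DMARC passes when SPF *or* DKIM passed AND that identifier aligns with the
    From domain. `sampled` says whether this message fell inside the pct=
    sample; messages outside it get the next weaker policy.
    """
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, record["aspf"])
    dkim_ok = (r.dkim_pass and bool(r.dkim_domain)
               and aligned(r.dkim_domain, r.from_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    on_subdomain = r.from_domain.lower() != record["domain"]
    policy = record["sp"] if on_subdomain else record["p"]
    if not sampled:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    # Hypothetical record and report address for blinkstore.in (assumption).
    rec = parse_dmarc_record(
        "blinkstore.in",
        "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc-reports@blinkstore.in")
    # Mail via a provider whose bounce domain is its own: SPF passes but does not align.
    ses = AuthResult("blinkstore.in", True, "amazonses.com", False, "")
    print(evaluate_dmarc(rec, ses))            # ('fail', 'reject')
    # Same mail once the provider signs with DKIM d=blinkstore.in.
    fixed = AuthResult("blinkstore.in", True, "amazonses.com", True, "blinkstore.in")
    print(evaluate_dmarc(rec, fixed))          # ('pass', 'none')
```

The two runs at the bottom show why "SPF pass" alone is not enough: a provider that uses its own bounce domain passes SPF for that domain, not yours, so only an aligned DKIM signature (or a bounce domain under your own domain) makes the message pass DMARC.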
4.3 Benefits of DMARC
- Prevents unauthorized use of your domain in the From: header of email.
- Provides visibility into:
- Authorized third-party senders
- Unauthorized or rogue senders
- Infrastructure misconfigurations
- Enables gradual enforcement (monitor → quarantine → reject).
5. DMARC Deployment Phases
- Monitor (p=none)
- Publish a DMARC record with p=none and a rua= address.
- Collect aggregate reports and analyze who is sending email using your domain.
- Identify authorized and unauthorized senders, and fix alignment for every legitimate source.
- Quarantine (p=quarantine)
- Start instructing receivers to place failing emails into spam/junk.
- Apply partial enforcement with the pct= tag (e.g., pct=10, then 20, gradually increasing); mail outside the sampled percentage is treated under the next weaker policy.
- Reject (p=reject)
- Fully block emails for which neither SPF nor DKIM passes with alignment.
- Achieves full enforcement but requires confidence that all legitimate sources are properly configured, since anything missed is now dropped rather than merely flagged.
6. Real-World Issues DMARC Solves
- Misconfigured SPF: authorized servers not listed, or listed but not aligned with the From: domain, causing legitimate mail to fail.
- Compromised third parties: DMARC reports highlight when a vendor's system is sending unauthorized email as your domain.
- Tampered messages: DKIM ensures message integrity.
- Monitoring gaps: DMARC reporting provides insight into spoofing attempts that would otherwise go unnoticed.
7. Example: Infrastructure Misconfiguration
- A domain (blinkstore.in) had SPF and DKIM records published, but SPF alignment was failing for mail sent through Amazon SES: the typical cause is SPF passing for the provider's own bounce domain rather than for a domain aligned with the blinkstore.in From: address, with no aligned DKIM signature to fall back on.
- As a result, OTP emails were delivered to spam folders.
- Without DMARC reports, this problem would have remained invisible.
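This is what the monitor phase of section 5 and the blinkstore.in case above look like in practice: an aggregate (rua=) report is XML, and the useful work is classifying each source IP as aligned, authenticated-but-unaligned (a real sender to fix before enforcement), or unauthenticated (unknown or spoofing). The following is an added example in Python, not a tool from the original article; the report XML is constructed for the example, with IPs from the RFC 5737 documentation ranges and a made-up reporter name, and the provider bounce domain amazonses.com is an assumption about what such a row would show.

```python
"""Parse a DMARC aggregate (RUA) report and classify each sending source.
Added example; the XML is constructed, not a real receiver's report."""
import xml.etree.ElementTree as ET
from collections import Counter

# Aggregate reports arrive from arbitrary third parties. In production parse
# them with defusedxml (or otherwise disable entity expansion) instead of
# handing attacker-controlled XML to the stock parser.

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>blinkstore.in</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>blinkstore.in</header_from></identifiers>
    <auth_results>
      <spf><domain>amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>blinkstore.in</header_from></identifiers>
    <auth_results>
      <dkim><domain>blinkstore.in</domain><result>pass</result></dkim>
      <spf><domain>blinkstore.in</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>blinkstore.in</header_from></identifiers>
    <auth_results>
      <spf><domain>blinkstore.in</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(el, path, default=""):
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten the RFC 7489 aggregate report schema into one dict per <record>."""
    root = ET.fromstring(xml_text)
    report = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        report["rows"].append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            # policy_evaluated holds the *aligned* results used for DMARC
            "spf_aligned": _text(rec, "row/policy_evaluated/spf") == "pass",
            "dkim_aligned": _text(rec, "row/policy_evaluated/dkim") == "pass",
            "header_from": _text(rec, "identifiers/header_from"),
            # auth_results holds the raw results and the domain each applied to
            "spf_raw": [(_text(s, "domain"), _text(s, "result"))
                        for s in rec.findall("auth_results/spf")],
            "dkim_raw": [(_text(d, "domain"), _text(d, "result"))
                         for d in rec.findall("auth_results/dkim")],
        })
    return report


def classify(row: dict) -> str:
    """pass: nothing to do. unaligned: a real sender authenticating as another
    domain; fix it before p=reject or its mail gets blocked. unauthenticated:
    unknown source or spoofing."""
    if row["spf_aligned"] or row["dkim_aligned"]:
        return "pass"
    if any(res == "pass" for _, res in row["spf_raw"] + row["dkim_raw"]):
        return "unaligned"
    return "unauthenticated"


def summarize(report: dict) -> dict:
    """Message counts per class, plus unaligned sources and the domains they passed for."""
    totals, unaligned = Counter(), []
    for row in report["rows"]:
        cls = classify(row)
        totals[cls] += row["count"]
        if cls == "unaligned":
            passed = sorted({d for d, res in row["spf_raw"] + row["dkim_raw"] if res == "pass"})
            unaligned.append((row["source_ip"], row["count"], passed))
    return {"totals": dict(totals), "unaligned": unaligned}


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(rep["domain"], "p=" + rep["policy"], "from", rep["reporter"])
    print(summarize(rep))
```

Reading the output for the constructed report: 203.0.113.10 is the section 7 situation (SPF passes for amazonses.com, which does not align with the blinkstore.in From: header), 203.0.113.20 is a correctly configured sender, and 198.51.100.7 sends 900 messages as blinkstore.in with nothing passing, which is exactly the spoofing that p=reject would stop. The first row must be fixed (aligned DKIM signing or a bounce domain under blinkstore.in) before tightening the policy.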
8. Key Takeaways for Customers
- DMARC is not just about compliance; it provides continuous monitoring of your email ecosystem.
- Moving directly to p=reject without analysing reports first may block legitimate email.
- Even with DMARC in place, ongoing monitoring is essential because:
- New senders may be added.
- Third-party providers may change infrastructure.
- Misconfigurations can arise unexpectedly.
9. Conclusion
DMARC is a critical layer of modern email security. By combining SPF and DKIM with policy and reporting, it prevents spoofing of the From: domain, enhances visibility, and strengthens brand protection. However, organizations must not treat DMARC as a one-time setup. Ongoing monitoring, gradual enforcement, and continuous adjustment are key to ensuring that legitimate email is delivered while spoofed email is blocked.