How does DMARC work?
DMARC builds on two existing technologies to authenticate email sent from your domain: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), both of which were introduced and discussed in previous chapters. DMARC adds two things on top of them: an alignment check that ties their results to the domain in the From header, and a published policy telling receivers what to do when authentication fails.
Given below is a diagram to illustrate the DMARC authentication process:
To Recap
When you implement SPF for your domain, you publish an SPF record in your DNS listing the servers authorized to send mail for it. When a receiver gets an email, it looks up the SPF record of the envelope sender domain (the MAIL FROM / Return-Path domain, not the visible From header) and compares the connecting IP address against the authorized list. If the connecting IP is not covered by that record, the message fails SPF.
DKIM, meanwhile, attaches a digital signature to outgoing messages. Your mail server signs selected headers and the body with a private key, and publishes the matching public key in DNS under the selector and domain named in the signature's s= and d= tags. The receiving server fetches that key and verifies the signature, so a message whose headers or body were altered in transit, or one that was never signed by you at all, fails DKIM. On its own a DKIM failure is only a verification result; it is DMARC policy, not DKIM, that tells the receiver what to do with such a message.
In order for a message to pass DMARC, it has to pass either SPF or DKIM, and the domain validated by that check must be aligned with the domain in the email's From header (the Author Domain). Alignment can be relaxed, where the two domains share the same organizational domain, or strict, where they must be identical. This alignment requirement is what ties SPF and DKIM results to the domain your recipients actually see, and it is why a message can pass SPF or DKIM on its own yet still fail DMARC.
DMARC Authentication Process
Email without DMARC:
- An email is sent from business.com to receiver.com
- receiver.com's Mail Transfer Agent (MTA) may still run SPF and DKIM checks, but it has no way to tie their results to the From header domain (business.com) and no instruction from business.com about what to do with messages that fail
- Emails sent from business.com are therefore delivered to the recipient's inbox without the sender being validated against business.com's own policy.
- If any of those emails were sent by an attacker impersonating business.com, the fraudulent messages are delivered to receiver.com as well.
Email with DMARC:
- An email is sent from business.com to receiver.com
- receiver.com's Mail Transfer Agent (MTA) looks up business.com's DMARC record (a TXT record at _dmarc.business.com), the SPF record of the envelope sender domain, and the DKIM public key named by the message's signature, all in DNS
- The MTA checks that the email passes SPF or DKIM and that the domain validated by the passing check aligns with business.com, using the strict or relaxed mode set by the aspf and adkim tags of the DMARC record
- If the sender is authenticated and aligned, the email is delivered to the recipient
- If authentication or alignment fails, the MTA applies the policy business.com has published in its DMARC record (none, quarantine, or reject), and reports the result back to business.com if the record requests aggregate (rua) or failure (ruf) reports
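The evaluation described in the recap and in the steps above, written out as an added example (this is illustrative code, not from the original page or any DMARC implementation). It takes the SPF and DKIM results a receiver has already computed, parses a constructed DMARC record for business.com, applies relaxed or strict alignment, and returns the disposition. The record text, the AuthResults structure, and the two-label approximation of the organizational domain are assumptions made for the example; real verifiers use the Public Suffix List.

```python
"""Added example: DMARC alignment and policy evaluation for one message.

Not part of the original page; the record, domains and results below are
constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample record as it might be published at _dmarc.business.com:
# reject failures for business.com itself, quarantine failures for subdomains,
# strict DKIM alignment, relaxed SPF alignment.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc@business.com"
)


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and apply defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption for this example: the last two labels form the organizational
    domain (mail.business.com -> business.com). Real code uses the Public
    Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().strip(".")
    f = from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    """What the receiving MTA already knows after running SPF and DKIM."""
    from_domain: str   # domain of the RFC5322.From header (what the user sees)
    spf_result: str    # "pass", "fail", "softfail", "neutral", "none", ...
    spf_domain: str    # MAIL FROM domain the SPF check was run against
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the signature that was verified


def evaluate_dmarc(results: AuthResults, record_txt: str) -> tuple:
    """Return (dmarc_result, action): ("pass", "deliver") or ("fail", policy)."""
    rec = parse_dmarc_record(record_txt)

    # A passing check only counts if its domain aligns with the From domain.
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, rec["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, rec["adkim"])

    if spf_ok or dkim_ok:
        return "pass", "deliver"

    # Failure: apply p=, or sp= when the From domain is a subdomain.
    policy = rec["p"]
    if results.from_domain.lower() != organizational_domain(results.from_domain):
        policy = rec.get("sp", policy)
    return "fail", policy


if __name__ == "__main__":
    legit = AuthResults("business.com", "pass", "bounce.business.com", "none", "")
    spoof = AuthResults("business.com", "pass", "attacker.example", "pass", "attacker.example")
    print("legitimate:", evaluate_dmarc(legit, SAMPLE_DMARC_RECORD))
    print("spoofed:   ", evaluate_dmarc(spoof, SAMPLE_DMARC_RECORD))
```

The spoofed case is the one the page's "passes SPF or DKIM yet still fails DMARC" sentence refers to: the attacker's own domain passes both checks, but neither result aligns with business.com, so the published policy applies.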