DMARC defines three policy levels that describe how receivers are supposed to handle email failing authentication. These levels are ‘p=none’, ‘p=quarantine’, and ‘p=reject’.
- none: Receivers are instructed to not change how they deliver email based on email authentication failures. The ‘none’ level is typically used when a domain owner is in the initial process of authenticating their email services; moving beyond this level is key to enable DMARC to stop fraud.
- quarantine: Receivers are asked to mark messages failing authentication as spam.
- reject: Receivers are requested to block messages failing authentication entirely, and not deliver them to their intended recipients.
In all cases it is the receiving system that enforces the policy, and that system may choose to handle delivery differently than the DMARC policy prescribes. For example, Microsoft Office 365 treats ‘quarantine’ and ‘reject’ identically.
- Reporting: DMARC-participating receivers agree to provide email authentication reports to sending domains. This allows the owners of these sending domains to understand the current state of email authentication for their domain, see legitimate services that may not be properly authenticating, and identify sources of domain abuse.
- Policy: With DMARC, sending domains can recommend how a receiver should treat an email that fails authentication, rather than leaving it to the discretion of the receiver. This allows sending domains to authenticate all sources of legitimate email over time, rather than requiring domain owners to fix all authentication issues immediately. A report-only policy of ‘p=none’ can be useful during this investigation phase, but domain owners should strive to reach an enforcement level of ‘p=quarantine’ or ‘p=reject’.
- Identity Alignment: There are multiple sources of identity in an email message (including the From address, DKIM signature identity, and Return-Path address). DMARC prioritizes the human-readable From address as a source of identity, and only considers authentication results for identities that are aligned with this From address. SPF and DKIM use different sources of identity, and so the authentication they provide will only prevent fraud if their source of identity matches the human-readable From address in some way.
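The following is an added example, not code from the original article: a small DMARC evaluator that ties together the policy levels described above (‘none’, ‘quarantine’, ‘reject’) and the identity alignment rule from the last bullet. It parses a published DMARC TXT record, checks whether the SPF-authenticated Return-Path domain and any DKIM-signing domain are aligned with the human-readable From domain (strict or relaxed mode, per the record's `aspf`/`adkim` tags), and returns the disposition a receiver would apply. The organizational-domain lookup is deliberately simplified to "last two labels" rather than a Public Suffix List, and `pct=` sampling is ignored; both are assumptions for brevity.

```python
"""Toy DMARC evaluator (added example; simplified organizational-domain logic)."""
from dataclasses import dataclass, field


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    # Defaults when the tags are absent: relaxed alignment for both identifiers.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    fd, ad = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if not ad:
        return False
    if mode == "s":
        return fd == ad
    return org_domain(fd) == org_domain(ad)


@dataclass
class AuthResults:
    """What the receiver learned before applying DMARC (constructed input)."""
    from_domain: str                      # domain of the RFC5322.From header
    spf_result: str = "none"              # 'pass', 'fail', 'none', ...
    spf_domain: str = ""                  # MAIL FROM / Return-Path domain SPF checked
    dkim_results: list = field(default_factory=list)  # [(d= domain, result), ...]


def evaluate(record_txt: str, auth: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition the published policy requests."""
    tags = parse_dmarc_record(record_txt)
    spf_aligned = auth.spf_result == "pass" and aligned(
        auth.from_domain, auth.spf_domain, tags["aspf"])
    dkim_aligned = any(
        res == "pass" and aligned(auth.from_domain, d, tags["adkim"])
        for d, res in auth.dkim_results)
    # DMARC passes if at least one aligned identifier authenticated.
    dmarc_pass = spf_aligned or dkim_aligned
    disposition = "none" if dmarc_pass else tags["p"].lower()
    return {
        "dmarc": "pass" if dmarc_pass else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": disposition,
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Legitimate mail: bounces go to a subdomain, relaxed SPF alignment accepts it.
    print(evaluate(record, AuthResults("example.com", "pass", "bounce.example.com")))
    # Spoofed From: SPF and DKIM both pass, but for the attacker's own domain.
    print(evaluate(record, AuthResults("example.com", "pass", "attacker.test",
                                       [("attacker.test", "pass")])))
```

The second call in the usage block is the case the page describes: an unrelated domain can pass SPF and DKIM for its own identifiers, but because neither identifier aligns with the From domain the message fails DMARC and the published ‘p=reject’ applies.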
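To show what the Reporting bullet above means in practice, here is an added example (not from the original article) that summarizes a DMARC aggregate report, the XML a participating receiver sends to the domain's `rua=` address. The report embedded below is constructed sample data in the standard aggregate-report layout; the IPs and domains are documentation values, not real sources. The summary groups message counts by source IP and attaches a hint: a source whose raw SPF or DKIM passed but did not align is typically a legitimate third-party service that still needs alignment fixed, while a source with no passing authentication at all is a candidate for abuse.

```python
"""Summarize a DMARC aggregate (RUA) report by source IP (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample report (not real data): one aligned sender, one third-party
# sender that passes raw SPF for its own domain only, and one unauthenticated source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>sample-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>500</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.bad.test</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Return {source_ip: {'pass': n, 'fail': n, 'dispositions': set, 'hint': str}}."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        pe = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results the receiver used for DMARC.
        dmarc_pass = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        # auth_results holds raw SPF/DKIM outcomes regardless of alignment.
        raw_pass = any(
            el.findtext("result") == "pass"
            for el in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf"))
        entry = summary.setdefault(ip, {"pass": 0, "fail": 0, "dispositions": set(), "hint": "ok"})
        entry["pass" if dmarc_pass else "fail"] += count
        entry["dispositions"].add(pe.findtext("disposition"))
        if not dmarc_pass:
            # Raw pass without alignment suggests a legitimate but misconfigured sender;
            # no passing authentication at all suggests an abusive source.
            entry["hint"] = "unaligned" if raw_pass else "unauthenticated"
    return summary


def totals(summary: dict) -> dict:
    """Overall pass/fail message counts across all sources."""
    return {"pass": sum(e["pass"] for e in summary.values()),
            "fail": sum(e["fail"] for e in summary.values())}


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for ip, e in sorted(s.items(), key=lambda kv: -kv[1]["fail"]):
        print(f"{ip:16} pass={e['pass']:5} fail={e['fail']:5} hint={e['hint']}")
    print(totals(s))
```

Run against a real report, the `unaligned` rows are the ones to chase with the service owner (for example by having the vendor sign with a DKIM key under your domain) before moving from ‘p=none’ to an enforcement policy; the `unauthenticated` rows are the traffic that enforcement is meant to stop.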
Large-scale email receivers, such as Google, Microsoft, and Yahoo!, are increasingly requiring that email messages be properly authenticated in a DMARC-compliant way. So adding a DMARC record for a domain, in conjunction with properly configured SPF and/or DKIM records, will help ensure proper delivery.
Furthermore, the proper use of DMARC ensures that messages sent by spammers using a sender’s domain will not negatively impact the domain’s overall reputation. Such spam will be blocked and the sender’s brand will be protected.
When configured correctly, DMARC can completely stop phishing attacks in which the attacker sends an email with a ‘From’ address that appears to originate from a protected domain. As this is the primary form of phishing attack, DMARC is a very effective tool to defend customers, employees, partners, and others from phishing.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an open email authentication standard that sending domains use to block fraudulent email. DMARC is built on top of two earlier standards, SPF and DKIM, and adds reporting, policy definition, and the notion of identity alignment.