Technical setup

Decoding Dmarc - How Does It Actually Work?

March 1, 2024

7 min. read

Noel

LAST UPDATED

April 16, 2024

READING TIME

7 min.

If a criminal sends emails as if they were coming from your domain, it is called spoofing.

Through this spoofing, bad guys can commit cybercrimes like phishing attacks.

To prevent this, you need to set up a DMARC record for your email outreach.

We will briefly explain how DMARC works in simple terms.

With a better understanding of this email authentication protocol, you’re one step closer to the superior security and increased open rates that DMARC brings.

In other words, for optimized sales email outreach, DMARC is essential.

DMARC Stops Criminals 👮

Here’s how it works:

When any email comes in, the receiving mail server performs SPF and DKIM checks.

SPF and DKIM are DNS records just like DMARC but with different functions:

SPF Verifies if the email sender's IP address is authorized to send emails for that domain.
And DKIM verifies if the email content is digitally signed by the domain owner so that the email’s content hasn’t been tampered with.

If SPF and DKIM authenticate an email, it gets a pass and gets delivered to the recipient.

On the other hand, if the email fails authentication, the DMARC record will be the judge and decide what happens to the unauthorized email.

In your DMARC record, you can specify what needs to happen to unauthorized emails.

This is determined in the ‘p’ part of the DMARC record. ‘P’ stands for policy.

You can pick one of either three policy settings:

None: With this setting unauthorized emails get delivered normally. In other words, there’s no protection whatsoever. On the surface, this may seem like a useless setting. However, since DMARC will send you deliverability reports, this setting is the desired starting point. The reports allow you to finetune your DMARC policy without accidentally blocking legitimate emails.
Quarantine: Unauthorized emails get sent to the recipient’s spam folder.
Reject: This is the strictest policy. Every unauthorized email gets rejected and isn’t delivered at all.

Dissecting a DMARC Record

Let’s take a look at a basic DMARC record and how its components work:

v=DMARC1; p=none; rua=mailto:email@yourdomain.com

The “v” part is the DMARC version. Since there’s only one valid DMARC version currently, this should be “V=DMARC1”.

The “p” part, as mentioned above, stands for policy. This setting determines what to do with unauthorized emails.

The “rua” tag is for where to send your DMARC reports. You should add your email here. The reports are important because monitoring them allows you to make necessary adjustments to your policy settings. Sometimes, legitimate emails may fail authorization, and receiving DMARC reports help you identify and address any issues that might affect the delivery of legitimate emails.

Non-essential tags

Other tags you can add to a DMARC are:

Tag	Wat it does	Example
Ruf	If you want more elaborate DMARC reporting, include the ‘ruf’ tag. You get specific information about email messages that failed authentication, including actual samples of the emails.	mailto:ruf=%22mailto:dmarc-failures@example.com";
Pct	Allows you to set what percentage of your domain’s emails need to undergo authentication. A value of 0 means none of the emails will be checked. A value of 100 means all of them will. Obviously, publishing your DMARC with a value of less than 100 will effectively negate DMARC benefits. Only during the initial stages of implementing DMARC should you even consider using this option with a lower setting than 100. We recommend you don’t use it all.	v=DMARC1; p=quarantine; pct=75;
Fo	Determines how reports are created and presented to users.	fo=0:1:s;
Aspf	For SPF alignment. Only when the domains of the mail from and the from address are identical is when alignment (authentication) happens.	aspf=strict;
Adkim	Similar to “aspf” but this time for DKIM.	adkim=r;
Sp	Similar to the “p”(policy) tag but for subdomains.	sp=reject;