Views:

Understanding DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as email messages with forged sender addresses that appear to originate from legitimate organizations.

It also provides a way to authenticate email messages for specific domains, send feedback to senders, and conform to a published policy.

DMARC is designed to fit into the existing email authentication process of IMSVA. It helps email recipients to determine if the purported message aligns with what the recipient knows about the sender. If not, DMARC includes guidance on how to handle the non-aligned messages.

DMARC requires the following:

  • A message that passes the SPF checking
  • A message that passes the DKIM authentication checking
  • Alignment of identifier domains (Identifier alignment requires that a domain authenticated by SPF and DKIM is the same as the message header domain or parent domain.)

By defining DMARC settings, IMSVA allows you to add domain names for DMARC verification, set IP addresses to bypass DMARC verification, and specify actions to take on messages that fail DMARC verification. Wildcard domain is also supported. For example, *.example.com.

There is no need to insert your own domain because DMARC is used to verify if a receiving email is genuine or not so you should insert those domains that more often get spoofed (especially if you have seen in the past attacks towards your organization related to domains that you trust)

DMARC Authentication Policy
SPF
Validation
Result
SPF
Alignment
Result
DKIM
Validation
Result
DKIM
Alignment
Result
DMARC
Result
Default Action
for DMARC Policy
PassPassAnyAnyPassBypass
AnyAnyPassPassPassBypass
Any other situationsFailCheck actions based on DMARC result
  • None: Bypass
  • Quarantine: Quarantine
  • Reject: Reject
  • No DMARC record: Bypass
 

DMARC Settings

By default, DMARC is disabled. You can enable this feature in the IMSVA web console, under Sender Filtering > DMARC.

Below are the possible configuration in DMARC:

  • Enable or disable the DMARC authentication.
  • Enable or disable adding X-Header in the verification result. X-Header is added to indicate whether DMARC authentication is successful or not.
  • Enable or disable delivery of DMARC reports.
  • Select all domains or specify some domains to do DMARC checking.
  • If specified sender domains are added, they will be compared to the "From" value in email header to determine whether messages need DMARC authentication or not.
  • Specify an IP address for the DMARC exception list.
  • Set the any of the following actions based on the DMARC authentication result.
    • Do not intercept messages
    • Quarantine
    • Reject

DMARC Settings

For more information on how to set up DMARC, refer to this document: Specifying DMARC Settings.