Enforce authentication with a DMARC policy
The Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy directs how your ISP processes email messages that pass or fail email validation checks. DMARC provides the third factor for domain authentication.
To activate DMARC, a domain owner adds a DMARC record as a DNS TXT record on domain that sends email messages. This TXT record contains instructions on how to process email messages that fail authentication checks.
Limitations of DMARC
The scope of DMARC has limits. It doesn't verify content, sender identity, or verify the message integrity. It verifies the message sender, instructs the receiver how to route the message, and reports failed checks.
To add a DMARC policy to your domain, you must understand the follow concepts:
- Domain Name System and DNS records, TXT records in particular
- IP addresses
To convince you that you're interacting with a trusted source, unauthorized senders might impersonate a specific email address. This act of impersonation practice is known as email spoofing. The purpose of spoofing can include getting sensitive data, taking over other online accounts, or stealing funds.
A spoofed email includes a forged From address, but not the From the recipient sees in their inbox. Email messages have their metadata which includes two From addresses:
| Header From | Envelope From | |
|---|---|---|
| Property name | From | MAIL FROM or Return-Path |
| Location | Email message header metadata | STMP envelope |
| Necessity | Required | Required |
| Visible in email client | Yes | No |
| Purpose | Shows who sent the email message | Specifies where to send non-delivery reports (NDRs) |
| Authenticated | No | Yes with DKIM, SPF |
| Physical analog | Address on letterhead | Return address on envelope |
Spoofing works as part of a phishing attack. Phishing seeks to get recipients to open email messages with links to malicious web sites or open damaging attachments.
While you could consider spoofing and phishing as a recipient's problem, an attacker that uses your email domain can damage your email reputation.
Two other standards, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), authenticate email messages and senders, respectively. DKIM only validates the email address in the Envelope From.
To prevent email spoofing, DMARC policies determine what recipient email servers should do with email messages that pass and fail authentication checks.
The SPF authenticates that the email server that sent the message can send messages on behalf of the domain. When the receiving email server gets the message, it requests the SPF record from the sender's DNS server. If the IP address or IP address range matches the IP address of the sending email server, the receiving email server accepts the incoming email message.
The SPF sets an allowlist that identifies which email servers can send email messages on behalf of a given domain. To implement SPF, you add a TXT record to your DNS server for your domain. The TXT record specifies the IP addresses that can send email for the related domain.
To perform an SPF check, the following steps take place.
- The receiving email server receives a message and checks the Envelope From (
return-path). - The receiving server retrieves the SPF record from the DNS records for the domain in the
return-path. - The receiving server checks the SPF record for all IP addresses approved to send email on behalf of the domain.
- If the SPF check passes, the receiving server considers the message sent from an approved sending server and continues processing the message.
- If the SPF check fails, the receiving server considers the message illegitimate. What happens after a failure depends on your DMARC policy.
To learn more about how SPF works, see Verify sending email servers with SPF.
DKIM authenticates the integrity an email message using public-key encryption. This standard ensures that nothing tampered with the message in transit.
- The sending email server includes a signature in each email message's header. The signature includes an encrypted and hashed version of the email message header and body and instructions on how to decode the signature.
- After receiving the email message, the receiving email server requests the DKIM record from the domain's DNS provider. This includes the public key to decrypt the signature data.
- The receiving server then recreates the signature from the email message and compares it to the decrypted and decoded signature that got sent.
- If the signatures match, the DKIM check passes and the email message gets accepted.
- If the signatures don't match, the DKIM check fails. What happens after a failure depends on your DMARC policy.
To learn more about how DKIM works, see Verify senders with DKIM.
While DKIM authenticates the email message and SPF authenticates the sending email server, neither tells the receiving server how to act on the results of these checks. DMARC provides that function. It tells the receiving email server what to do with email messages that pass or fail authentication.
Info
Twilio SendGrid offers additional DMARC enforcement and monitoring options in partnership with Valimail.
DMARC doesn't work as an independent authentication protocol but as a framework for handling SPF and DKIM failures and reporting those failures to domain owners.
- DMARC allows domain owners to specify what should happen if either or both SPF and DKIM checks fail.
- Neither SPF nor DKIM provide this functionality on their own.
- This means that without DMARC a sender can't determine what happens to a failed message.
- A sender receives no feedback about SPF and DKIM failures without DMARC, so senders have little chance to combat or even understand the delivery trends of their domain, often called reputation monitoring.
- SPF and DKIM are independent of each other, but neither provide thorough spoofing protection on their own.
DMARC builds upon SPF and DKIM. SPF and DKIM handle the domain-based message authentication part of DMARC.
DMARC adds reporting and conformance. Like SPF and DKIM, you implement DMARC through a TXT DNS resource record. Using this record, receiving email servers can fetch failure processing instructions from domain owners.
To check if an organization uses DMARC, see the DMARC.org FAQ entry.
To provide access to your DMARC policy, add it into the DNS registry of your domain as a TXT resource record. The policy follows a format of a series of semicolon-separated tags:
1v=DMARC1;2p=(none|quarantine|reject);3rua=mailto:<email address>
The TXT record value must adhere to the following standards:
- It must follow RFC 1035 3.3.14 format for DNS records.
- It can't exceed 512 bytes.
- It must start with
v=DMARC1;. This identifies the policy as using DMARC version 1.
You can write your DMARC policy yourself or use a DMARC policy generator.
The version, v=DMARC1, tells receiving servers that the DNS TXT record is a DMARC version 1 record.
The policy, p, can be one of three values, none, quarantine, or reject. Domain owners provide DMARC policies as instructions to a receiving email server on handling SPF and DKIM failures.
| Policy | Typical action | Email status |
|---|---|---|
p=none | Deliver the message. | Delivered |
p=quarantine | Send message to the spam folder. | Recoverable |
p=reject | Delete the message, bounce to the Envelope From address, or both. | Deleted |
To specify different policies for subdomains, use the sp tag. Like the policy tag, p, the possible values for the sp tag are none, quarantine, and reject.
For example: You can apply a reject policy to your root domain and a quarantine policy for all its subdomains.
The percent tag, pct, specifies how many failing email messages follow your DMARC policy. The possible values are 1 through 100.
For example: If you set your policy to quarantine and your percent to 50, half of all failing email messages get quarantined.
You can adjust this tag value as you learn more about DMARC failures on your domain.
The reporting function of DMARC comes from two reports: an aggregation report and a forensics report.
Every 24 hours, inbox providers generate DMARC aggregate reports as compressed XML documents. It then attaches the reports to an email message as a ZIP archive. The email address you choose to receive reports must accept ZIP attachments. The files use the following filename format:
reporter!policy-domain!begin-timestamp!end-timestamp.zip
Example of a DMARC aggregate report filename
Consider the following parameters:
- The server that generates the DMARC report:
google.com - The domain for which the server generated the report (your domain):
example.com - Start date of the reporting period: Saturday, April 28, 2012 12:00:00 AM GMT
- End date of the reporting period: Saturday, April 28, 2012 11:59:59 PM GMT
google.com!example.com!1335571200!1335657599.zip
The following sample DMARC report includes one record with the results for two email messages. The SPF and DKIM auth_results report tag produce raw results, ignoring the s= alignment.
The XML file contains three main tags inside a feedback tag: record_metadata, policy_published, and record. The record tag repeats for each email source IP address.
The record_metadata tag contains the following tags:
| Tag | Content | Purpose |
|---|---|---|
org_name | Organization generating the report | Confirms which inbox provider observed the email traffic |
email | Contact address for the reporting organization | Identifies contact point in the observing inbox provider |
report_id | Unique identifier for the report | Serves as reference point for later identification |
date_range | Time period covered by the report | Sets the timeframe for the results |
The policy_published tag contains the following tags:
| Tag | Content | Purpose |
|---|---|---|
domain | Domain identified in the DMARC TXT record | Identifies which domain set the DMARC policy |
adkim | Alignment mode for DKIM signatures | Same as the adkim= DMARC tag. |
aspf | Alignment mode for SPF | Same as the aspf= DMARC tag. |
p | Policy for DMARC check failures | Same as the p= DMARC tag. |
sp | Policy for subdomains | Same as the sp= DMARC tag. |
pct | Percentage of failing emails | Same as the pct= DMARC tag. |
Each record tag contains the following tags:
| Tag | Content | Purpose |
|---|---|---|
row | ||
.source_ip | IP address that sent the email | Identifies email servers that sent the email messages |
.count | Number of emails from that source | Prioritize investigations by volume |
row.policy_evaluated | ||
.disposition | Action taken under DMARC | Shows how inbox provider handled the email message |
.spf | SPF authentication result | Result of SPF check for that source |
.dkim | DKIM authentication result | Result of DKIM check for that source |
identifiers | ||
.header_from | Domain in the visible From header | Domain against which DMARC evaluates alignment |
auth_results.dkim | ||
.domain | Domain identified in the DKIM TXT record | Domain against which DKIM evaluates alignment |
.result | DKIM authentication result | Result of DKIM check for that source |
.selector | DKIM selector used | Identifies which DKIM key has issues |
auth_results.spf | ||
.domain | Domain identified in the SPF TXT record | Domain against which SPF evaluates alignment |
.result | SPF authentication result | Result of SPF check for that source |
When sending email with a service provider such as Twilio SendGrid, you must authenticate a domain or verify a Single Sender.
What happens if you verify a sender identity using a gmail.com, yahoo.com, or a similar address?
Major mail providers, like Google, Microsoft, and others, protect their customers and prevent abuse using DMARC.
- If you send a message from a Yahoo email address to a Gmail email address, Gmail checks Yahoo's SPF and DKIM records. These records verify the server and the integrity of the email.
- Yahoo has SPF, DKIM, and DMARC policies. Yahoo's DNS records approve domains such as
yahoo.comand the IP addresses Yahoo controls. Yahoo's approved domains and IP addresses don't include Twilio SendGrid domains and IP addresses. - When you send a message from a Yahoo email address to a Gmail email address using Twilio SendGrid, a Gmail server receives the message. As the
return-pathmessage header listsyahoo.com, Gmail looks up Yahoo's SPF and DKIM records. - The Gmail receiving server determines that a Twilio SendGrid IP address sent the message. Yahoo didn't sign the DKIM-Signature for the Twilio SendGrid message. Both SPF and DKIM checks fail. Gmail then follows Yahoo's DMARC failure policy.
No receiving email server can find out whether you used Twilio SendGrid for legitimate email marketing or you spoofed Yahoo's domain.
Twilio recommends authenticating a domain that you do control. The Twilio SendGrid domain authentication process provides CNAME records that you place on your own domain to approve the Twilio SendGrid IP addresses. To protect your domain's reputation, Twilio manages your SPF and DKIM records.
Many inbox providers implement DMARC, including:
- AOL
- Gmail
- Microsoft (Hotmail, MSN)
- Outlook
- Yahoo
Providers with DMARC policies might reject email with messages like:
521 5.2.1 : (DMARC) This message failed DMARC Evaluation and is being refused due to provided DMARC Policy
If bounce with one of these failure messages appears, Twilio SendGrid discarded and tracked it as a Block. Adjust your From address field settings, and then try resending.
Gaining insight from these XML documents can be difficult.
To collect the reports and present not the data but actionable insights, Twilio recommends using a DMARC report monitoring service.
Twilio SendGrid partners with Valimail. To leverage their DMARC monitoring and inbox provider alignment support, perform the following tasks:
- Set up an account through Valimail.
- Add
rua=mailto:dmarc_agg@vali.emailin your DMARC record.