Amazon SES Blog

What is DMARC and should you use it?

This past year, the email industry launched a new standard to help senders protect their mail from being spoofed by phishing attempts.  Thus, DMARC was born.  It stands for “Domain-based Message Authentication, Reporting and Conformance.”  It’s a mouthful, but the impact of DMARC is significant.  LinkedIn has a good article describing what exactly DMARC brings to the table.  In a nutshell, DMARC enables you to tell ISPs how to handle email that spoofs your domain (e.g., quarantine, block, etc.).

Here’s how it works:

  1. You, as a sender, authenticate your email using SPF and/or DKIM.  Remember, you can use the Amazon SES Easy DKIM feature to accomplish this.  With authentication, you prove to the ISP that you are in fact the originator of the message.
  2. You publish a DMARC record in your DNS.  Instructions for how to do this can be found here.  For an example record, you can look at the DMARC record for Amazon.com shown below.
    _dmarc.amazon.com. 897 IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@bounces.amazon.com; ruf=mailto:dmarc-reports@bounces.amazon.com"

    In English, the Amazon.com record states “For any email failing authentication with a “From” domain of Amazon.com, put in the spam folder 100 percent of the time and send activity reports to dmarc-reports@bounces.amazon.com.”

  3. Once your TXT record is publically published, participating ISPs will look at messages purporting to come from your domain, check whether you have a DMARC record, and if so, perform whatever action you’ve specified in your “p=” field to messages that are not authenticated.
  4. You watch the reports that flow into both the “rua” and “ruf” addresses, where individual and aggregate violation reports are sent. You should verify reports are actually phishing attempts and not your email you didn’t authenticate. If you find a lot of instances of phishing against your domain being reported, you can work with 3rd party vendors to takedown fake domains.
  5. You’re all set!

Please note that DMARC is all or nothing and applies to every email coming into an ISP’s email system in the same way.  This means that if you have any 3rd party email systems sending messages on your behalf (such as a CRM solution or event notification system), you’ll need to set these systems up with authentication or else you risk having that mail treated as phishing attempts.  As noted in step #4 above, watch the incoming reports carefully, especially after you enable DMARC, to ensure you’re not inadvertently telling ISPs to throw away legitimate mail from your domain that just happens to be not be authenticated.  Remember, an ISP will only be able to tell whether email is legitimate if the mail is authenticated from your domain.

As always, let us know if you have any questions.  We believe DMARC is a step in the right direction for curbing phishing email at the ISP level, where you have no visibility into who may be spoofing your domain.