La Bible DMARC : Tout ce que vous devez savoir sur le protocole DMARC et la protection des noms de domaine savec dmarc advisor
Cybersécurité

The DMARC Bible: Everything You Need to Know About the DMARC Protocol

mis à jour le 02-04-2025

Here is a comprehensive guide, structured in clear sections, to answer the most frequently asked questions about the DMARC protocol and its importance for email security and domain name protection. This “bible” can be used as a reference resource for companies looking to understand and implement it.

 

Table des matières masquer
1. Introduction to DMARC
What is DMARC?
Why is DMARC important?
How is DMARC different from other protocols like SPF and DKIM?
Why is proper configuration critical for email security?
What are the limitations of DMARC?
How does DMARC protect against spoofing?
2. How DMARC works
How does DMARC work?
What are SPF and DKIM, and how do they relate to DMARC?
What are the alignment principles in DMARC (SPF aligned, DKIM aligned)?
3. DMARC Setup: Basics and Steps to Set Up an Effective Policy
How do I set up DMARC for my domain?
What are the key elements of a DMARC record?
What is a DMARC policy (p=none, p=quarantine, p=reject)?
How do I test my DMARC policy before deploying it?
4. Common Risks, Mistakes, and Troubleshooting
What are the risks of a misconfigured DMARC policy?
Why do some legitimate emails fail DMARC?
What should I do if my legitimate emails are being rejected?
Why is my domain still being spoofed despite a DMARC policy?
What are the challenges of managing hundreds of domain names with DMARC?
How to automate email flow monitoring and analysis?
Examples of DMARC misconfigurations.
How do attackers exploit a DMARC misconfiguration?
How do you fix a misconfiguration?
How do you avoid DMARC vulnerabilities?
5. DMARC Reports
What is a DMARC report?
What is the difference between an aggregate report (rua) and a forensic report (ruf)?
6. Tools and Solutions
Which tools should you use to manage, analyze, and test a DMARC policy?
How can I optimize my DMARC policy with an expert?
What services does Dmarc Advisor offer to monitor and optimize my configuration?
How can a DMARC audit improve the security of my emails?
Where to find more information?

1. Introduction to DMARC

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect domains from abuse such as spoofing and phishing attacks. It is based on two core protocols:

  • SPF (Sender Policy Framework): Verifies that the sending server is authorized to send emails for the specified domain.
  • DKIM (DomainKeys Identified Mail): Ensures that the message has not been tampered with and that it actually comes from the intended sender.
  • DMARC acts as an overlay by adding a verification policy and providing reporting on domain usage. This ensures greater transparency and the ability to detect and block abuse more effectively.

 

Why is DMARC important?

Implementing DMARC is crucial to ensuring the security of electronic communications and protecting a domain’s reputation. Its benefits include:

  • Email security: Prevents cybercriminals from sending fraudulent emails impersonating your domain.
  • Building trust: Your partners, customers, and employees can be confident that emails from your domain are authentic.
  • Improving deliverability: Compliant emails are less likely to be marked as spam or rejected by email providers.

How is DMARC different from other protocols like SPF and DKIM?

What sets it apart is its ability to combine and monitor the features of SPF and DKIM:

  • SPF and DKIM verify the sender’s identity and message integrity, but they don’t take action if both fail.
  • DMARC adds a clear policy (e.g., reject, quarantine, or observe) and allows detailed reporting of check results. This provides increased control and visibility into domain usage.

Why is proper configuration critical for email security?

Proper DMARC configuration protects against spoofing attacks and provides several strategic benefits:

  • Spoofing protection: Prevents fraudulent emails from reaching your customers and partners, preserving your reputation.
  • Improved email deliverability: DMARC-compliant emails are more likely to be accepted by email providers.
  • Increased visibility: DMARC reporting provides a comprehensive view of who is sending emails using your domain, legitimately or not.

What are the limitations of DMARC?

  • Technical complexity: Initial setup can be complex and requires a thorough understanding of DNS, SPF, and DKIM protocols.
  • Potential impact on legitimate emails: Incorrect configuration can cause legitimate emails to be rejected or marked as spam.
  • Does not cover all threats: This configuration cannot prevent spam or phishing sent from other domains (e.g., lookalike or typosquatted domains).

How does DMARC protect against spoofing?

DMARC acts as a barrier against spoofing by verifying that:

  • The sender of an email has been authorized by the domain owner (via SPF).
  • The integrity of the message is maintained, proving that it has not been modified (via DKIM).
  • The sender and sending domain match (alignment).

If these conditions are not met, the DMARC policy can request to block or quarantine the fraudulent email, preventing it from reaching the recipient. This not only protects your customers but also your business from targeted reputation attacks.

 

2. How DMARC works

How does DMARC work?

DMARC verifies that the sender of an email is authorized to use a specific domain. It relies on two underlying protocols: SPF and DKIM. Here is the simplified process:

  1. SPF and DKIM validation :
    • SPF verifies that the sending server is authorized to send emails for the specified domain.
    • DKIM verifies that the content of the email has not been modified en route and that the sender’s domain matches the one signed by the DKIM cryptographic key.
  2. Domain alignment :
    DMARC requires that the sender’s domain (in the “From” field) matches the one used for SPF or DKIM. This reinforces the legitimacy of the email.
  3. DMARC policy enforcement :
    If SPF and DKIM checks fail or alignments do not match, DMARC enforces a predefined policy:
    • None (p=none): Observe and report, but do not block emails.
    • Quarantine (p=quarantine): Send suspicious emails to the spam folder.
    • Reject (p=reject): Reject non-compliant emails before they reach the recipient.

What are SPF and DKIM, and how do they relate to DMARC?

SPF (Sender Policy Framework)

SPF is a protocol that validates the authorization of an IP address to send emails for a specific domain.

How it works:

  • The domain owner publishes an SPF DNS record listing authorized servers.
  • When an email is sent, the receiving server compares the sender’s IP address with the SPF list.
  • Limitation: SPF does not guarantee that the email has not been modified after it was sent.

DKIM (DomainKeys Identified Mail)

DKIM adds a unique cryptographic signature to each email, linking the email content to a specific domain.

How it works:

  • A private key is used to sign the email when it is sent.
  • The receiving server uses a public key (in the domain’s DNS) to verify that the signature is valid and that the email is intact.
  • Limitation: DKIM does not always verify that the sender’s domain matches the domain used to sign the email.

Relationship to DMARC:

DMARC builds on both of these protocols but introduces an additional mechanism: It requires that one or the other (or both) succeed and that the domain used in the “From” field aligns with the domain used by SPF or DKIM.

What are the alignment principles in DMARC (SPF aligned, DKIM aligned)?

SPF aligned

An email passes the SPF aligned test if: The domain in the “From” field (visible to the recipient) exactly matches the domain used in the SPF record.

DKIM aligned

An email passes the DKIM aligned test if: The domain in the “From” field exactly matches the domain used to sign the email with DKIM.

Strict vs. relaxed alignment

DMARC allows two types of alignment:

  • Strict alignment: The domain in the “From” field must exactly match the SPF or DKIM domain.
  • Relaxed alignment: The domain in the “From” field can be a subdomain of the SPF or DKIM domain (e.g., email.mydomain.com is aligned with mydomain.com).

By combining these alignment principles, a good configuration ensures robust verification and prevents fraudulent emails from appearing legitimate to recipients.

 

3. DMARC Setup: Basics and Steps to Set Up an Effective Policy

How do I set up DMARC for my domain?

Setting up for a domain involves several technical steps. Here’s a step-by-step guide to help you do it:

  1. Set up SPF on your domain
    • Create or update a DNS TXT record to define which servers are allowed to send emails on your behalf.
    • Example SPF record: v=spf1 include:mail.example.com -all
  2. Set up DKIM on your domain
    • Generate a private key (to sign emails) and a public key (to publish in your DNS).
    • Configure your sending servers to sign emails with DKIM.
    • Example DKIM record: v=DKIM1; k=rsa; p=MIIBIjANBgkqh…
  3. Create a DMARC DNS TXT record
    • Add a DNS record for DMARC to your domain. This file should include your specific settings.
    • Example DMARC record: v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100
  4. Test your configuration
    • Use a verification tool (use our DMARC tester) to validate your configuration.
    • Send test emails from your domain to analyze the results.

What are the key elements of a DMARC record?

A DMARC record is a DNS TXT file containing specific settings to manage emails from your domain. Here are the essential elements:

  • v=DMARC1: Indicates that this is a DMARC record.
  • p=: Defines the policy to apply to non-compliant emails. The options are:
  • none: Observe and generate reports, without blocking.
  • quarantine: Send suspicious emails to spam.
  • reject: Reject non-compliant emails.
  • rua=mailto:: Specifies the address where aggregate reports should be sent. These reports provide an overview of performance.
  • ruf=mailto:: Specifies the address to receive forensic reports, detailing verification failures.
  • pct=: Sets the percentage of emails subject to the policy (default is 100%).

What is a DMARC policy (p=none, p=quarantine, p=reject)?

p=none (Observation)

This policy allows you to monitor DMARC activity without blocking suspicious emails.
Ideal for the testing phase or when you are starting to use this protocol.

p=quarantine (Quarantine)

Non-compliant emails are placed in the recipients’ spam folder.
Provides an intermediate level of protection while reducing the risk of rejecting legitimate emails.

p=reject (Reject)

Non-compliant emails are rejected by the destination server.
Recommended once your SPF and DKIM configurations are properly aligned and verified.

How do I test my DMARC policy before deploying it?

Before applying a strict policy (such as quarantine or reject), it is essential to test the configuration:

  1. Use a none policy to start
    • Observe DMARC reports to identify anomalies and domains or servers that are sending emails on your behalf.
  2. Analyze aggregated reports (rua)
    • Verify the results of SPF, DKIM, and alignment checks.
  3. Fix any errors detected
    • Add missing servers to your SPF record.
    • Update your DKIM keys or fix any misconfigurations.
  4. Gradually increase the strictness of your policy
    • Move from none to quarantine, then to reject, adjusting as needed.

 

4. Common Risks, Mistakes, and Troubleshooting

What are the risks of a misconfigured DMARC policy?

A misconfiguration can expose your domain to several significant risks:

  • Rejection of legitimate emails: If SPF or DKIM records are not properly configured, authentic emails can be blocked or marked as spam.
  • Ineffective protection: A poorly defined policy (such as p=none) can leave your domain vulnerable to spoofing attacks.
  • Loss of reputation: Undetected abuse of your domain can reduce the trust of partners and customers in your communications.
  • Lack of visibility: Without proper reporting (rua/ruf) configuration, it is difficult to monitor and identify issues or abuse.

Why do some legitimate emails fail DMARC?

Misconfigured SPF or DKIM records

The sender’s IP address may not be on the SPF allowed list.
The public or private DKIM key may be incorrect or expired.

Using a third-party provider not included in your SPF settings

Third-party services (like marketing platforms or CRMs) sending emails on your behalf must be included in your SPF and DKIM records.

Mismatches between the sending domain and the DKIM/From domain

If the domain visible in the “From” field does not match the one used for SPF or DKIM alignments, the email will fail the DMARC test.

What should I do if my legitimate emails are being rejected?

If your legitimate emails are being rejected or marked as spam, here are the steps to resolve this issue:

  1. Check your SPF, DKIM, and DMARC records
    • Make sure all authorized sending IP addresses and servers are included in your SPF.
    • Confirm that the DKIM keys are properly configured and aligned with your domain.
  2. Add IP addresses of authorized third-party providers
    • Identify third-party services used to send emails and add them to your SPF record.
  3. Test your configurations with an audit tool
    • Use tools like Dmarc Advisor to analyze issues and receive detailed recommendations.

Why is my domain still being spoofed despite a DMARC policy?

Even with a strict policy (p=reject), it is possible for fraudulent emails to appear as if they were sent from your domain. This can be due to:

  • Spoofing of lookalike domains (typosquatting): Attackers use variations of your domain (e.g. your-domain.com becomes your-doma1ne.com).
  • Non-adoption of DMARC by some servers: Some providers do not yet comply with DMARC policies.
  • Lack of proactive analysis reports: Without well-configured reports, it can be difficult to detect these attacks.

Solution:

  • Actively monitor for abuse of lookalike domains.
  • Combine this protocol with other protections, such as trusted trademarks (BIMI) or advanced anti-spoofing technologies.

What are the challenges of managing hundreds of domain names with DMARC?

For companies with a large number of domains, the main challenges include:

  • Monitoring complexity: Monitoring SPF, DKIM, and DMARC configurations for each domain can be time-consuming.
  • Limited visibility: Without a consolidated dashboard, it is difficult to spot anomalies.
  • Risk of human error: Manually managing many domains increases the risk of errors in DNS records.

Solution: Use platforms like Dmarc Advisor to centralize monitoring and automate analysis.

How to automate email flow monitoring and analysis?

Automation is essential to effectively manage DMARC policies at scale. Here’s how to do it:

  • Dedicated platforms: Use tools like Dmarc Advisor to monitor all your domains from a single dashboard.
  • Automated reporting: Set up aggregate (rua) and forensic (ruf) reporting to receive automatic alerts when issues arise.
  • APIs and integrations: Connect your DMARC management tools to your existing monitoring systems for real-time analysis.

Examples of DMARC misconfigurations.

  1. Policy in observation mode too long (p=none): No action is taken against fraudulent emails, leaving the domain vulnerable.
  2. SPF too restrictive: Legitimate IP addresses of third-party providers are not included, causing legitimate emails to be rejected.
  3. No valid DKIM keys: Without correct DKIM signatures, emails fail integrity tests.

How do attackers exploit a DMARC misconfiguration?

  • Exploiting lax policies: If the policy is set to p=none, fraudulent emails are not blocked.
  • Using unprotected domains: Attackers send emails from subdomains or variants not covered by DMARC.
  • Bypassing alignments: By configuring “From” headers to look like legitimate domains without checking SPF or DKIM alignments.

How do you fix a misconfiguration?

  • Analyze your aggregate reports: Identify misconfigured domains or servers.
  • Fix your SPF and DKIM records: Make sure all authorized IPs are included and that DKIM keys are valid.
  • Roll out a strict policy gradually: Move from none to quarantine, then to reject once all issues are resolved.

How do you avoid DMARC vulnerabilities?

  • Regular Audit: Periodically check your SPF, DKIM, and DMARC records.
  • Proactive Monitoring: Set up alerts to quickly detect anomalies.
  • Use Specialized Tools: Centralize management with a solution like Dmarc Advisor to avoid human errors and automate adjustments.

 

5. DMARC Reports

What is a DMARC report?

A DMARC report is a file generated by recipients’ mail servers to inform the owner of a domain about the status of emails sent on their behalf. These reports are essential for monitoring the effectiveness of your DMARC policy and detecting potential abuse or configuration issues.

The reports contain information such as:

  • Sender IP addresses: Identifies the servers that send emails on behalf of your domain.
  • SPF and DKIM verification results: Indicates whether each email passed or failed authentication tests.
  • DMARC Policy Compliance Status: Shows whether the email was accepted, quarantined, or rejected based on your policy.

These reports allow domain owners to:

  • Identify legitimate and illegitimate sources of email sending.
  • Spot incorrect or incomplete configurations.
  • Adjust their policies to improve email security and deliverability.

What is the difference between an aggregate report (rua) and a forensic report (ruf)?

1. Aggregate Report (rua)

  • Definition: The aggregate report is a summary of DMARC activity on your domain.
  • Data included:
    • The number of emails sent.
    • The results of SPF and DKIM tests for each IP address.
    • The overall policy compliance.
  • Purpose: To provide an overview of your DMARC policy performance to analyze trends and identify global issues.
  • Format: Typically sent in XML format.
  • Frequency: Delivered daily by email providers (like Gmail, Yahoo, etc.).

Example of use: An aggregate report may reveal that a rogue server is regularly sending emails on behalf of your domain, requiring an update to your SPF configuration.

2. Forensic Report (ruf)

  • Definition: The forensic report, also known as a detailed report, provides specific information about emails that fail DMARC checks.
  • Data included:
    • The full email header (including the “From” field, SPF and DKIM information).
    • Details of the failure (e.g., incorrect SPF alignment).
  • Purpose: To help diagnose and resolve specific issues by providing a granular level of detail.
  • Format: Typically sent as plain text or a JSON file.
  • Frequency: Sent in real-time or whenever a DMARC failure is detected.

Example of use: A forensic report may indicate that an email fails because the DKIM key used is not aligned with the sending domain.

Summary of differences between rua and ruf

Feature Aggregate Report (rua) Forensic Report (ruf)
Purpose Performance overview Detailed failure diagnostics
Content Summary data Data specific to each failure
Format XML Plain text or JSON
Frequency Daily Real-time or upon failure detection
Level of detail Moderate High

These two types of reports complement each other. Aggregate reports provide a macro view to monitor trends and compliance, while forensic reports provide micro analysis to troubleshoot specific issues. By using them together, you can optimize the security and deliverability of your emails.

 

6. Tools and Solutions

 

Which tools should you use to manage, analyze, and test a DMARC policy?

To ensure the security and compliance of your emails on a large scale, several specialized platforms and tools exist. Rather than listing the tools individually, here are the essential features you should look for, accompanied by the appropriate solutions.

 

1. Domain Name Management with DMARC

For companies with many domains to secure and monitor simultaneously.
Key Features:
  • Centralized management: Control multiple domains from a single dashboard.
  • Report automation: Automatic generation of DMARC reports (aggregate and forensic).
  • Multi-domain monitoring: Proactive detection of abuse across all domains.
  • Problem alerts: Real-time notifications of anomalies.
Recommended Tools:
  • Dmarc Advisor: Ideal for large companies with hundreds of domains.
  • Valimail: Specialist in managing large domain parks, with a focus on automation.

2. DMARC, SPF, and DKIM Configuration Analysis

To verify that your settings are correctly configured and compliant with DMARC standards.
Key Features:
  • DNS record analysis: Verification of DMARC, SPF, and DKIM configurations.
  • Error detection: Identification of syntax or configuration errors.
  • Improvement recommendations: Suggestions for correcting and optimizing configurations.
  • Detailed analysis reports: Complete view of email flows and test results.
Recommended Tools:

3. DMARC Pre-deployment Testing and Simulation

To validate your configurations before switching to a strict policy (p=reject).
Key Features:
  • Sending test emails: Test email compliance before deployment.
  • DMARC policy simulation: Visualize the impact of a p=none, quarantine, or reject policy.
  • Results preview: Anticipate the consequences on the deliverability of legitimate emails.
Recommended Tools:
  • Dmarc Advisor: Real-time testing and impact simulations before deployment.
  • Mail Tester: Simple and effective for testing SPF, DKIM, and DMARC with an overall score.
  • DMARC Analyzer: Advanced policy simulation and real-world testing.

4. Abuse Monitoring and Management (Typosquatting and Advanced Spoofing)

To monitor domain abuse and protect against indirect spoofing.
Key Features:
  • Similar Domain Detection (typosquatting): Identify fraudulent variants of your domain.
  • Proactive Monitoring: Alerts on detected abuse.
  • Brand Protection: Prevent attacks targeting domain names close to yours.
Recommended Tools:
  • Valimail: Recognized for advanced typosquatting management.
  • Dmarc Advisor: Integrates brand protection features.

5. DMARC Audit and Professional Support

For companies seeking expert support on DMARC compliance.

Key Features:

  • Comprehensive Compliance Audit: Analysis of the current configuration and recommendations.
  • Customized Support: Technical expertise for large infrastructures.
  • Configuration Optimization: Assistance to improve deliverability and security.
  • Ongoing support: Post-implementation monitoring and maintenance.
Recommended Tools and Services:
  • Dmarc Advisor: Advanced audit services and support for large companies.
  • Dmarcian: Also offers consulting and advanced configuration services.

Summary: Which Tool Should You Choose According to Your Needs?

As a reminder, Castelis is a Dmarc Advisor partner and supports you in securing your domain names.

 

How can I optimize my DMARC policy with an expert?

  • Analysis of current configurations: An expert examines your SPF, DKIM, and DMARC records to identify gaps.
  • Personalized recommendations: Suggests specific adjustments to improve security and deliverability.
  • Training and support: Helps your internal teams better understand and manage DMARC policies.

 

What services does Dmarc Advisor offer to monitor and optimize my configuration?

  • Centralized monitoring: Real-time monitoring of all your domains and email flows.
  • Advanced reporting: Detailed analysis of results, with alerts in case of problems.
  • Automation of adjustments: Automated recommendations to optimize SPF, DKIM, and DMARC configurations.

 

How can a DMARC audit improve the security of my emails?

  • Abuse detection: An audit helps identify attempts to spoof or unauthorized use of your domain.
  • Regulatory compliance: Ensure your policy meets legal requirements, especially in regulated sectors (finance, healthcare, etc.).
  • Improve deliverability: Correct errors to maximize the chances that your legitimate emails reach their recipient.

 

Where to find more information?

To deepen your knowledge of DMARC and access reliable resources:

Voir plus de Actualités