What are DMARC records and can they improve email security?

The U.S. federal government last year mandated that all agencies implement DMARC policies by October 2018. But according to research by cybersecurity vendor Agari, barely more than half of the agencies have fully enforced DMARC policies as of mid-October. How hard is DMARC to implement and what are its benefits for email security?

The implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC) policies relies on two related standards: the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) protocol, both of which defend against spam by authenticating the domains of inbound email.

While DMARC enables the administrative owner of a domain to publish a policy based on either or both standards, implementation presents a challenge, as both protocols can be prone to error when sending emails from a domain and handling email failures.

An organization creating DMARC records for the first time -- as many government agencies are now doing -- will likely encounter both syntax and content issues. Instructions for setting up DMARC records can be confusing, and one of the most common mistakes is the improper use of wildcard domain name system entries. These entries can return both DMARC and non-DMARC records -- such as SPF records and DKIM keys.

Problems can also arise when implementers leave default configurations unchanged. For example, the default DMARC configuration includes the policy p=none, which specifies that no action should be taken if a DMARC check fails. If the default configuration is not updated, DMARC verification may be happening, but any email that fails the tests will not trigger any action.

When configuring DMARC, administrators should review all the suggested solutions at least twice to avoid the confusion caused by visually ambiguous characters. For example, semicolons must be distinguished from colons and commas because the intelligent parser checker isn't available when the administrator enters text incorrectly. Other common problems with DMARC records can be found on the DMARC website.

When DMARC records are properly set up, email security sees benefits, as unauthorized use of the owner's email domain is prevented, email delivery is simplified and domain owners gain visibility into the use of the email domain.

Furthermore, owners should ensure that the server's IP address doesn't change without a mechanism to update all the DMARC and related system configurations.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)