
What is DMARC and how does it work: protect your reputation in email marketing - Marketing 4 Ecommerce - Your e-commerce online marketing magazine

DMARC offers protection against phishing attacks, but what about privacy?

For many, it's a daily occurrence: suddenly, your inbox is flooded with emails from banks, large online retailers, or logistics companies asking you to "verify" your personal data under some pretext.

You have been the victim of a phishing attack, but you are not alone! In 2017 alone, users of Kaspersky Lab's anti-phishing system were alerted 246,231,645 times, an increase of almost 60 percent over the previous year. These attacks not only harm the recipient, who carelessly discloses their personal data, but also damage the reputation and deliverability of the impersonated brand. With DMARC, you can effectively protect your own brand against this kind of misuse.


What is DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a specification that companies can use to detect and handle the misuse of their sender domain.

The goal is to intercept phishing emails as early as possible so that they never reach users. Phishing emails often contain links to websites where attackers try to obtain private data. Very often the sender's address is forged so that the message appears to come from your bank or courier company.

DMARC is not a completely new technology. Companies have been able to work with the DMARC specification since 2012; however, its use is still far from the rule. One reason is that, even as the specification was being developed, it was not clear to what extent the use of DMARC involved processing personal data that, in Europe, fell under the previous data protection legislation.

So, am I processing data illegally when I use DMARC?


DMARC brings together two technologies, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), which act in the gap between sender and recipient.

SPF prevents the forgery of a sender's address by letting the receiver verify that the email comes from a host authorised by the domain's administrator.

DKIM proves that the mail has not been altered on its way to the recipient, and that it was indeed signed by the domain it claims to come from.

How DMARC works

In principle, DMARC works as follows: the sender or domain owner must publish the SPF records and the DKIM public key in the DNS of every domain from which it sends mail. These records specify which IP addresses and which signing keys are allowed to send legitimate outgoing email.

With SPF, the IP address of the sending server is compared against the list of IP addresses published for that domain. With DKIM, emails are cryptographically signed on the way out with a private key, and the recipient's mail provider validates the signature against the public key published in DNS.

DMARC ties these two technologies together (the SPF and DKIM results, and whether they align with the domain shown in the sender address) and allows the domain owner to decide what to do with messages that have failed the SPF and DKIM checks in whole or in part. The domain owner has these options:

None: the email is delivered as usual whether or not it has passed DMARC; the policy only monitors.

Quarantine: the email is delivered to the spam folder.

Reject: the email is not delivered.

If you are new to DMARC, you may want to start with the none policy and begin collecting information on the use or abuse of your domain from the automatic reports sent by ISPs. This policy is useful for building an inventory of legitimate sending hosts and for checking the alignment and authentication of those hosts.

If you opt for the quarantine policy, the ISP is advised to send the email to the spam folder if DMARC fails. The reject policy is the strictest of the three: an email that fails DMARC is rejected outright, and the recipient never sees it. False positives are rejected as well, so this option always means that a small percentage of legitimate emails will never reach their recipients.

In addition, the domain owner uses the Domain Name System (DNS) to specify the email address to which the ISPs of recipients participating in DMARC should send information about messages claiming to come from the domain, together with the results of their email authentication checks. This is done through reports.
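The policy decision described above (none, quarantine, reject, plus the reporting address) can be modelled in a few lines. The following is an added example written for this article, not code from the original page or from any DMARC implementation: it parses a DMARC TXT record, checks SPF/DKIM alignment with the visible From: domain, and returns the action a receiver would take. All domains, addresses and message results are constructed sample data; the relaxed-alignment check is simplified (real receivers compare organizational domains using the public suffix list).

```python
from dataclasses import dataclass

def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r', the default) also
    accepts a parent/child relationship. Simplified: real receivers compare
    organizational domains using the public suffix list."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From: header
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated for (envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature

def dmarc_disposition(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, action) the way a participating receiver would."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned, passing mechanism is enough
        return "pass", "deliver"
    action = "deliver" if tags["p"] == "none" else tags["p"]   # none = monitor only
    return "fail", action

# Constructed sample records and messages (not real domains or addresses)
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
LEGIT = AuthResults("example.com", True, "bounce.example.com", True, "example.com")
PHISH = AuthResults("example.com", True, "mailer.attacker.test", False, "")

if __name__ == "__main__":
    print(dmarc_disposition(REJECT_RECORD, LEGIT))    # ('pass', 'deliver')
    print(dmarc_disposition(REJECT_RECORD, PHISH))    # ('fail', 'reject')
    print(dmarc_disposition(MONITOR_RECORD, PHISH))   # ('fail', 'deliver')
```

Note that the forged message passes SPF for the attacker's own domain; it is the alignment check against the From: domain that makes DMARC fail it.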