What the Heck is DMARC and is it Important?

We also have this information in video format. 

Ok, DMARC, Domain-based Message Authentication, Reporting & Conformance. It’s actually a 5 letter acronym that really takes advantage of a 3 letter and a 4 letter acronym, SPF and DKIM. So together we have a 12 letter acronym. And if you want emails from your company to be safely delivered, better pay attention.

Here’s the bottom line. When you get an email from my organization, you see an email from “@Simplex-IT.com”. But did my organization really send it? That’s what DMARC is all about.

Most companies use tools that, amongst other things, send out emails on their behalf. We use tools that create emails from service tickets, monthly eNewsletters, CRM updates, alerts from various partners. And, of course, being a Microsoft 365 “client”, we send emails from Microsoft.

Each one of these is probably a different company/service than Simplex-IT. So how do you know that I’ve “blessed” those companies, versus somebody pretending to be us? That’s where the next acronym comes into play, namely “SPF” or “Sender Policy Framework”. We publish an SPF entry in our DNS (yeah, I slipped another acronym in, sorry) that “blesses” each of these services by listing the mail servers allowed to send on our behalf.

But is that the only way we can be sure about blessing the folks that are sending your emails? Nope. There’s another way. Now we’re talking about DKIM, “DomainKeys Identified Mail”. This is a service that most email providers (including Microsoft 365) support. It creates a public/private key pair, signs each message we send with the private key, and publishes the public key in our DNS, so you can check that the email you receive is exactly what we sent you and hasn’t been altered on the way.

By the way, not all services can be fully configured for both SPF and DKIM. That’s ok. As long as one is configured, you’re good!

A DMARC policy essentially tells the rest of the email world that you take security seriously, uses your SPF and DKIM records to identify the sources/services that you have “approved”, and recommends what the receiver should do with emails sent from any other source. That recommendation could be “do what you want” (aka “none”), “send it to spam” (aka “quarantine”) or “reject” (aka…um…”reject”).

So when anyone gets an email claiming to be from your domain, the receiver can use your DMARC policy to verify that it came from one of those services you blessed. If it passes either the SPF or DKIM check (and the domain that passed lines up with the domain in the From address), we’re good! If not, it gets treated however your policy says, which ideally means rejected. And if configured properly you’ll get daily summary reports about not only delivered emails, but stuff that wasn’t delivered…y’know…from people pretending to be you.
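To make that receiver-side check concrete, here is a small Python model of DMARC evaluation. It is an added example, not Simplex-IT’s code or a production verifier: it parses a DMARC TXT record, checks whether the SPF or DKIM domain aligns with the visible From domain, and returns the policy disposition when neither does. The record and domains are constructed, and the organizational-domain lookup is simplified.

```python
# Added example (not Simplex-IT's code): how a receiving mail server applies DMARC.
# DMARC passes when SPF or DKIM passes AND the domain that passed aligns with the
# From: domain; otherwise the domain owner's published p= policy decides the fate.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    (Real receivers consult the Public Suffix List; this is an assumption.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts subdomains of the From domain;
    strict ('s') alignment requires an exact match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_results):
    """record: DMARC TXT string for the From domain.
    spf_result/spf_domain: SPF outcome and the MAIL FROM domain it was checked for.
    dkim_results: list of (d= domain, result) for each verified DKIM signature.
    Returns (dmarc_result, disposition); disposition is 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "none")  # no usable policy published
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))

# Constructed DMARC record for illustration: strict DKIM alignment, relaxed SPF alignment.
RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # A mailbox provider sending for example.com with an aligned SPF domain passes.
    print(evaluate_dmarc(RECORD, "example.com", "pass", "mail.example.com", []))
    # A message that only passes SPF/DKIM for some other domain fails and is quarantined.
    print(evaluate_dmarc(RECORD, "example.com", "pass", "other.example", [("other.example", "pass")]))
```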

Ok, why the big deal? DMARC was introduced in 2012. DKIM was developed in 2007. SPF was introduced in 2005 (for sunscreen a bit earlier, namely 1938).

Because starting in February of '24, email providers like Google (gmail) are starting to require DMARC to be properly configured and in place or they won’t accept delivery of your email. To start they’re focusing on organizations sending over 5,000 emails per day. But this is just the beginning. Let’s face it, email spoofing and the like are amongst the most favorite strategies of the bad guys. This is a fairly simple way to block a lot of their most effective strategies.

The bottom line is whether you’re sending or receiving emails, you may not have a vote in terms of whether to pay attention to DMARC, SPF, or DKIM.

Want to know if your domains are ready? Click here for a free test.

Here at Simplex-IT we’ve implemented new DMARC configuration and management processes. Pretty easy, and not horribly expensive. Feel free to reach out and ask for details. Email me at BobC@Simplex-IT.com.

And if I don’t respond to your emails, I may not be ignoring you. I may not have received it.

Bob Coppedge

About Bob Coppedge

Simplex-IT, CEO

Bob is the CEO of Simplex-IT. He has over 40 years’ experience in IT (Information Technology) and in 2007 he created Simplex-IT to be the “good guys” in the IT world, specializing in making IT work for small to medium businesses and to “Simplify the Complex”. Bob is an industry leading expert with the ability to translate tech talk into everyday language. Bob has authored three books: “The MSP’s Survival Guide to Co-Managed IT services”, “A CEO’s Survival Guide to Information Technology”, and his latest “I Don’t Want Your Job: Is Co-Managed IT services the Right fit for You?”. Bob regularly speaks at various national and area events, including IT Nation, DattoCon, Private Directors Association and more.

Connect with Bob on LinkedIn: https://www.linkedin.com/in/rlcoppedge/
