Tip - more e-mail security with DMARC





Post by Research » Thu 6. Mar 2025, 18:10

Authentication using DMARC can make communication via email even more secure and trustworthy. Now that Google and Yahoo tightened the requirements for email senders in 2024, the so-called DMARC settings of domains are increasingly coming into focus.

In addition to Google and Yahoo, Microsoft, AOL, PayPal and others were also involved in the development of the DMARC specification. DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance”. This is a public protocol for email authentication which, in combination with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), checks whether an email actually originates from a legitimate source. SPF determines which IP addresses are authorized to send e-mails via a domain; DKIM adds a digital signature to each outgoing e-mail, which can be verified by the recipient. As a result, this security mechanism ensures that only authenticated systems can send e-mails on behalf of a domain, thereby protecting against fraud attempts such as phishing or e-mail spoofing and at the same time improving its own deliverability and reducing classification as spam.

The owner of a domain specifies a DMARC policy for a sender domain based on given rules (RFC 7489). This policy describes how recipient servers handle the sender's emails if DKIM or SPF authentication is successful or fails. To enable recipient servers to read the sender server's DMARC policy, it is entered in the domain name system of the web host used as a TXT resource record in the form of a freely defined text. The DKIM key and the SPF record are also entered there, alternatively or - ideally - together.

If an email is now sent via the DNS, the recipient can perform a DKIM check and an SPF check by retrieving the TXT resource record from the sender domain. As part of the decryption process, the DKIM check checks whether the email originates in unchanged form from the displayed sender. If the result is positive, the email is delivered. If the result is negative, an SPF check takes place. The SPF check, which can also take place independently if both procedures are used, checks whether the IP address used to send the email from a specific domain is authorized to send the email. If the result is positive, the email is delivered. If this check fails, a DKIM check can be carried out if this has not already been done.

If the second check (SPF to DKIM or DKIM to SPF) is also negative, the DMARC policy comes into effect, which regulates how the email is to be handled. In the DMARC policy, there are three “guidelines” that can be executed: “none” (approve): the e-mail is delivered; “quarantine”: the e-mail is delivered but declared as spam; “reject”: the e-mail is rejected, delivery does not take place.

RFC 7489, which describes DMARC in more detail, can be found at:
https://datatracker.ietf.org/doc/html/rfc7489
Research
 
Posts: 337
Joined: Thu 4. Jul 2024, 09:25
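
The policy lookup and decision described in the post above, as an added example that is not part of the original post: it parses a DMARC TXT record and returns what a receiver would do once the SPF and DKIM results are known. It goes one step beyond the post by also applying the RFC 7489 identifier alignment tags (`adkim`, `aspf`). The record and domains are constructed sample values, relaxed alignment is approximated without the Public Suffix List, and the `pct` and `sp` tags are ignored.

```python
# Added example: evaluate a DMARC policy record as a receiving server would.
# RECORD and all domains are constructed sample values, not real deployments.
RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc@example.org"

def parse_dmarc(txt):
    """Parse a TXT record into a tag -> value dict; None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the v tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    # Simplification: a record without a valid p tag is treated as unusable.
    tags["p"] = tags.get("p", "").lower()
    return tags if tags["p"] in ("none", "quarantine", "reject") else None

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match with the From: domain. Relaxed ('r')
    needs the same organizational domain, approximated here as one name being
    a parent of the other (a real receiver uses the Public Suffix List)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if a == f:
        return True
    return mode != "s" and (a.endswith("." + f) or f.endswith("." + a))

def disposition(record_txt, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the SPF domain is the envelope
    sender (MAIL FROM), the DKIM domain is the signature's d= tag."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    # One aligned pass is enough; only when both fail does the p tag apply.
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

if __name__ == "__main__":
    # SPF passes, but for an unrelated envelope domain, and DKIM fails.
    print(disposition(RECORD, "example.org",
                      ("pass", "bulk-sender.test"), ("fail", "example.org")))
```

The printed case shows why a bare SPF pass is not sufficient: the envelope domain does not match the visible From: domain, so the message falls through to the published `quarantine` policy.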
