Improving DMARC Compliance

In recent months, DMARC has become increasingly mentioned in the news as a way to reduce spam, improve email deliverability and reduce the potential for fraud and phishing.

  • In early 2017, UK National Health Service required DMARC as the default for email services.
  • In July, a US Senator Ron Wyden sent an open letter to the US Department of Homeland Security requesting the agency take steps to protect all Federal agencies with DMARC.
  • In August, the UK’s HMRevenues & Customs announced that it had stopped over 300k phishing emails using DMARC.
  • In October, the US Department of Homeland Security directed Federal agencies to adopt security technologies like DMARC.

With all this attention, businesses are starting to realize that adopting DMARC helps them in two ways:

  • Inbound – using DMARC to screen incoming emails for compliance can limit your company’s exposure to fraud and phishing emails, scams and malware.
  • Outbound – sending email that is DMARC compliant can improve email delivery to your customers and limit the potential negative impacts of 3rd parties that try to use your domain for fraud or phishing.

MxToolbox highly recommends that every company implement DMARC for both inbound email screening and outbound email delivery.  Inbound email screening is dependent on your particular email service.

How does DMARC work for outbound email?

DMARC works in conjunction with two other technologies: SPF and DKIM.  SPF allows you to designate 3rd parties as legitimate senders for your domain.  More on SPF here. DKIM allows you to take responsibility for your email by cryptographically signing your email.  SPF, DKIM and DMARC use DNS records to specify the IP addresses, domains and security keys for your particular configuration.

DMARC requires both SPF and DKIM to function properly.  Once you setup SPF and DKIM you can setup DMARC to get information on how your outbound emails are performing – whether or not emails coming “from” your domain are compliant with the definitions in your SPF and how many of your emails are compliant with DKIM.

With a DMARC record, you specify an email address for aggregate feedback about your SPF and DKIM compliance, an email address for specific forensic feedback related to failed emails and how email that fails compliance should be handled by the recipient – ignored, quarantined or rejected.

How do you improve your DMARC Compliance?

DMARC Compliance is based upon SPF and DKIM compliance rates.  In order to improve your outbound DMARC compliance and therefore your email delivery rates, you must:

Setup DMARC with both RUA and RUF

RUA and RUF designate email addresses where you can receive summaries of authentication and alignment pass/fail and detailed forensic information on failed emails.  As this is the only way to receive feedback, setting up these email addresses is extremely important.

Monitoring your DMARC Feedback

Inbox providers will respond to these RUA and RUF tags by sending summaries.  Unfortunately, the summary digests and forensic details are not quite human readable.  If your outbound email volume is over a few hundred emails a day, you need to consider some way to decode these digests.

MxToolbox provides a service, Delivery Center, that decodes these digests, summarizesthem and gives you granular reports on how your emails are performing.

dc_dashboardWith tools like Delivery Center, you can review the IP addresses and Domains sending on your behalf to determine how your legitimate senders are performing and who is using your brand/domain name to commit fraud and phishing.  It is important to investigate domains and IPs that fail SPF, DKIM and DMARC regularly so that determine if they are legitimate and need to have their configuration updated or illegitimate and need to be blocked. As your investigations progress and you improve your configurations, you will have more confidence when you decide to tell recipients to block failed email.


Act on DMARC Forensic Responses

DMARC forensic reports provide you with detailed information about the emails that have failed SPF, DKIM and DMARC checks.  You can use this information to investigate threats to your brand or problems with your 3rd party emailers.

Tools like MxToolbox Delivery Center give you immediate access to DMARC forensic reports that enable your detailed investigations.


The best way to improve email delivery is to adopt new technologies SPF, DKIM and DMARC and leverage a tool like MxToolbox Delivery Center that gives you insight into how your email is performing.  With the right tool, you can keep tabs on your email configuration, understand the threat to your brand, and improve email delivery.

Source: MXtoolbox