
What is a DMARC and why do I need one?

Jim Infantino

Email is finally tightening up. This is a good thing. Services like Google Workspace, Gmail, and Yahoo, and gradually every email service, will require authentication and validation to be set up for all email they receive from you and for you.

I keep hearing about DMARC, DKIM, SPF, and SMTP. What do these stand for?

SPF

SPF stands for Sender Policy Framework. It is an anti-spoofing record tied to the domain, and it is the weakest of these measures against people sending out email disguised as coming from you.

DKIM

DKIM is DomainKeys Identified Mail. Tied to the domain, it works like a password made of a long string of secret random characters. There are two keys, a public key and a private key, and they are used to ensure that your email was sent from your outgoing mail server and was authenticated for your domain.

DMARC

DMARC is Domain-based Message Authentication, Reporting, and Conformance. Tied to the domain, it is a policy stating that only authenticated, verified email sent from your domain is authentic. As you set it up, this policy can contain records that say how you want receivers to handle email that apparently was not sent by you (because SPF and DKIM do not align) and where you want a report with this information sent.

Important to note:

The above records are set at the nameserver for your domain. This might be handled by us at Slabmedia if you are a client, or at your domain registrar (Network Solutions, GoDaddy, Namecheap, etc.). They are attached to your domain name (the something.com that appears after the @ sign in your email address). You only need to be concerned with email coming from your own domain, not email that ends in gmail.com, Hotmail, or Yahoo.
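To make the three records concrete, here is an added example (not code from the article or from Slabmedia) that inspects the SPF, DKIM, and DMARC TXT records for a domain and lists the settings a domain owner would want to tighten. The DNS answers are constructed for the hypothetical domain example.com with a hypothetical DKIM selector "google"; a real check would fetch them from a resolver instead of the embedded dictionary.

```python
"""Inspect the SPF, DKIM and DMARC TXT records published for a domain.

Added example, not from the article or Slabmedia. The DNS answers below are
constructed for the hypothetical domain example.com; a real audit would
query a resolver for the same three names instead of reading this dict.
"""
from typing import Dict, List, Optional

# Constructed sample DNS TXT answers, keyed by the name a resolver would query.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    # SPF lives on the bare domain; ~all is a "soft fail" for unlisted senders.
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    # DKIM lives at <selector>._domainkey.<domain>; the public key is a placeholder.
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    # DMARC lives at _dmarc.<domain>; p=none only monitors, rua= is the report address.
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style record (DKIM and DMARC use this) into a tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record: str) -> Dict[str, object]:
    """Return the mechanisms of an SPF record and the qualifier on its 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_qualifier: Optional[str] = None
    for term in mechanisms:
        if term.lstrip("+-~?").lower() == "all":
            # A bare 'all' means '+all': every sender passes.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"mechanisms": mechanisms, "all": all_qualifier}


def audit_domain(domain: str, txt: Dict[str, List[str]], dkim_selector: str) -> List[str]:
    """Produce human-readable findings about the three records for one domain."""
    findings: List[str] = []

    spf_records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("SPF: no record; receivers cannot tell which servers may send for the domain")
    else:
        spf = parse_spf(spf_records[0])
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: 'all' term missing or permissive; unlisted senders are not rejected")
        elif spf["all"] == "~":
            findings.append("SPF: soft fail (~all); unlisted senders are only marked suspicious")
        # RFC 7208: more than one SPF record for a name evaluates as permerror.
        if len(spf_records) > 1:
            findings.append("SPF: more than one record; receivers treat this as a permanent error")

    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    dkim = next((parse_tags(r) for r in txt.get(dkim_name, [])), None)
    if not dkim or not dkim.get("p"):
        findings.append(f"DKIM: no public key published at {dkim_name}")

    dmarc = next((parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])), None)
    if not dmarc or dmarc.get("v") != "DMARC1":
        findings.append(f"DMARC: no policy record at _dmarc.{domain}")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; unauthenticated mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


if __name__ == "__main__":
    for finding in audit_domain("example.com", SAMPLE_TXT_RECORDS, "google"):
        print(finding)
```

Run as a script, it reports the soft-fail SPF and the monitor-only DMARC policy of the sample domain and says nothing about DKIM, because a public key is published. The `organizational` names to query are the same three the article lists: the bare domain for SPF, `<selector>._domainkey.<domain>` for DKIM, and `_dmarc.<domain>` for DMARC.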

SMTP

SMTP stands for Simple Mail Transfer Protocol. It is older than the web itself. So old, in fact, that when it was introduced, the number one song was “Call Me” by Blondie. The important thing about it is that it sends email using your username and password each time. There are other methods for sending email that don’t require a username and password, such as simple scripts on websites that send email from the server, unauthenticated. This didn’t use to be a problematic way to send newsletters or other messages, but it is now. Soon, it will be gone for good.

So, does this mean if my email gets hacked, the hacker won’t be able to send out emails from my address?

Sadly, no. If a hacker has your email username and password, they can authenticate the spam they send out the same way you authenticate your own mail. What these records prevent is a spammer, not a hacker, sending out emails with your address in the From: and Reply-To: headers. Those emails will not be authenticated: they will fail the SPF test and the DKIM test, and DMARC will reject them, quarantine them, and/or notify you, depending on which of those features you have set up in your DMARC record.
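The distinction in this answer can be traced through the check a receiving server performs. The following is an added example, not code from the article or from Slabmedia: it simulates the DMARC decision for three constructed messages claiming to be from the hypothetical domain example.com. A message passes DMARC when either SPF or DKIM passes for a domain that aligns with the visible From: domain; otherwise the owner's p= policy decides the disposition. The `organizational_domain` helper is a simplification (last two labels) of what real receivers do with the Public Suffix List.

```python
"""Simulate the DMARC check a receiving server applies to one message.

Added example, not from the article. The authentication results below are
constructed; a real receiver gets them from its own SPF and DKIM verification
of the incoming message.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AuthResults:
    """What a receiver knows about one message after its own SPF and DKIM checks."""
    from_domain: str                        # domain in the visible From: header
    spf_domain: str                         # envelope (MAIL FROM) domain SPF evaluated
    spf_result: str                         # "pass", "fail", "softfail", "none", ...
    dkim_signatures: List[Tuple[str, str]]  # (d= signing domain, result) per signature


def organizational_domain(name: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real receivers consult the Public Suffix List (e.g. for co.uk names)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return organizational_domain(candidate) == organizational_domain(from_domain)


def dmarc_evaluate(results: AuthResults, policy: str,
                   adkim: str = "r", aspf: str = "r") -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition).

    DMARC passes if an aligned DKIM signature verified OR SPF passed for an
    aligned domain. On failure the domain owner's p= tag decides what happens.
    """
    spf_ok = results.spf_result == "pass" and aligned(results.spf_domain, results.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, results.from_domain, adkim)
                  for d, res in results.dkim_signatures)
    if spf_ok or dkim_ok:
        return True, "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, disposition.get(policy, "deliver")


# Constructed scenarios for the hypothetical domain example.com.
SCENARIOS: Dict[str, AuthResults] = {
    # Sent through example.com's own server with the owner's credentials.
    "legitimate": AuthResults("example.com", "example.com", "pass", [("example.com", "pass")]),
    # Spammer forges From: example.com but sends from infrastructure it controls;
    # SPF and DKIM may pass for that other domain, yet neither aligns with From:.
    "spoofed": AuthResults("example.com", "bulk-sender.example", "pass",
                           [("bulk-sender.example", "pass")]),
    # Stolen credentials: the mail is sent exactly like legitimate mail, so
    # SPF, DKIM and DMARC cannot distinguish it (the article's "Sadly, no").
    "stolen_credentials": AuthResults("example.com", "example.com", "pass",
                                      [("example.com", "pass")]),
}


def run_scenarios(policy: str) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every scenario under one DMARC policy (p=none/quarantine/reject)."""
    return {name: dmarc_evaluate(r, policy) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        print(f"p={p}:", run_scenarios(p))
```

Only the spoofed message fails, and what happens to it depends entirely on the p= value: with p=none it is still delivered (and only reported), with p=quarantine it lands in spam, with p=reject it is refused. The stolen-credentials case evaluates identically to legitimate mail, which is why these records do not protect against a compromised account.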

We are working to get all SPF, DKIM, and DMARC records up and running for our clients, but each client’s email situation is different, and must be dealt with one at a time. Please contact us with any questions about these changes to the world of email.