About DMARC and Email Authentication

“Email Authentication Simplified”

Google made a big announcement on 30th January 2012. Well, it wasn’t just Google: the announcement actually came from fifteen leading email service and technology providers, who are all fighting spam and phishing together, in a big way, by forming a new email authentication standard. If you are in any way connected with digital marketing or email marketing, here is a short post on the what, how and why of this important development.


Who has formed this new standard?
It is formed by DMARC.org. DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

The founding contributors include:
Receivers: AOL, Comcast, GMail, Hotmail, Yahoo! Mail
Senders: American Greetings, Bank of America, Facebook, Fidelity, LinkedIn, Paypal
Intermediaries & Vendors: Agari, Cloudmark, eCert, ReturnPath, Trusted Domain Project

Why is this needed?
To combat email fraud. It’s easy to fake an email. How can readers know if the email was really sent by their bank? How will Gmail know if the bank really sent the email? Email fraud is a big concern for everyone. Unfortunately, India is right at the top of the email spam charts, so this is a very important and good development for us.

Aren’t there some standards already?
Yes. SPF and DKIM are two popular standards amongst others. I wrote a simple guide about how SPF functions here.

What is SPF?
In short, there is a sender of the email and there is a website (domain) that the email claims to come from. It’s possible that the sender is faking the email. So email providers like Gmail look at the email, see who the sender is, go to the website and “ask” the website whether that sender is authorized to send on its behalf. If Gmail gets a “yes” reply, all is well.

What is DKIM?
The DomainKeys Identified Mail system goes a step further. Here is DKIM as a simple five-step process.

  1. The sender does some additions and subtractions on the binary ones and zeroes of the email contents and creates a code called a “hash”.
  2. This “hash” is then encrypted with a secret key. The encrypted code is sent along with the email.
  3. Email providers like Gmail look at the email and also compute a “hash” of its contents.
  4. Gmail then sees which website/domain the email claims to come from and asks that domain for a “key” (hence the word “domain-keys”). The encrypted code sent in the email is unlocked with this key.
  5. If the unlocked code (which is the original “hash”) and the “hash” computed by Gmail are the same, Gmail can be sure that all is well. If not, there is a possibility that someone has either tampered with the email or that the email was not really sent by the website.

If SPF and DKIM fail, why not just junk the email?
Well, email systems are complex. Say you run a website called Save the Tiger. You would like your office email on mycompany.com addresses but want the world to see save-the-tiger.com addresses. You use the Juvlon.com service to send out a nice HTML email to your readers, so the sender now becomes Juvlon.com. Also imagine that you come across a good deal from a prominent newspaper and they decide to send an email about save-the-tiger to their readers. The email’s From name comes as save-the-tiger but the sender is the newspaper. And what if you wanted to run a campaign in the USA to generate funds to save the tiger? You get the drift: there could be many legitimate senders. How would you know that someone was actually using your From name to collect donations on a separate website from unsuspecting people? How will Gmail know which email to trust and which to junk?

So what is this new thing called DMARC?
It is one more step above DKIM. Let’s say both SPF and DKIM fail for an email. What is Gmail to do? Junk it? And how does it inform the website concerned? DMARC solves this.

With DMARC, a website can declare that it is using SPF and/or DKIM. The website can now tell Gmail what to do if neither of those authentication methods passes, such as junk or reject the email. With DMARC, Gmail can also send an email to the website owner whenever email authentication fails. Ah! That’s good news, isn’t it?

So what does one have to do for all this?
Just like SPF and DKIM, with DMARC you have to publish a record in your website’s DNS. They are all TXT records.

How do they look?

SPF record looks like this:
“v=spf1 mx include:juvlon.com ~all”

What Gmail reads from this: if the email comes from save-the-tiger.com’s own mail servers (the mx term), accept the email (obviously), and if it comes from juvlon.com (the include term), accept it as well. Everything else, please treat with suspicion (~all).

DKIM record looks like this:


What Gmail reads from this: I have to get the “keys” from save-the-tiger.com and unlock the secret code in the b= field.

DMARC record looks like this:

What Gmail reads from this: if neither SPF nor DKIM checks out, reject 100% of the emails, and when rejecting, send a mail to postmaster@save-the-tiger.com.
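As an added example (not code from the post), here is how a receiver could parse the SPF record quoted above and a DMARC record, and then apply the DMARC policy to a message whose SPF and DKIM checks failed. The DMARC record text is an assumption: it is constructed to match the description above (reject 100%, report to postmaster@save-the-tiger.com), since the post’s own record is not shown.

```python
# The SPF record is the one quoted in the post. The DMARC record is a constructed
# sample matching the post's description (reject 100%, report to postmaster);
# it is not taken from the post.
SPF_RECORD = "v=spf1 mx include:juvlon.com ~all"
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@save-the-tiger.com"

# What each SPF qualifier prefix means for a sender matched by that term.
QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism) pairs plus the result
    that the catch-all 'all' term assigns to every other sender (None if absent)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_result = [], None
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means 'pass'
        if term[0] in QUALIFIER_MEANING:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_result = QUALIFIER_MEANING[qualifier]   # '~all' -> softfail
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_result


def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict; require v=DMARC1 and a valid p=."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def report_addresses(tags):
    """Aggregate-report recipients from the rua= tag (comma-separated mailto: URIs)."""
    return [u.strip()[len("mailto:"):] for u in tags.get("rua", "").split(",")
            if u.strip().startswith("mailto:")]


def dmarc_disposition(tags, spf_aligned_pass, dkim_aligned_pass):
    """DMARC passes if either SPF or DKIM passes AND the domain it authenticated
    matches (aligns with) the From: header domain; otherwise p= decides."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver", "quarantine": "junk", "reject": "reject"}[tags["p"]]
```

Note that the inputs to `dmarc_disposition` are the aligned results: an SPF pass for juvlon.com does not count for a From: address at save-the-tiger.com unless the domains align.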

Hope this post was helpful.