Cyber Security. 21.05.21

A closer look at how DMARC works

This blog is Part 2 in our 3-part series on DMARC email security.

In Part 1, we explored the foundations of DMARC and how it builds on SPF and DKIM to secure your email domain. 

Now that you know the basics of Domain-Based Message Authentification Reporting and Conformance (DMARC), it's time to take a closer look at its workflow in email security, and the various components involved. The main goal of DMARC is to prevent your company's email domain from being used for email spoofing, phishing scams and other cybercrimes. 

Understanding the DMARC Email Validation Workflow

The workflow of DMARC involves the receiving email gateway validating the SPF record of the sending domain and validating the DKIM signature of the sending domain.

The below figure shows standard DMARC architecture and email workflow. Every email sent will be associated with the email server IP Address and DKIM signature of the organisation.

DMARC Prcoess

How DMARC Validates Email

  • The receiving email server would decrypt the email and figure out the sender domain, senders email server address and senders DKIM signature in the Header.
  • The receiving email server would look for the SPF record of the sending email server domain and match the IP Address of the email server.
  • Once the IP address of the sending email server matches the SPF record, it would be tagged as SPF Complaint.
  • The email server then looks for the DKIM signature record of the sending email server domain.
  • The private key associated with the email is matched with the public key of the sending email server.
  • If the keys match, the receiving email server will tag the email as DKIM compliant.
  • The receiving email server would look into the DMARC complaint policy and take action accordingly.
  • If the DMARC complaint policy is rejected and the SPF/DKIM is not compliant, then the email would be rejected by the receiving email server.
  • If the DMARC compliant policy is quarantine and the SPF/DKIM is not compliant with the receiving email, it would be quarantined by the receiving email gateway.
  • If the DMARC compliant policy is none, no action is taken by the receiving email gateway and the email is delivered to the recipient.

DMARC is a powerful tool when implemented correctly and plays a crucial role in mitigating most of the cybercrime happening in the email security world. Read the final part in our series to learn how to master email security with DMARC.


If you liked this article, you may also like:

Red Teaming: getting down to basics

Red Teaming and the origins of anonymous hacking

What do you do after a data breach

Author

David Bingham

David Bingham is Security Sales Manager for The Missing Link’s Southern Region, where he leads with energy, empathy and a love of complex problem-solving. Known for blending strategic thinking with a passion for people, David creates space for his team—and clients—to thrive. He’s all about building trust, tackling cyber security challenges head-on, and keeping the conversation real (and fun). Whether he’s in a high-rise talking strategy or behind the decks as Melbourne techno DJ Obsessive Behaviour, David brings the same sharp focus, infectious energy and creative spark to everything he does.