DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect domains from unauthorized use, such as phishing and email spoofing. It builds on two other authentication mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to ensure that emails claiming to come from a specific domain are genuinely sent from authorized sources.
What Is DMARC?
Domain-based message authentication, reporting, and conformance (DMARC) operates as an overarching layer on top of SPF and DKIM. SPF checks whether a message originates from an IP address authorized by the domain owner, while DKIM confirms the presence of a valid cryptographic signature linked to the sending domain.
DMARC requires that at least one of these checks pass and that the domain involved in the check aligns with the domain in the visible From field. Strict alignment dictates an exact match between the domain in the From header and the authenticating domain, whereas relaxed alignment permits subdomain matches as well.
SPF is evaluated by examining the Return-Path domain against a list of permissible IP addresses, and DKIM is validated by confirming that the signature in the email headers has been signed by the legitimate sending domain. DMARCโs alignment rule ensures that a message is considered authentic only if the From address matches or is a subdomain of the domain verified by SPF or DKIM. When a message fails alignment, even if it technically passes SPF or DKIM under a different domain, DMARC treats that message as failing the protocolโs requirements.
Domain owners publish a DMARC policy record in their DNS under the label _dmarc.<domain>. This record includes parameters such as the DMARC version (v=DMARC1), the policy directive (p=none, quarantine, or reject), and reporting addresses (rua for aggregate reports, ruf for forensic reports). When an incoming message fails DMARC checks, receiving mail servers are instructed to apply the policy specified by the domain owner. DMARCโs reporting feature also provides domain owners with valuable feedback about unauthorized use of their domains, authentication success rates, and potential misconfigurations.
How Does DMARC Work?
DMARC works by bridging SPF and DKIM checks with domain alignment requirements. The authentication process occurs when a receiving mail server inspects an incoming email.
The server performs the following checks:
- SPF check. The server checks if the domain owner authorizes the sending IP address.
- DKIM check. The server verifies if the email has a valid cryptographic signature that matches the domain specified in the โd=โ tag of the DKIM signature header.
- Alignment verification. The server confirms that the domains used in the From header align with either the domain used in the SPF check or the DKIM signing domain.
If the message fails one or both of the SPF and DKIM checks, or if the domain alignment requirement is not satisfied, DMARC instructs the receiving server to handle the message according to the domain ownerโs specified policy.
DMARC also enables the sending of reports back to the domain owner, which fosters improved monitoring and analysis of fraudulent email activities.
What Is DMARC Domain Alignment?
DMARC domain alignment refers to the requirement that the domain in the From header matches (or aligns with) the domain specified in SPF and DKIM.
Two forms of alignment exist:
- Strict alignment. The domain in the From header must exactly match the domain in the Return-Path header (for SPF) or the โd=โ tag in the DKIM signature.
- Relaxed alignment. The domain in the From header and the domain in the Return-Path or DKIM โd=โ tag share the same parent domain.
Domain alignment ensures that the perceived sender domain in the email header is the same as, or is a subdomain of, the domain used by the authenticating mechanisms. Alignment is crucial because it prevents cybercriminals from claiming a domain in the visible From field that differs from the authenticating domain.
What Is A DMARC Record?
A DMARC record is a DNS TXT record that the domain owner publishes. This record specifies the domainโs DMARC policy and includes key details needed by mail receivers when they conduct DMARC checks.
A standard DMARC record includes:
- v. The DMARC version (DMARC1).
- p. The DMARC policy (None, Quarantine, or Reject).
- rua. The address or addresses to which aggregate reports are sent.
- ruf. The address or addresses to which forensic reports are sent (if used).
- adkim and aspf. Indicators for strict or relaxed alignment for DKIM and SPF.
- pct. The percentage of failing messages to which the policy applies.
The DMARC record lives in the domainโs DNS under the label _dmarc.<domain>. For example, _dmarc.example.com. A valid DMARC record is necessary to instruct mail receivers how to handle email that fails authentication and how to provide feedback to the domain owner.
What Are DMARC p=policies?
DMARC leverages a โp=โ tag in the DNS TXT record to determine how receiving mail servers treat messages that fail both SPF (or fail SPF alignment) and DKIM (or fail DKIM alignment).
None
A p=none policy instructs the receiving mail server to apply no special handling to failing messages. Messages that fail DMARC checks are delivered normally unless local server rules override this behavior. Domain owners use this policy when they want to monitor DMARC results without affecting mail flow.
Quarantine
A p=quarantine policy instructs the receiving mail server to mark failing messages as suspicious. This approach often places the messages in the recipientโs spam or junk folder. Quarantine allows domain owners to protect their recipients from potential phishing or spoofing attempts, while still permitting delivery to a spam folder rather than outright rejection.
Reject
A p=reject policy instructs the receiving mail server to reject messages at the SMTP level if they fail DMARC authentication. This practice drops the messages entirely, preventing them from reaching any recipient mailbox. Domain owners frequently deploy a reject policy after thoroughly analyzing DMARC reports and ensuring that all legitimate emails are already passing authentication checks.
What Is a DMARC Report?
A DMARC report is an email-generated summary or detailed notification that receiving mail servers send to the domain owner in accordance with the addresses specified in the DMARC record. Reports provide insights into email sending sources, authentication results, and domain usage patterns. Two main types of DMARC reports exist.
Aggregate Reports
Aggregate reports encapsulate statistical data on DMARC authentication results for a domain. These reports include:
- Information on sending IP addresses that used the domain.
- The total number of messages processed.
- The count of messages passing or failing SPF and DKIM checks.
- Policy actions (such as None, Quarantine, or Reject) applied by receivers.
Aggregate reports usually arrive daily (or at another interval determined by the receiving system) in an extensible markup language (XML) format. Domain owners analyze these reports to identify unauthorized IPs sending emails using their domain, monitor legitimate traffic sources, and adjust their email authentication configurations accordingly.
Forensic Reports
Forensic reports, also called failure reports, contain detailed information about individual email messages that fail DMARC evaluation. These reports are sent immediately when a failure occurs.
Forensic reports typically include samples of original message headers and other potentially sensitive details, which helps domain owners investigate specific incidents of failed authentication. Some organizations choose to minimize or disable forensic reports due to privacy or data handling concerns.
DMARC Benefits
Here are the benefits of implementing DMARC:
- Protection against spoofing. DMARC prevents malicious actors from using a legitimate domain in the visible From header of fraudulent emails.
- Enhanced deliverability. Properly configured DMARC enhances email deliverability by indicating that the domain fully complies with authentication standards, which builds trust with ISPs and receiving mail services.
- Visibility and accountability. DMARC reports provide actionable insights into email traffic, sending IP addresses, and authentication failures. These insights allow domain owners to track suspicious sources and enforce accountability.
- Consistency with industry standards. DMARC aligns with widely recognized frameworks such as SPF and DKIM, which promotes consistent practices for email authentication and reduces the prevalence of phishing attacks.
- Stronger brand reputation. Adoption of DMARC showcases a commitment to email security and protects a brandโs identity by mitigating phishing attempts that exploit legitimate domains.
