DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol designed to protect domains from unauthorized use, such as email spoofing and phishing attacks. It builds on two existing technologies—SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)—to verify the authenticity of emails and provides domain owners with a way to specify how unauthenticated emails should be handled.
Authenticates: It checks if an email passes SPF or DKIM (or both).
Aligns: It verifies that the email’s "From" address aligns with the domain used in SPF/DKIM.
Instructs: It tells receiving servers what to do if the email fails authentication (allow, quarantine, or reject).
Reports: It sends reports to you about who’s sending emails using your domain.
_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; sp=none; adkim=s; aspf=s"
Breakdown:
v=DMARC1: Version.
p=reject: Policy for failed emails (none, quarantine, or reject).
rua=mailto:...: Address to receive aggregate reports.
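sp=none: Subdomain policy (here none, so failing mail that uses a subdomain in its "From" address is only monitored, even though p=reject applies to the main domain).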
adkim=s: DKIM alignment (strict).
aspf=s: SPF alignment (strict).
DMARC integrates with:
SPF: Allows domain owners to define which mail servers are authorized to send emails on their behalf.
DKIM: Attaches a digital signature to emails, enabling recipients to confirm the email’s content hasn’t been altered.
Using these, DMARC enables domain owners to publish a policy in their DNS records. This policy instructs receiving mail servers on what to do if an email fails SPF or DKIM checks. The policy options are:
None: Monitor the email without taking action (used for reporting only).
Quarantine: Treat the email as suspicious (e.g., send it to the spam folder).
Reject: Block the email entirely.
Email Security: Prevents phishing and spoofing by ensuring only authenticated emails are trusted.
Policy Enforcement: Gives domain owners control over how unauthenticated emails are handled.
Reporting: Provides feedback to domain owners about email authentication results, helping them monitor and improve their email setup.
By leveraging SPF and DKIM, DMARC enhances email security, protects a domain’s reputation, and ensures emails reach their intended recipients safely. It’s a vital tool for organizations looking to combat email-based threats and maintain trust with their audience.
Protects your brand from spoofed emails.
Improves deliverability by proving you're a legitimate sender.
Gives visibility into who's using your domain to send email.
A DMARC policy is the part of your DMARC DNS record that tells email receivers what to do with messages that fail SPF and/or DKIM checks.
You set the policy using the p= tag in your DMARC record:
p=none
Do nothing — just monitor.
Good for testing and collecting reports.
Emails that fail still get delivered.
p=quarantine
Treat failing emails as suspicious.
Usually sent to the recipient’s spam/junk folder.
p=reject
Reject emails that fail DMARC.
The receiving server won’t deliver them at all.
Example record with p=quarantine:
_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
none = monitor only
quarantine = send to spam
reject = block entirely
Start with none, monitor the reports, then move to quarantine or reject as you gain confidence.
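The evaluation described above, as an added example that is not part of the original page: it parses the two records shown on this page and applies alignment, the p= policy and the sp= subdomain policy to constructed messages. The function names and the two-label organizational-domain shortcut are assumptions; real receivers use the Public Suffix List.

```python
# Added example, not from the original page.
# Assumption: the organizational domain is the last two DNS labels; real
# receivers consult the Public Suffix List instead.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; reject malformed records."""
    tags = {}
    for part in filter(str.strip, txt.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def org_domain(domain):
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, policy_domain, from_domain, spf, dkim):
    """spf = (result, envelope-sender domain); dkim = (result, d= domain).
    Returns ("pass", None) or ("fail", policy_to_apply)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough for DMARC to pass
        return ("pass", None)
    # sp= governs subdomains of the domain that published the record
    is_sub = from_domain.lower().rstrip(".") != policy_domain.lower().rstrip(".")
    return ("fail", tags.get("sp", tags["p"]) if is_sub else tags["p"])

# Records copied from the page; the messages below are constructed samples.
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; sp=none; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    msg = ("pass", "bounce.example.com"), ("fail", "example.com")
    print(evaluate(STRICT, "example.com", "example.com", *msg))
    print(evaluate(RELAXED, "example.com", "example.com", *msg))
    print(evaluate(STRICT, "example.com", "news.example.com",
                   ("fail", "news.example.com"), ("none", "")))
```

The same SPF-passing message fails under strict alignment and passes under the relaxed default, and the third message shows sp=none leaving a failing subdomain message in monitor-only mode despite p=reject.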