What is DMARC

What is DMARC

11 August, 2020

What is DMARC ?

DMARC, which stands for “Domain-based Message Authentication, Reporting  & Conformance” is an email authentication policy and reporting protocol. DMARC is a protocol that uses Sender Policy Framework SPF  and DomainKeys identified mail  DKIM to determine the authenticity of an email message. DMARC requires both SPF and DKIM to fail in order for it to act on a message. DMARC extends previously established authentication standards for email and is the only way for email senders to tell email receivers that emails they are sending are truly from them. DMARC allows companies that send email to:

  • Authenticate all legitimate email messages and sources for their email-sending domains including messages sent from your own infrastructure as well as those sent by 3rd parties.

  • Gain intelligence on their email streams by letting them know who is sending mail from their domains. This data helps companies to not only identify threats against their customers but also discover legitimate senders that they may not even be aware of.

  • Publish an explicit policy that instructs mailbox providers what to do with email messages that are probably authentic. These messages can either be sent to a junk folder or rejected outright protecting unsuspecting recipients from exposure to attacks.


How Does DMARC Work?

DMARC ensures that legitimate email is properly authenticated against established DKIM and SPF standards.

Senders can either:

  • Monitor all mail to understand their brand’s email ecosystem without impacting the delivery of messages that fail DMARC.

  • Quarantine messages that fail DMARC and redirect them to a spam folder.

  • Reject messages that fail DMARC and divert them entirely from an inbox.


DMARC’s alignment feature prevents spoofing of the “header from” address by:


  • Matching the “header from” domain name with the “envelope from” domain name used during an SPF check

  • Matching the “header from” domain name with the “d=domain name” in the DKIM signature

To pass DMARC a message must pass SPF authentication and SPF alignment and DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.

Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving them visibility into what messages are authenticating, what messages are not.


What is a DMARC record?

A DMARC record is the core of a DMARC implementation in which the DMARC record rule sets are defined. This DMARC record informs email receivers if a domain is set up for DMARC. If so the DMARC record contains the policy which the domain owner wants to use. In essence a DMARC record a DNS (Domain Name Service) entry. One can start using DMARC by implementing a DMARC DNS record. This DMARC record will be used by email receivers who have adopted DMARC. This will result in keeping track of all the messages which have been sent to your domain taking your DMARC policy into account.

The bottom line is that this will empower the organization publishing the DMARC record to instruct how non-compliance should be handled. The messages can be monitored and delivered moved to the junk folder or rejected.


DMARC policies:

  • P=NONE

Under this policy, the email receiver does not take any action if emails fail DMARC authentication. Emails are simply sent into the receiver’s inbox while the domain owner gets the information of spoofed emails with the DMARC report data. 


Here, email receivers are instructed to inspect emails that have failed the DMARC authorization. The email is delivered into either junk or spam folder. Although the policy entirely depends upon how the user sets it. 


This policy indicates that all the emails that have failed any of the parameters are rejected and restricted from being sent to the receiver. In any case, if a user wishes to change any policy it might take days to regenerate new policies. 


Parts of a DMARC policy

Each part of the policy is defined as follows:

  • dmarc: identifies the TXT record as a DMARC policy.

    • v=DMARC1 indicates the version of DMARC used.

  • p=quarantine: is the policy action.

    • none: Do nothing/reporting only

    • quarantine: Treat the mail as spam

    • reject: Refuse mail that fails DKIM and SPF

  • rua= identifies the destination for the aggregate reports.

  • pct=100 specifies how much traffic should be subject to policy validation.


DMARC Reports:

As we saw in the previous section, the reports can be two different types: aggregated and forensics. Those reports help you ensure that you are properly authenticating your outbound emails. You can check out the difference between both of them below.

  • Aggregate Reports

They are XML documents showing data about the messages received that claimed to be from a particular domain. Those reports are meant to be machine-readable.

  • Forensic reports

These are individual copies of messages which failed authentication, each enclosed in a full email message using a special format called AFRF. Those reports are easily read by a person, too. The information that those reports could contain is:

  • Subject line

  • Time when the message was received

  • IP information

  • Authentication results

    • SPF result

    • DKIM result

    • DMARC result

  • From domain information

    • From address

    • Mail from address

    • DKIM from address

  • Message ID

  • URLs

  • Delivery result

What was the applied policy, the message could be rejected if there’s a reject policy in place, or quarantined, or delivered because of a none policy.

  • ISP information

Now we know how a DMARC works, how it looks, and what information it provides. We’re pretty certain you already know how useful this could be for you. But let’s see all advantages in the next section.

Request Your Complimentary Domain Analysis