
DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What is a DMARC or DMARC policy?

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps establish the authenticity of an email. It builds on top of the existing SPF and DKIM protocols. A DMARC policy tells receiving servers how SPF and DKIM results are to be evaluated for the sending domain and what action to take when those authentication checks fail. It acts as an additional layer of security.

What is the purpose of DMARC?

A DMARC policy's primary purpose is to tell the receiving server what authentication methods are in place for the sender's domain and what actions to take if the expected authentications fail. It also helps the sender stay informed about who is sending emails on their behalf. Here are the benefits of publishing a DMARC policy.

Domain protection

By stating clearly what authentications you have in place for your domain, you can protect recipients from email attacks like spoofing and phishing, where someone sends mail that pretends to come from your domain.

Better deliverability

Having a DMARC policy in place can boost your sender reputation among email service providers (ESPs), which will give you better deliverability in the long run.

Feedback loop

A DMARC policy also informs the recipient server where to send consolidated and failure reports for your domain. This allows you to stay informed about who is trying to send emails on your behalf and whether the emails pass authentication.

How does DMARC work?

  1. You (the domain owner) publish a DMARC policy as a DNS TXT record. Here is an example of what a DMARC record looks like.

    v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; pct=100; sp=reject; adkim=s; aspf=s;

    Here's what the fields mean:
    • v: The version of the DMARC policy.
    • p: The policy the sender asks receivers to apply when an email fails DMARC. It can be none, quarantine, or reject.
    • rua: The email address to which consolidated (aggregate) reports should be sent.
    • ruf: The email address to which failure reports should be sent.
    • pct: The percentage of emails to which the DMARC policy should be applied.
    • sp: The policy for emails from subdomains (if it differs from the main domain's policy).
    • adkim: The DKIM alignment mode. It can be “s” for strict or “r” for relaxed.
    • aspf: The SPF alignment mode. It can be “s” for strict or “r” for relaxed.
  2. Email servers check incoming messages claiming to be from your domain.
    • Is the message authenticated using SPF or DKIM?
    • Does the domain in the From: header match the domain that SPF or DKIM authenticated (called alignment)?
  3. Servers apply your DMARC policy to unauthenticated emails.
    • None: Take no action, just monitor.
    • Quarantine: Treat the message as suspicious, for example by sending it to the spam folder.
    • Reject: Block the message entirely.
  4. Receivers then send DMARC reports to you so you can analyze who’s sending email on your behalf and whether those messages pass authentication.
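The four steps above, as an added example that is not part of the original glossary entry: a small receiver-side evaluator that parses the record shown in step 1 and applies alignment (adkim/aspf), the subdomain policy (sp) and sampling (pct). The organizational-domain shortcut and the `sample` parameter are simplifying assumptions; real validators use the Public Suffix List and a random draw.

```python
def parse_dmarc(record: str) -> dict:
    """Split a TXT record such as 'v=DMARC1; p=quarantine; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:  # v and p are mandatory
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    real validators consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the default) accepts the
    same organizational domain, e.g. mail.example.com vs example.com."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, policy_domain, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False, sample=0):
    """Return (dmarc_pass, disposition). policy_domain is where the record was
    published, from_domain is the From: header domain, spf_domain/dkim_domain are
    what SPF (MAIL FROM) and DKIM (d=) actually authenticated, and sample stands
    in for the receiver's random draw in [0, 100) that pct is compared against."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain and
                  aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain and
                   aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "none"  # one aligned pass is enough for DMARC to pass
    policy = tags["p"]
    if from_domain.lower() != policy_domain.lower():  # subdomain: sp= wins if present
        policy = tags.get("sp", policy)
    if sample >= int(tags.get("pct", "100")):  # outside the pct sample: next weaker action
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


# The record from step 1 above, published at example.com.
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:dmarc-failures@example.com; pct=100; sp=reject; adkim=s; aspf=s;")
```

With adkim=s, a DKIM signature with d=mail.example.com does not align with a From: example.com message, so the message is quarantined; switching the record to adkim=r makes the same message pass.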