DMARC Explained

Domain-based Message Authentication, Reporting, and Conformance helps domain owners prevent email spoofing on their domains.

v=DMARC1; p=reject; rua=mailto:example@example.com

Example of a DMARC record with a "reject" policy and an email address for receiving reports.

The above is a typical DMARC record. It tells receivers that the domain owner wants unauthenticated email rejected, and its rua tag names an address that collects aggregate reports on which messages are passing or failing.
DMARC records are published in DNS as TXT records under the name _dmarc.yourdomain.com.
When no DMARC record is published, email receivers have no policy to apply and accept unauthenticated (spoofed) emails claiming to be from your domain. Without authentication, a receiving mail server cannot tell whether an email is legitimately from your organization or not.

Email Authentication

For an email to be authenticated, it must pass either SPF or DKIM and be aligned.
  • Sender Policy Framework: The email must be sent from an IP address authorized in the SPF record of the envelope sender (MAIL FROM) domain.
  • DomainKeys Identified Mail: The email must carry a valid cryptographic signature made with the private key whose public key is published in the signing domain's DKIM record.
If one of those checks passes, and the domain that passed (the SPF envelope-sender domain or the DKIM signing domain) matches, i.e. is aligned with, the domain in the message's From header, then the email is considered DMARC authenticated.
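As an added illustration (not code from this page or from any mail software), the following Python parses a DMARC TXT record like the one above and applies the pass/fail rule just described: either SPF or DKIM must pass, and the passing domain must align with the From domain. It assumes relaxed alignment by default and approximates the organizational domain with the last two labels instead of consulting the Public Suffix List.

```python
"""Added example: DMARC record parsing plus the SPF-or-DKIM-with-alignment
check. Illustrative code only; the organizational-domain helper is an
approximation (no Public Suffix List)."""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.
    'v' must be the first tag and 'p' must be present and valid."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags.get("v") != "DMARC1":
        raise ValueError("missing or misplaced v=DMARC1 tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p tag missing or invalid")
    return tags


def org_domain(domain):
    # Approximation: last two labels (real receivers use the PSL)
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record, from_domain, spf, dkim):
    """spf = (result, envelope-from domain); dkim = (result, d= domain).
    Returns 'pass' if either check passed AND is aligned with the From
    domain; otherwise returns the disposition requested by the p tag."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

Note that a passing SPF or DKIM check for an unrelated domain does not help: without alignment the message falls through to the published policy.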