DMARC Explained

Goal of DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a tool for domain owners to prevent email spoofing and phishing. By publishing a DMARC record in their DNS, domain owners can specify what to do with unauthenticated emails (e.g. quarantine or reject them) and where to send reports about email authentication results.

DMARC Record

DMARC records are published as TXT records on your domain under the record name _dmarc.yourdomain.com. An example DMARC record might look like this:

v=DMARC1; p=none; rua=mailto:example@example.com

The tags in this record:

  • v (value: DMARC1) - Version: Identifies the record as a DMARC record. Must always be DMARC1. This is a required tag.
  • p (value: none) - Policy: Requested handling policy for messages that fail DMARC authentication. This is a required tag.
      • none: Take no specific action, only generate reports (monitoring mode)
      • quarantine: Mark as spam or treat as suspicious
      • reject: Reject the message entirely
  • rua (value: mailto:example@example.com) - Aggregate Reports: Email addresses to receive daily aggregate DMARC reports. These reports provide statistics about authentication results for your domain. Format: mailto:address@domain.com. Multiple addresses can be comma-separated.

How DMARC Works

  1. Publish DMARC Record: Domain owners publish a DMARC record in their DNS specifying the desired policy and reporting addresses.
  2. Email Sent: When an email is sent from a domain with DMARC configured, the receiving mail server checks the email against the DMARC policy.
  3. Authenticate Email: The receiving mail server checks the email's SPF and DKIM authentication results and whether the authenticated domains align with the "From:" header domain, as DMARC requires.
  4. Apply DMARC Policy: Based on the DMARC policy (none, quarantine, reject), the receiving server decides how to handle the email.
  5. Send Reports: The receiving server generates aggregate reports detailing the authentication results and sends them to the specified "rua" email address in the DMARC record.

Alignment

Email authentication protocols like SPF and DKIM verify that an email was sent from an authorized source. However, these protocols alone do not ensure that the email's "From:" header (the address visible to users) is aligned with the authenticated domain.
This issue arises because SPF and DKIM can each authenticate a domain that differs from the one in the "From:" header.
  • SPF: SPF authenticates the domain in the Return-Path (envelope sender) header, which can differ from the "From:" header.
  • DKIM: DKIM authenticates the domain specified in the d= tag of the DKIM signature, which can also differ from the "From:" header.
DMARC builds on SPF and DKIM by adding the concept of alignment. For an email to pass DMARC, at least one of the following must be true:
  1. SPF Alignment: The domain in the Return-Path header must match (or be a subdomain of) the "From:" header domain.
  2. DKIM Alignment: The domain in the DKIM signature's d= tag must match (or be a subdomain of) the "From:" header domain.
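The following is an added example, not code from the original page: it parses a DMARC record and evaluates the two alignment rules above against constructed SPF/DKIM results for a message. It assumes the simplified "same domain or subdomain" alignment rule as described above (real relaxed alignment compares organizational domains using the Public Suffix List), and the domain names in the samples are constructed.

```python
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 and p= are the two required tags
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("missing required v=DMARC1 or p= tag")
    return tags


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Simplified alignment (assumption): the authenticated domain equals the
    From: domain or is a subdomain of it."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f)


@dataclass
class AuthResult:
    from_domain: str   # domain in the visible From: header
    spf_domain: str    # Return-Path (envelope sender) domain checked by SPF
    spf_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature
    dkim_pass: bool


def evaluate_dmarc(record: str, r: AuthResult) -> tuple:
    """Return (dmarc_pass, disposition): DMARC passes if SPF or DKIM both
    passed AND is aligned; otherwise the p= policy is the disposition."""
    tags = parse_dmarc(record)
    spf_aligned = r.spf_pass and aligned(r.spf_domain, r.from_domain)
    dkim_aligned = r.dkim_pass and aligned(r.dkim_domain, r.from_domain)
    passed = spf_aligned or dkim_aligned
    return passed, ("deliver" if passed else tags["p"])


# Constructed samples: a legitimate message, a bulk sender passing only via
# DKIM, and a message whose SPF/DKIM pass for an unrelated third-party domain.
LEGIT = AuthResult("example.com", "mail.example.com", True, "example.com", True)
ESP = AuthResult("example.com", "bounce.esp.invalid", True, "example.com", True)
UNALIGNED = AuthResult("example.com", "third-party.invalid", True, "third-party.invalid", True)
```

Note that UNALIGNED passes both SPF and DKIM for its own domain yet still fails DMARC, which is exactly the gap alignment closes.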