DMARC Explained
Goal of DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a tool for domain owners to prevent email spoofing and phishing. By publishing a DMARC record in their DNS, domain owners can specify what to do with unauthenticated emails (e.g. quarantine or reject them) and where to send reports about email authentication results.
DMARC Record
DMARC records are published as TXT records on your domain under the record name _dmarc.yourdomain.com. An example DMARC record might look like this:

v=DMARC1; p=none; rua=mailto:example@example.com

| Tag | Value | Description |
|---|---|---|
| v | DMARC1 | Version: Identifies the record as a DMARC record. Must always be DMARC1. This is a required tag. |
| p | none | Policy: Requested handling policy for messages that fail DMARC authentication. This is a required tag. |
| rua | mailto:example@example.com | Aggregate Reports (rua): Email addresses to receive daily aggregate DMARC reports. These reports provide statistics about authentication results for your domain. Format: mailto:address@domain.com. Multiple addresses can be comma-separated. |
You can check if your domain has a DMARC record here:
Check Domain for DMARC
How DMARC Works
- Publish DMARC Record: Domain owners publish a DMARC record in their DNS specifying the desired policy and reporting addresses.
- Email Sent: When an email is sent from a domain with DMARC configured, the receiving mail server checks the email against the DMARC policy.
- Authenticate Email: The receiving mail server checks the email's SPF and DKIM authentication results to see if they align with the domain's DMARC policy.
- Apply DMARC Policy: Based on the DMARC policy (none, quarantine, reject), the receiving server decides how to handle the email.
- Send Reports: The receiving server generates aggregate reports detailing the authentication results and sends them to the specified "rua" email address in the DMARC record.
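
The steps above as an added Python example (not part of the original page): it parses a record like the one shown earlier and returns the receiver's handling decision for one message. The function names and the `deliver` label are assumptions made for illustration; the pass rule (either SPF or DKIM passing in alignment with the From domain is enough) follows RFC 7489.

```python
# Added example: parse a DMARC TXT record and apply its policy.
# Function names and the "deliver" label are hypothetical, chosen for illustration.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record string into a dict; raise ValueError if invalid."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    # v is required, must come first, and must be exactly DMARC1
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    record = dict(tags)
    # p is required and limited to the three policies
    policy = record.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    record["p"] = policy
    # rua is optional: comma-separated mailto: addresses, as in the table above
    rua = [u.strip() for u in record.get("rua", "").split(",") if u.strip()]
    if any(not u.lower().startswith("mailto:") for u in rua):
        raise ValueError("rua entries must be mailto: URIs")
    record["rua"] = rua
    return record


def disposition(record, spf_aligned_pass, dkim_aligned_pass):
    """Return what the receiver does with one message under this record."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"  # DMARC passes if either mechanism passes and aligns
    # DMARC failed: apply the published policy (p=none requests no special handling)
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[record["p"]]
```

Under `p=none` a failing message is still delivered, so the aggregate reports sent to the `rua` address are the only signal that spoofed mail is being seen.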