What is DMARC? | EasyDMARC


If you are here, you either know about DMARC or want to learn more about DMARC email protection.

So, let’s take a tour of the DMARC-protected email world.

What Is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols. It adds linkage to the author (“From:”) domain name, published policies that tell the recipient how to handle authentication failures, and reporting from receivers to senders, all to improve and monitor the protection of the domain from fraudulent email.

Email authentication technologies (SPF and DKIM) were developed over a decade ago in order to provide greater assurance about the identity of the sender of a message. Adoption of these technologies keeps increasing, but the problem of fraudulent and fake emails still exists. In principle, if a sender uses these technologies, it should be simple for email receivers to differentiate fraudulent messages from real, legitimate ones. Unfortunately, it has not worked that way for a number of reasons.

Why is email protection important?

  • Email senders usually have a complex email environment. They often use several systems to send email, including 3rd party service providers.
  • Making sure that every message passes the SPF or DKIM authentication is a complex task.
  • By nature, spam algorithms are error-prone and need to constantly evolve to respond to the changing tactics of spammers.
  • When some of a sender’s messages can be authenticated and others cannot, email receivers have to differentiate between real and fake messages themselves.
  • Senders get very poor feedback on their mail authentication deployments. Unless messages bounce back to the sender, there is no way to determine how many legitimate messages there are. The scope of the fraudulent emails that are spoofing the sender’s domain is also unknown. This makes troubleshooting mail authentication issues very hard, particularly in complex mail environments.
  • Even if you send only legitimate messages and have an authenticated mail infrastructure, email receivers will still be wary of rejecting unauthenticated messages, because they cannot be sure that there is no stream of legitimate messages going out unsigned.


What are the advantages of DMARC?

The only way these problems can be addressed is when senders and receivers share information with each other. Receivers inform senders about their mail authentication infrastructure, while senders tell receivers what to do if a message is not legitimate.

In 2007, PayPal pioneered this approach and worked out a system with Yahoo! Mail and later Gmail to collaborate in this fashion. The results were extremely effective, leading to a significant decrease in suspected fraudulent email purported to be from PayPal being accepted by these receivers.

The key thing to know about DMARC is that it builds collaboration between senders and receivers, improving senders’ mail authentication practices and enabling receivers to reject unauthenticated messages.

DMARC fits into an organization’s existing inbound email authentication process. It helps email receivers determine whether the purported message “aligns” with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle the “non-aligned” messages. For example, assuming that a receiver deploys SPF and DKIM, plus its own spam filters, the flow may look something like this:

[Figure: DMARC deployment flow]

In the example above, testing for alignment with DMARC is applied at the same point where ADSP would be applied in the flow. All other tests remain unaffected.
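The alignment test in that flow can be sketched as follows. This is an added example, not code from the original page or from EasyDMARC; the two-label organizational-domain rule, the function names and the sample domains are assumptions made for illustration.

```python
# Added example (not from the original page): receiver-side DMARC alignment.

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. "co.uk").
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode "s" = strict (exact match); "r" = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).
    DMARC passes when at least one mechanism both passes and aligns."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return spf_ok or dkim_ok

def disposition(passed, policy):
    """What the domain owner's published policy asks the receiver to do."""
    if passed or policy == "none":
        return "deliver"  # still subject to the receiver's own spam filters
    return policy         # "quarantine" or "reject"

# Constructed sample messages: (From domain, SPF result, DKIM results)
SAMPLES = {
    "own subdomain bounce": ("example.com", ("pass", "bounce.example.com"), []),
    "third-party sender, unaligned": (
        "example.com", ("pass", "mail.esp.test"), [("pass", "esp.test")]),
    "third-party sender, DKIM signed as example.com": (
        "example.com", ("pass", "mail.esp.test"), [("pass", "example.com")]),
}

def evaluate_samples(policy="reject", aspf="r", adkim="r"):
    return {name: disposition(dmarc_pass(f, spf, dkim, aspf, adkim), policy)
            for name, (f, spf, dkim) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

The second sample shows why third-party senders need care: SPF and DKIM both pass, but for a domain that does not align with the “From” domain, so DMARC still fails.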

At a high level, DMARC satisfies the following requirements:

  • Minimize false positives.
  • Provide robust authentication reporting.
  • Assert sender policy at receivers.
  • Reduce successful phishing delivery.
  • Work at Internet scale.
  • Minimize complexity.

It is important to know that DMARC builds upon two protocols: DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). DMARC replaces ADSP by adding support for:

  • wildcarding or subdomain policies,
  • non-existent subdomains,
  • slow rollout (e.g. percent experiments)
  • SPF
  • quarantining mail

Did you know? 85% of consumers will not do business with a company if they have concerns about its security practices.

What are DMARC Records and Policies?

DMARC policies are published in the DNS as TXT resource records (RR) and announce what an email receiver should do with non-aligned mail it receives.

Consider an example DMARC TXT RR for the domain “sender.dmarcdomain.com” that reads:

"v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]"

In this example, the sender requests that the receiver reject all non-aligned messages and send a report, in a specified aggregate format, about the rejections to a specified address. If the sender is testing its configuration, it can replace “reject” with “quarantine”. A quarantine policy does not reject the message outright, but can send it to the spam folder.

DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM. The following chart illustrates some of the available tags:

| Tag Name | Purpose | Sample |
|----------|---------|--------|
| v | Protocol version | v=DMARC1 |
| pct | Percentage of messages subjected to filtering | pct=20 |
| ruf | Reporting URI for forensic reports | ruf=mailto:[email protected] |
| rua | Reporting URI of aggregate reports | rua=mailto:[email protected] |
| p | Policy for organizational domain | p=quarantine |
| sp | Policy for subdomains of the OD | sp=reject |
| adkim | Alignment mode for DKIM | adkim=s |
| aspf | Alignment mode for SPF | aspf=r |

Note: The examples in this chart are illustrative only and should not be relied upon in lieu of the specification. Please refer to the specification page for the most up-to-date and accurate version.
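To make the tag-value syntax concrete, here is a small parser and sanity check for a DMARC record. It is an added example, not code from the original page or from EasyDMARC; the function names, the wording of the findings and the sample reporting address are assumptions, and only the tags from the chart above are checked.

```python
# Added example (not from the original page): parse and audit a DMARC record.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ";"
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def audit(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    first = txt.strip().strip('"').split(";")[0].replace(" ", "")
    if first != "v=DMARC1":
        return ["v=DMARC1 must be the first tag"]
    tags, findings = parse_dmarc(txt), []
    p = tags.get("p")
    if p not in POLICIES:
        findings.append(f"missing or invalid p: {p!r}")
    if tags.get("sp", "none") not in POLICIES:
        findings.append(f"invalid sp: {tags['sp']!r}")
    pct = tags.get("pct", "100")          # pct defaults to 100
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"invalid pct: {pct!r}")
    elif int(pct) < 100 and p in ("quarantine", "reject"):
        findings.append(f"{p} applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports will not be sent")
    for mode in ("adkim", "aspf"):        # r = relaxed (default), s = strict
        if tags.get(mode, "r") not in ("r", "s"):
            findings.append(f"invalid {mode}: {tags[mode]!r}")
    return findings

def effective_policy(tags, is_subdomain):
    """sp applies to subdomains and falls back to p when absent."""
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

# Constructed sample record (the reporting address is a placeholder)
SAMPLE = "v=DMARC1; p=quarantine; sp=reject; pct=20; rua=mailto:dmarc-reports@example.com"
```

Running `audit(SAMPLE)` flags that the quarantine policy covers only 20% of failing mail, which is expected during a staged rollout but should not be left in place permanently.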

How Senders Deploy DMARC in 5 Easy Steps

DMARC is based on the real-world experience of some of the world’s largest email senders and receivers in deploying SPF and DKIM. The specification takes into account the fact that it is impossible for an organization to flip a switch to production. There are a number of built-in methods for “throttling” the DMARC processing so that all parties can ease into full deployment over time.

    1. Deploy DKIM & SPF. You have to cover the basics.
    2. Ensure that your mailers are correctly aligning the appropriate identifiers.
    3. Publish a DMARC record with the “none” flag set for the policies, which requests data reports.
    4. Analyze the data and modify your mail streams as appropriate.
    5. Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience.


Various authors from EasyDMARC teams have contributed to our blog during the company's lifetime. This author brings everyone together.
