
What is DMARC?

If you are here, you either know about DMARC or want to learn more about DMARC email protection.

So, let’s take a tour of the DMARC-protected email world.

What Is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From”) domain name, published policies that tell the recipient how to handle authentication failures, and reporting from receivers to senders, to improve and monitor the protection of the domain from fraudulent email.

Email authentication technologies (SPF and DKIM) were developed over a decade ago in order to provide greater assurance about the identity of the sender of a message. Use of these technologies keeps increasing, but the problem of fraudulent and fake emails still exists. In principle, if a sender uses these technologies, it should be easy for email receivers to differentiate fraudulent messages from real, legitimate emails. Unfortunately, it has not worked that way for a number of reasons:


Why is email protection important?

  • Many senders have a complex email environment with many systems that send email, often including 3rd party service providers. It is a complex task to make sure that every message passes SPF or DKIM authentication.
  • When some of a sender's messages can be authenticated and others cannot, email receivers are left to differentiate between real and fake messages themselves. By nature, spam algorithms are error-prone and need to constantly evolve to respond to the changing tactics of spammers.
  • Senders get very poor feedback on their mail authentication deployments. Unless messages bounce back to the sender, there is no way to determine how many legitimate messages are being sent that cannot be authenticated. The scope of the fraudulent emails that are spoofing the sender’s domain is also unknown. This makes troubleshooting mail authentication issues very hard, particularly in complex mail environments.
  • Even if you send only legitimate messages and have a fully authenticated mail infrastructure, email receivers are still wary of rejecting unauthenticated messages, because they cannot be sure that there is not some stream of legitimate messages going out unsigned.

Have you ever thought about how much personal data you have shared online?



DMARC advantages

The only way these problems can be addressed is when senders and receivers share information with each other. Receivers inform senders about their mail authentication infrastructure, while senders tell receivers what to do if a message is not legitimate.

In 2007, PayPal pioneered this approach and worked out a system with Yahoo! Mail and later Gmail to collaborate in this fashion. The results were extremely effective, leading to a significant decrease in suspected fraudulent email purported to be from PayPal being accepted by these receivers.

The goal of DMARC is to build on this collaboration between senders and receivers, improving the mail authentication practices of senders and enabling receivers to reject unauthenticated messages.

DMARC fits into an organization’s existing inbound email authentication process. It helps email receivers determine whether the purported message “aligns” with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle the “non-aligned” messages. For example, assuming that a receiver deploys SPF and DKIM, plus its own spam filters, the flow may look something like this:



In the example above, testing for alignment with DMARC is applied at the same point where ADSP would be applied in the flow. All other tests remain unaffected.

At a high level, DMARC satisfies the following requirements:

  • Minimize false positives.
  • Provide robust authentication reporting.
  • Assert sender policy at receivers.
  • Reduce successful phishing delivery.
  • Work at Internet scale.
  • Minimize complexity.

It is important to know that DMARC builds upon two protocols: DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF). DMARC replaces ADSP by adding support for:

  • wildcarding or subdomain policies,
  • non-existent subdomains,
  • slow rollout (e.g. percent experiments)
  • SPF
  • quarantining mail

Did you know? 85% of consumers will not do business with a company if they have concerns about its security practices.

Anatomy of a DMARC resource record in the DNS

DMARC policies are published in the DNS as TXT resource records (RR) and announce what an email receiver should do with non-aligned mail it receives.

Consider an example DMARC TXT RR for the domain “” that reads:

"v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]"

In this example, the sender requests the receiver to reject all non-aligned messages and to send a report, in a specified aggregate format, about the rejections to a specified address. If the sender is testing its configuration, it can replace “reject” with “quarantine”. A quarantine policy does not tell the receiver to reject the message outright, but the message may be sent to the spam folder.

DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM. The following chart illustrates some of the available tags:

| Tag Name | Purpose | Sample |
|----------|---------|--------|
| v | Protocol version | v=DMARC1 |
| pct | Percentage of messages subjected to filtering | pct=20 |
| ruf | Reporting URI for forensic reports | ruf=mailto:[email protected] |
| rua | Reporting URI of aggregate reports | rua=mailto:[email protected] |
| p | Policy for organizational domain | p=quarantine |
| sp | Policy for subdomains of the OD | sp=reject |
| adkim | Alignment mode for DKIM | adkim=s |
| aspf | Alignment mode for SPF | aspf=r |


Note: The examples in this chart are illustrative only and should not be relied upon in lieu of the specification. Please refer to the specification page for the most up-to-date and accurate version.
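The tag-value syntax above can be checked mechanically before a record is published. The following is an added example, not code from the original page: a small Python parser that applies the defaults from RFC 7489 and flags common mistakes. The function name `parse_dmarc` and the sample records (using `example.com` addresses) are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # defaults per RFC 7489

def parse_dmarc(txt):
    """Return (effective_tags, problems) for one DMARC TXT record string."""
    tags, problems = {}, []
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag: {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if name in tags:
            problems.append(f"duplicate tag: {name}")
            continue
        tags[name] = value
    # The version tag must come first, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if tags.get(mode, "r") not in ("r", "s"):
            problems.append(f"{mode} must be r or s")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if tags.get("p") in VALID_POLICIES and "rua" not in tags:
        problems.append("warning: no rua, so no aggregate reports will arrive")
    effective = {**DEFAULTS, **tags}
    effective.setdefault("sp", effective.get("p"))  # subdomains inherit p
    return effective, problems

# Constructed sample records (addresses are placeholders).
GOOD = '"v=DMARC1;p=reject;pct=100;rua=mailto:dmarc-reports@example.com"'
BAD = "p=rejct; v=DMARC1; pct=150"
MONITOR_NO_RUA = "v=DMARC1; p=none"

if __name__ == "__main__":
    for record in (GOOD, BAD, MONITOR_NO_RUA):
        print(record, "->", parse_dmarc(record)[1] or "ok")
```

The third sample shows a mistake that is easy to miss during the monitoring phase: a `p=none` record without `rua` is valid but produces no aggregate reports.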


How Senders Deploy DMARC in 5 Easy Steps

DMARC is based on real-world experience by some of the world’s largest email senders and receivers deploying SPF and DKIM. The specification takes into account the fact that it is impossible for an organization to flip a switch to production. There are a number of built-in methods for “throttling” the DMARC processing, so that all parties can ease into full deployment over time.

  1. Deploy DKIM & SPF. You have to cover the basics.
  2. Ensure that your mailers are correctly aligning the appropriate identifiers.
  3. Publish a DMARC record with the “none” flag set for the policies, which requests data reports.
  4. Analyze the data and modify your mail streams as appropriate.
  5. Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience.
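The alignment test described earlier and the “throttling” used during rollout can be seen together in the following added example, which is not code from the original page. It is a simplified Python model of the receiver's decision. The names `org_domain`, `aligned` and `disposition`, the sample tags and the domains are constructed, and the organizational domain is assumed to be the last two labels, whereas real receivers use the Public Suffix List.

```python
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def disposition(from_domain, spf, dkim, tags, sample):
    """Return the receiver's action for one message.

    spf and dkim are (result, authenticated_domain) pairs from the earlier
    checks. tags is the DMARC record found at the organizational domain,
    as a dict. sample is a per-message number in 0..99 compared with pct.
    """
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass"
    name = from_domain.lower().rstrip(".")
    is_subdomain = name != org_domain(name)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if sample >= int(tags.get("pct", "100")):
        policy = STEP_DOWN[policy]  # outside the pct sample: one step weaker
    return policy

# Constructed policy for a sender halfway through its rollout.
TAGS = {"p": "reject", "sp": "quarantine", "pct": "50", "adkim": "s", "aspf": "r"}

if __name__ == "__main__":
    # A third-party mailer passes SPF and DKIM for other domains: not aligned.
    third_party = ("pass", "mailer.example.net"), ("pass", "mail.example.com")
    print(disposition("example.com", *third_party, TAGS, sample=10))  # reject
    print(disposition("example.com", *third_party, TAGS, sample=75))  # quarantine
```

The third-party case is the one that usually surfaces in step 4: the message authenticates, but for a domain that does not align with the “From” domain, so it is treated as a failure.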

Once you know in detail what DMARC is, it is easy for you to protect your email from phishing.

