DMARC is an open email authentication protocol designed to protect email senders and recipients from malicious activities, such as phishing, spoofing, and email impersonation. It enables domain owners to specify how email messages that claim to be sent from their domain should be handled if they fail authentication checks.
How Does DMARC Work?
A DMARC record tells receiving mail servers how to handle incoming emails that claim to be from a specific domain but fail SPF and/or DKIM authentication checks. The sender domain owner publishes the DMARC record in the domain’s DNS.
- When an email is received, the receiving server checks the DNS for a DMARC record on the sender’s domain.
- The server then performs SPF and DKIM authentication:
  - SPF checks if the sending server’s IP is authorized to send emails for the domain.
  - DKIM verifies the cryptographic signature in the email header against a public key published in DNS.
- DMARC introduces the concept of alignment:
  - For SPF, the domain in the “envelope from” address must match the domain in the “header from” address (either strictly or in a relaxed way).
  - For DKIM, the domain in the DKIM signature (“d=” tag) must match the “header from” domain.
- If either SPF or DKIM passes (and aligns), the message passes DMARC.
- If both fail or are misaligned, the DMARC policy is applied:
  - The message can be delivered, quarantined (sent to spam), or rejected (not delivered at all), depending on the DMARC policy set by the domain owner.
- The receiving server sends reports (aggregate and/or forensic) to the addresses specified in the DMARC record, providing visibility into email activity and authentication results.
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It consists of tag-value pairs that define the DMARC policy and reporting options. Here are the most common parameters.
v: Version of the DMARC protocol (must be DMARC1) [Mandatory]
p: Policy that receiving servers should apply to emails that fail DMARC (none, quarantine, reject) [Mandatory]
rua: Address to send aggregate (summary) reports to
ruf: Address to send forensic (detailed failure) reports to
pct: Percentage of messages to which the policy applies (0-100, default 100)
sp: Policy for subdomains (if different from the main domain policy)
adkim: DKIM alignment mode: strict (s) or relaxed (r, default)
aspf: SPF alignment mode: strict (s) or relaxed (r, default)
fo: Forensic options, which determine when forensic reports are sent:
  0: Generate a forensic report if both SPF and DKIM fail.
  1: Generate a forensic report if either SPF or DKIM fails.
  d: Generate a forensic report if DKIM fails.
  s: Generate a forensic report if SPF fails.
Example of DMARC record: v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@yourdomain.com; ruf=mailto:dmarc-afrf@yourdomain.com; pct=100
- This record tells receivers to reject emails that fail DMARC, send aggregate and forensic reports to the specified addresses, and apply the policy to all (100%) emails.
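As an added example (not code from the original article), the following Python parses a DMARC TXT record like the one above into its tags and then applies the alignment and policy rules from the list above to a single message. The domain names and authentication results are constructed sample data, and organizational-domain matching for relaxed alignment is approximated with the last two DNS labels rather than a public-suffix list.

```python
# Added example (not from the original article): parse a DMARC TXT record
# and apply the alignment/policy evaluation described above to one message.
# Domain names and authentication results below are constructed sample data.

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing mandatory p= tag")
    return tags

def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def evaluate(record: dict, header_from: str, spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_d: str, is_subdomain: bool = False) -> dict:
    """Return the DMARC result and the disposition a receiver should apply."""
    spf_ok = spf_pass and aligned(spf_domain, header_from, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, header_from, record.get("adkim", "r"))
    if spf_ok or dkim_ok:           # one aligned pass is enough
        return {"dmarc": "pass", "disposition": "none"}
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return {"dmarc": "fail", "disposition": policy}

# Constructed record for example.com (mirrors the article's example record).
RECORD = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@example.com; "
                     "ruf=mailto:dmarc-afrf@example.com; pct=100")

# Constructed message: DKIM is signed by a third-party provider's domain (not
# aligned), but SPF passes for bounce.example.com, which aligns in relaxed mode.
RESULT = evaluate(RECORD, "example.com", spf_pass=True, spf_domain="bounce.example.com",
                  dkim_pass=True, dkim_d="mailprovider.net")
print(RESULT)
```

The pct sampling and report generation from the record are not modelled; a real receiver would also apply pct before enforcing the disposition.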
DMARC is a critical protocol for modern email security, enabling domain owners to specify how unauthenticated emails should be handled, receive detailed reports, and protect their domain from abuse. By leveraging SPF and DKIM and publishing a DMARC policy in DNS, organizations can significantly reduce the risk of email-based attacks, improve deliverability, and gain valuable visibility into their email ecosystem. Major Email Service Providers (ESPs) like Google, Yahoo, and Microsoft have made it mandatory for domain owners to implement email authentication protocols like DMARC, SPF, and DKIM to improve email security and prevent fraudulent activities.