DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that provides instructions, via a DMARC policy published in DNS, to ISPs and other email receivers about how to handle unauthenticated mail. It was originally designed to detect and prevent email spoofing.
DMARC leverages two existing email authentication protocols (SPF & DKIM) to help email receivers determine the authenticity of a message and whether to deliver the message to the inbox, block the message, or place the message in quarantine or spam based on policy values that have been set by the sender.
Here is an example of a DMARC record one might find in DNS (it is published as a TXT record at the _dmarc subdomain of the sending domain, here _dmarc.emarsys.com):
- v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@emarsys.com
The main purpose of DMARC is to set a policy. This policy contains the action that should take place when unauthenticated mail from this domain is received. The options are to do nothing (p=none), put the mail in a Spam folder (p=quarantine) or block the message (p=reject). With p=none the domain is only monitored, and with p=quarantine a spoofed message still reaches the recipient's spam folder; only the reject policy fully protects a domain. The pct tag (100 in the example above) is the percentage of failing messages the policy is applied to, which allows a gradual roll-out from none to quarantine to reject.
By themselves, DKIM and SPF can be vulnerable: anyone can buy a domain, publish an SPF record for it and sign mail with a DKIM key for it, and then send a message whose visible From: header shows a completely different domain. SPF and DKIM will both pass, because neither of them looks at the From: header. DMARC ties the results of the DKIM and SPF checks to the domain found in the From: header, which is called alignment.
Alignment helps to avoid spoofing of the From: domain by matching the domain used in the From: header with the d=sender.domain.com tag in the DKIM signature, and by matching the From: domain to the "envelope from" (MAIL FROM / Return-Path) domain that SPF was evaluated against. Alignment can be relaxed (the default, adkim=r / aspf=r), where the two domains only need to share the same organizational domain, for example mail.example.com and example.com, or strict (adkim=s / aspf=s), where the domains must be identical.
To pass DMARC, a message must pass at least one of the two checks in full: SPF authentication together with SPF alignment, or DKIM authentication together with DKIM alignment. A DKIM pass for an unrelated domain, or an SPF pass for a non-aligned envelope domain, does not count.
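The record parsing and the pass/fail rule described above, as an added example that is not part of the original page. It parses the tag=value pairs of a DMARC record, applies the relaxed and strict alignment modes, and decides the DMARC result from the SPF and DKIM outcomes. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the domains in the usage section are constructed, not real senders:

```python
"""DMARC record parsing and policy evaluation (illustrative, RFC 7489 semantics)."""

# Constructed stand-in for the Public Suffix List: only the suffixes this
# example needs. A real evaluator must use the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a dict of tags, filling in RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record (v= must come first)")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # apply policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= unless set
    return tags


def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.example.co.uk -> example.co.uk (longest public suffix + 1)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i == 0 is the full name, so the
        suffix = ".".join(labels[i:])     # first hit is the longest suffix
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])          # unknown TLD: fall back to last two labels


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(policy: dict, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """DMARC passes if (SPF pass AND aligned) OR (DKIM pass AND aligned).

    spf_domain is the envelope MAIL FROM domain SPF was checked against;
    dkim_domain is the d= value of the DKIM signature that verified.
    pct= sampling is not modelled: every failing message gets the p= action.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    # Constructed record and domains, not a real deployment.
    policy = parse_dmarc_record("v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@example.com")
    # Legitimate bulk mail: SPF envelope domain is a bounce domain that does not
    # align, but the DKIM signature is for the From: domain, so DMARC passes.
    print(evaluate_dmarc(policy, "example.com", "pass", "bounce.mailer.net", "pass", "example.com"))
    # Spoof: attacker's own domain passes SPF and DKIM, nothing aligns with From:.
    print(evaluate_dmarc(policy, "example.com", "pass", "attacker.net", "pass", "attacker.net"))
```

The second call shows the case the text warns about: both SPF and DKIM return pass, yet the message fails DMARC and is rejected, because the authenticated identifiers belong to attacker.net while the From: header says example.com. Switching aspf or adkim to "s" in the record also makes mail from a subdomain such as mail.example.com fail alignment, which is worth checking before tightening a production record.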
The second function of DMARC is reporting: it lets ISPs and other receivers send the domain owner reports about authentication success or failure for its domain. Those reports go to the addresses defined in the "rua" tag (aggregate reports: periodic XML summaries of sending IPs, message counts and SPF/DKIM/alignment results) and the "ruf" tag (forensic or failure reports: per-message copies of failing mail, which many large receivers no longer send for privacy reasons). The aggregate reports are what make a safe move from p=none to p=reject possible, because they reveal every legitimate sending source that is not yet aligned.