DMARC Explained

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol. A DMARC record shows that the sender’s domain is protected by SPF and DKIM policies. When an email is sent from that domain and fails either of these authentication tests, DMARC tells the receiving server how it should handle that email.

SPF, DKIM and DMARC

SPF is responsible for checking that the email sender has the authority to send emails from the domain that the message is coming from. DKIM ensures that the message has not been altered along the way. DMARC is then the set of rules that determines what happens to emails that fail either of these measures.

Your DMARC record provides a recommendation to the receiving server of how to process an email if it has failed one of these checks. The recommendation could be to quarantine the email, to delete it, or to send it anyway. DMARC does not make the decision on its own; the recommendation is written into a record by the owner of the domain or, in many cases, IT personnel.

Let’s say a scammer called Rick is sending an email containing a fake invoice to your customer, Mark. Rick is able to make it look as if the email came from your domain and, therefore, your organization, and Mark doesn’t know that. Then you send out an email to Mark. Rick intercepts it and changes the message entirely, adding in his fake invoice, before sending it on to the unsuspecting Mark.

Luckily for you, your organization has SPF and DKIM in place, allowing Mark’s servers to verify the authenticity of these messages. The first message fails the SPF check and the second fails the DKIM check. Your DMARC record is then in place to advise Mark’s email server to delete these emails before they reach his inbox.

The DMARC Record

The image above is an example of a DMARC record. The text ‘p=quarantine’ advises email servers to quarantine any emails from your domain that fail SPF or DKIM checks. Another important element is rua=example@email.com. The rua= tag specifies the email address that DMARC reports should be sent to.

DMARC Reporting

DMARC analyzes the reasons emails fail SPF and DKIM and sends a report providing details on messages that failed security measures and where they came from. These are sent daily in the form of an API report in an email attachment. As a result, the reports are largely ignored, as they arrive so frequently and are difficult to digest.

Our free email deliverability tool will process these reports and clearly display where issues were picked up by SPF and DKIM on a dashboard. We unzip the files and store the information in a database, allowing you to log in and access the reporting dashboards.

The tool makes it easier for IT departments to access and interpret DMARC reports, enabling them to better configure the email deliverability system.
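
What processing one of these reports involves, as an added example that is not the tool described above: aggregate reports follow the XML layout defined in RFC 7489, and this Python code tallies SPF and DKIM failures per sending IP address. It assumes the attachment has already been decompressed; the sample report, its domain, addresses and counts are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; the domain,
# addresses and counts are made up for illustration.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>5</count><policy_evaluated>
    <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.3</source_ip><count>3</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Return (published policy, per-source-IP tallies) for one report."""
    # Reports come from outside parties: refuse DTDs before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    tallies = defaultdict(lambda: dict(messages=0, spf_fail=0, dkim_fail=0, acted_on=0))
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count", default="0"))
        entry = tallies[row.findtext("source_ip")]
        entry["messages"] += count
        if row.findtext("policy_evaluated/spf") != "pass":
            entry["spf_fail"] += count
        if row.findtext("policy_evaluated/dkim") != "pass":
            entry["dkim_fail"] += count
        # disposition records what the receiver actually did with the mail
        if row.findtext("policy_evaluated/disposition") in ("quarantine", "reject"):
            entry["acted_on"] += count
    return policy, dict(tallies)


def sources_to_review(report_xml):
    """Source IPs with any SPF or DKIM failure, highest failing volume first."""
    _, tallies = summarize(report_xml)
    flagged = [(ip, max(t["spf_fail"], t["dkim_fail"]))
               for ip, t in tallies.items() if t["spf_fail"] or t["dkim_fail"]]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT)[0], sources_to_review(SAMPLE_REPORT))
```

A source that appears in `sources_to_review` with high volume is either a legitimate sender missing from your SPF or DKIM setup or someone else using your domain, which is the distinction the report exists to surface.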

Benefits of DMARC

Deliverability: When you authenticate the emails that you send, they are easily identified as being trustworthy and get delivered to the desired inbox. Fraudulent emails sent from your domain don’t get delivered and don’t harm your domain’s reputation.

Security: You can be confident that your brand’s email domain isn’t sending spam, fraudulent or malicious emails.

Reporting: Visibility into who is using your domain to send out emails.