Domain-based Message Authentication, Reporting and Conformance (DMARC)

Security Glossary - Email Authentication

Definition: DMARC is an email authentication protocol that builds on SPF and DKIM by adding a policy layer and reporting mechanism. The DMARC record (a TXT record at _dmarc.yourdomain.com) tells receiving servers what to do with emails that fail SPF and DKIM alignment checks: monitor (none), quarantine, or reject them.

Why DMARC Is Important

DMARC is the enforcement mechanism that makes SPF and DKIM actionable. Without DMARC, receiving servers may accept emails that fail SPF or DKIM without any consequences. DMARC gives domain owners the power to instruct receivers to quarantine or reject unauthorized emails.

The alignment requirement is key to DMARC's effectiveness. DMARC checks that the domain in the From header (what the user sees) is aligned with either the SPF-authenticated domain (the envelope MAIL FROM / Return-Path domain) or the DKIM signing domain (the d= tag of the signature). Only an aligned pass counts, so an attacker cannot pass SPF with their own envelope domain while putting your domain in the From header.

DMARC also provides valuable reporting. Aggregate reports (rua) show which servers are sending email using your domain, including both legitimate services and unauthorized senders. This visibility is essential for identifying all your legitimate email sources before moving to an enforcing policy (quarantine or reject). Start with p=none to collect data, then gradually move to p=quarantine and eventually p=reject.
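The aggregate reports described above arrive as XML. The following added example (not code from DomainOptic or from this glossary) parses one and lists every source IP that sent mail with your domain in the From header, marking which ones never passed aligned SPF or DKIM. The report is constructed to follow the RFC 7489 aggregate-report layout; the organisation names, IPs and counts are made up for illustration.

```python
"""Summarise a DMARC aggregate (rua) report: which IPs send as the domain,
and which of them fail aligned authentication.

Added example. SAMPLE_REPORT is a constructed report in the RFC 7489
aggregate-report format, not a real one."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <email>noreply-dmarc@receiver.example.net</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown.example</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> dict:
    """Return the published policy plus one entry per source IP."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {"domain": pub.findtext("domain"), "policy": pub.findtext("p"), "sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* SPF/DKIM verdicts; DMARC passes
        # when either aligned identifier passes.
        aligned_dkim = ev.findtext("dkim") == "pass"
        aligned_spf = ev.findtext("spf") == "pass"
        auth = rec.find("auth_results")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "dmarc_pass": aligned_dkim or aligned_spf,
            # raw (unaligned) results show *why* a source failed, e.g. a third-party
            # service passing SPF for its own domain instead of yours
            "raw_spf_domain": auth.findtext("spf/domain") if auth is not None else None,
            "raw_dkim_domain": auth.findtext("dkim/domain") if auth is not None else None,
            "disposition": ev.findtext("disposition"),
        })
    return summary


def failing_sources(summary: dict) -> list:
    """Sources that used the domain in From: but never passed aligned auth, largest first."""
    return sorted((s for s in summary["sources"] if not s["dmarc_pass"]),
                  key=lambda s: -s["count"])


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(f"domain={report['domain']} published p={report['policy']}")
    for src in failing_sources(report):
        print(f"{src['ip']:>15} {src['count']:>5} msgs  raw SPF domain: {src['raw_spf_domain']}")
```

In the constructed data, 198.51.100.7 is the typical "legitimate but unaligned" case (a bulk-mail provider passing SPF under its own envelope domain) that must be fixed before moving past p=none, while 203.0.113.99 passes nothing at all.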

Configuration Reference

DMARC Tag   Purpose                      Example
v           Version (required)           v=DMARC1
p           Policy (required)            p=reject
rua         Aggregate report URI         rua=mailto:dmarc@example.com
ruf         Forensic report URI          ruf=mailto:forensic@example.com
pct         Percentage to apply policy   pct=100
adkim       DKIM alignment mode          adkim=s (strict)
aspf        SPF alignment mode           aspf=r (relaxed)
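To make the tags above and the alignment rule concrete, here is an added example (not DomainOptic's checker and not code from this glossary) that parses a DMARC TXT record, applies the defaults, and then evaluates a message the way a receiver would: aligned SPF or aligned DKIM gives a pass; otherwise the p= policy applies to pct percent of failing mail and the next-weaker policy to the rest. Two assumptions are labelled in the code: the organisational domain is approximated by the last two labels instead of the Public Suffix List, and the pct sampling draw is passed in as a parameter so the result is reproducible.

```python
"""Parse a DMARC record and evaluate a message against it.

Added example. Simplifications (marked ASSUMPTION below): organisational
domain = last two labels rather than the Public Suffix List; the pct
sampling draw can be supplied explicitly instead of being random."""
import random

REQUIRED_TAGS = ("v", "p")
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = ("none", "quarantine", "reject")
# when a failing message falls outside the pct sample, the next-weaker policy applies
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, validate, and fill defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            raise ValueError(f"missing required tag {tag}")
    if tags["v"] != "DMARC1":
        raise ValueError("v must be DMARC1")
    if tags["p"] not in POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("alignment mode must be 'r' (relaxed) or 's' (strict)")
    pct = int(tags["pct"])
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    tags["pct"] = pct
    return tags


def org_domain(domain: str) -> str:
    # ASSUMPTION: last two labels stand in for a Public Suffix List lookup
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organisational domain."""
    if not auth_domain:
        return False
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(policy: dict, header_from: str, spf_domain: str, spf_result: str,
             dkim_domain: str, dkim_result: str, sample: int = None) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= tag of the verified signature. sample is the receiver's 0..99 draw
    used for pct (ASSUMPTION: injectable; real receivers draw it randomly)."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    draw = random.randrange(100) if sample is None else sample
    if draw < policy["pct"]:
        return "fail", policy["p"]
    return "fail", FALLBACK[policy["p"]]


if __name__ == "__main__":
    pol = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r")
    # forwarded mail: SPF breaks, but an aligned DKIM signature still passes DMARC
    print(evaluate(pol, "example.com", "fwd.example.net", "fail", "example.com", "pass"))
    # spoof: SPF passes for the attacker's own envelope domain, nothing aligned
    print(evaluate(pol, "example.com", "example.org", "pass", None, "none", sample=0))
```

The two checks in `evaluate` mirror the glossary's point: SPF passing for some other domain is not enough, and with adkim=s a signature from mail.example.com does not align with example.com even though it would under the relaxed default.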

Checking Your Setup

A DNS health checker validates your DMARC record syntax and policy. It checks alignment with your SPF and DKIM records. Start monitoring with p=none and an rua address to collect reports before enforcing. Move to p=reject once you are confident all legitimate senders are authenticated.


In Practice

The UK government mandated DMARC for all gov.uk domains starting in 2016. After implementing p=reject across government domains, they blocked over 500 million spoofed emails in the first year. The success led to DMARC becoming a requirement for U.S. federal agencies under BOD 18-01.

Common Questions About DMARC

What DMARC policy should I start with?
Start with v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com to collect data without affecting email delivery. Analyze the aggregate reports to identify all legitimate senders, then move to p=quarantine, raising pct from 25% to 50% to 100%, and finally to p=reject.
Will DMARC reject affect legitimate email?
It can, if legitimate email services are not properly authenticated with SPF and DKIM. This is why you must start with p=none and analyze reports. Only move to reject after confirming all legitimate sources pass DMARC alignment checks.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.