DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol that builds on SPF and DKIM to provide domain-level protection against spoofing and phishing. It allows domain owners to define how receiving mail servers should handle emails that fail authentication checks and provides visibility through reporting.
DMARC works by aligning the visible “From” domain with the domains used in SPF and DKIM authentication. If alignment passes and at least one authentication method succeeds, the message is considered valid. If both fail or are misaligned, the receiving server follows the policy defined by the domain owner, which can be none, quarantine, or reject.
In addition to enforcement, DMARC enables reporting through aggregate and forensic reports. These reports provide insight into how a domain is being used across email systems, including legitimate sources and unauthorised activity. This visibility is critical for managing sender reputation and securing email infrastructure.
Advanced
DMARC introduces the concept of identifier alignment, which ensures that the domain used in SPF or DKIM matches the domain visible to the recipient. Alignment can be strict or relaxed depending on configuration. This prevents attackers from passing authentication using unrelated domains.
Policies are defined in DNS using a TXT record at _dmarc.domain.com. The policy tag (p) determines enforcement behaviour, while additional tags such as rua and ruf define reporting endpoints. Advanced configurations may include percentage-based enforcement (pct), subdomain policies (sp), and failure options (fo).
Successful DMARC deployment requires coordination across all sending services, including internal mail servers, marketing platforms, and third-party systems. Any misconfiguration can lead to legitimate emails being rejected. A gradual rollout from none to quarantine and eventually reject is a common approach to minimise disruption.
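The alignment and policy rules above, worked through in code as an added example (not part of the original text or of any DMARC library): it parses a DMARC TXT record, checks strict and relaxed identifier alignment for SPF and DKIM, and returns the disposition the receiving server should apply. The tiny public-suffix list is a constructed stand-in for the real Public Suffix List, and SPF/DKIM verification is assumed to have already been done by the receiver.

```python
# Constructed stand-in for the Public Suffix List (assumption: these suffixes only),
# used to find the organizational domain for relaxed alignment.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    # Defaults from RFC 7489: relaxed alignment, sp inherits p, pct of 100
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain: the label directly left of the public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record: str, record_domain: str, from_domain: str,
                 spf: tuple, dkim: list) -> str:
    """Decide the DMARC outcome for one message.
    record_domain: where the TXT record was found (_dmarc.<record_domain>)
    from_domain:   the visible RFC5322.From domain
    spf:           (MAIL FROM domain, 'pass'|'fail')
    dkim:          [(d= domain, 'pass'|'fail'), ...] for each signature
    Returns 'pass' or the policy to apply: none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = spf[1] == "pass" and aligned(from_domain, spf[0], tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags["adkim"])
                  for d, res in dkim)
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain of the record's domain falls under sp; the domain itself under p
    return tags["sp"] if from_domain.lower() != record_domain.lower() else tags["p"]
```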
Relevance
- Prevents domain spoofing and phishing attacks
- Provides visibility into email authentication activity
- Improves email deliverability and sender reputation
- Enables policy-based control over message handling
Applications
- Enforcing email authentication across all outbound systems
- Monitoring domain usage through aggregate reports
- Blocking unauthorised email sources
- Aligning SPF and DKIM with visible sender domains
Metrics
- DMARC pass and fail rates
- Percentage of aligned versus non-aligned messages
- Volume of unauthorised sending attempts
- Email deliverability and rejection rates
Issues
- Misalignment causing legitimate email rejection
- Incomplete SPF or DKIM configuration impacting compliance
- Lack of monitoring leading to undetected abuse
- Remaining on a none policy, which provides no enforcement
Example
A company publishes a DMARC record with a reject policy after validating all legitimate sending sources. When attackers attempt to send spoofed emails using the company’s domain, receiving servers reject the messages. At the same time, DMARC reports provide visibility into attempted abuse and confirm that legitimate systems are correctly aligned.
