Domain-based Message Authentication, Reporting and Conformance (DMARC) is a technical specification designed to reduce the potential for email-based abuse by solving operational, deployment and reporting issues related to email authentication protocols. DMARC ensures that legitimate email is properly authenticated against established DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards, and that fraudulent activity appearing to come from domains under your organization's control (active sending domains, non-sending domains and defensively registered domains) is blocked.
DMARC is the first widely deployed technology that can make the Header From (which is visible in email clients) trustworthy. Two key values of it are domain alignment and reporting.
DMARC's alignment feature prevents spoofing of the header From address by:
- Matching the header From domain name with the envelope From domain name used during an SPF check
- Matching the header From domain name with the d= domain name in the DKIM signature
To pass DMARC, your email must pass either or both of the following:
- SPF authentication and SPF alignment
- DKIM authentication and DKIM alignment
A message will fail DMARC if it fails both SPF and SPF alignment and DKIM and DKIM alignment.
DMARC allows you to instruct mailbox providers on how to handle unauthenticated email through a DMARC policy, which removes any guesswork on how mailbox providers should handle messages that fail DMARC authentication. Through your DMARC policy, you can require mailbox providers to:
- Monitor all mail, to understand your brand's email authentication ecosystem, and to ensure that legitimate mail is authenticating properly without interfering with the delivery of messages that fail DMARC.
- Quarantine messages that fail DMARC (for example, move them to the spam folder).
- Reject messages that fail DMARC (for example, do not deliver the mail at all).
Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving you visibility into what messages are authenticating, what messages are not and why.
