Domain-based Message Authentication, Reporting and Conformance (DMARC) is the third of three key Internet standards that enable email authentication (the others are SPF and DKIM). DMARC builds on the earlier standards by requiring alignment between the visible ‘From’ header and the usually invisible ‘Return-Path’ or ‘DKIM’ signature in the headers of each message.
DMARC also enables domain name owners to provide handling instructions — such as pass, quarantine, or reject — for unauthenticated messages. And it adds a reporting mechanism for receivers to provide domain name owners with information about emails sent on their behalf.
How it Works
- Domain name owners publish DMARC records to the Domain Name System (DNS).
- When an email receiver gets a message, it searches DNS for published DMARC, DKIM, and SPF records to verify that the sender is authorized to use the domain address in the ‘From’ field.
- If a DMARC record exists but the message fails the tests, the receiving mail server follows the instructions in the DMARC policy to deliver, quarantine, or reject the message.
- The receiver sends regular aggregate reports to domain owners, usually daily, detailing information about the number of emails sent using their domain, their authentication status, whether the messages were delivered or not, and which IP addresses those messages originated from.
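The receiver-side steps above, as an added Python example that is not part of the original page: it parses a published DMARC record, checks whether a passing SPF or DKIM result aligns with the ‘From’ domain, and applies the policy. It assumes SPF and DKIM verification results are already known, approximates the organizational domain by the last two labels (real receivers use the Public Suffix List), and uses constructed sample messages, field names, and domains.

```python
# Added example: simplified receiver-side DMARC evaluation, not a full RFC 7489 implementation.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; None if it is not a usable record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (real receivers use the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(msg, record):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "deliver"  # no DMARC record published, so there is no policy to apply
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["return_path"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim_pass"] and aligned(msg["from"], msg["dkim_d"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # one aligned, passing mechanism is enough
    return "deliver" if policy["p"] == "none" else policy["p"]

# Constructed sample data (reserved example domains).
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
# SPF passes, but for the sender's own envelope domain, which does not match 'From'.
UNALIGNED = {"from": "example.com", "spf_pass": True, "return_path": "mail.example.net",
             "dkim_pass": False, "dkim_d": None}
# Sent through a third-party service: SPF is unaligned, DKIM is signed by a subdomain of 'From'.
VIA_ESP = {"from": "example.com", "spf_pass": True, "return_path": "bounce.example.net",
           "dkim_pass": True, "dkim_d": "news.example.com"}

if __name__ == "__main__":
    for name, msg in (("unaligned", UNALIGNED), ("via_esp", VIA_ESP)):
        print(name, evaluate(msg, RECORD))
```

The first sample shows why an SPF pass alone is not sufficient: the check passed for a domain other than the one in ‘From’, so the published policy applies.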
DMARC leverages and significantly adds to the two prior authentication standards, SPF and DKIM. As a result, virtually every major email service provider has implemented the standard, including 100 percent of major North American mailbox providers, such as Gmail, Microsoft, and Yahoo!/AOL, as well as a large and growing majority of companies across the globe. Advantages include:
DMARC Eliminates Same-Domain Name Phishing — When fully enforced, DMARC ensures that only authorized senders can transmit messages on the domain owner’s behalf, and guarantees a match between the visible ‘From’ and the hidden ‘Return-Path’ or ‘DKIM’ field addresses in each message. This eliminates same-domain phishing attacks, and protects the brand by ensuring a domain name is only used by authorized senders.
DMARC Increases Email Deliverability — With DMARC at enforcement, a domain name’s reputation is improved and domain owners realize substantially increased email deliverability. DMARC reduces unwanted emails sent by impostors hijacking your domain name. Such emails damage a company’s reputation among customers and spam filters, hurting deliverability. DMARC puts a stop to that, and when it is set to a policy of enforcement, domain owners see a substantial improvement in email deliverability.
DMARC Provides Global Visibility — DMARC’s reporting mechanisms provide information about, and control over, services sending email on your behalf, and can give you full visibility over your email ecosystem.
DMARC Can Be Automated — DMARC success requires strong knowledge of internet standards, constant report monitoring, and frequent configuration updates. As a result, successful adoption requires automation that eliminates the need for in-house specialists. Fortunately, cloud-based, automated email authentication services are available to replace manual effort and guesswork.