Glossary

DMARC

Domain-based Message Authentication, Reporting & Conformance

What is DMARC?

DMARC is an email authentication protocol that helps domain owners protect their domain from unauthorized use, commonly known as email spoofing. It builds on two existing authentication methods (SPF and DKIM) to provide a way for domain owners to:

  • Specify which servers are authorized to send email for their domain
  • Tell receiving servers what to do with unauthorized messages
  • Receive reports about email authentication results

Why DMARC Matters

Without DMARC, anyone can send email that appears to come from your domain. This creates several problems:

  • Phishing attacks - Criminals can impersonate your organization to trick recipients
  • Reputation damage - Spam sent "from" your domain hurts your sender reputation
  • Deliverability issues - Poor reputation means legitimate email lands in spam
  • No visibility - Without DMARC reports, you don't know who's using your domain

How DMARC Works

DMARC works by checking that incoming email passes SPF and/or DKIM authentication, and that the domains align:

  1. Sender sends email - The message includes authentication headers
  2. Receiver checks SPF - Verifies the sending server is authorized
  3. Receiver checks DKIM - Verifies the message signature is valid
  4. Receiver checks alignment - Confirms the From: header domain matches the domain that SPF or DKIM authenticated
  5. Receiver applies policy - Follows the domain's DMARC policy (none, quarantine, or reject)
  6. Receiver sends report - Sends aggregate data back to the domain owner

DMARC Policies

Domain owners can specify one of three policies:

  • p=none - Monitor only; don't take action on failing messages
  • p=quarantine - Send failing messages to spam/junk folder
  • p=reject - Block failing messages entirely

Most organizations start with p=none to gather data before progressing to enforcement.
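As an added example (not part of this glossary entry), the receiver-side evaluation in steps 2 to 5 above and the three p= policies, written as a small Python policy evaluator. It goes one step beyond the text by also honouring DMARC's adkim/aspf alignment tags (strict vs relaxed, defined in RFC 7489); the record, domains and SPF/DKIM results are constructed, and the organizational-domain lookup is a deliberate simplification.

```python
from email.utils import parseaddr

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'.
    Alignment tags default to relaxed ('r') when absent, per RFC 7489."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def header_domain(from_header):
    """Domain of the RFC5322.From address: 'A <a@example.com>' -> 'example.com'."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def org_domain(domain):
    # Simplification: last two labels. Real code uses the Public Suffix List (e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same
    organizational domain, so mail.example.com aligns with example.com."""
    if not auth_dom:
        return False
    a, b = from_dom.lower(), auth_dom.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate_dmarc(from_header, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Steps 2-5 above: pass if SPF or DKIM passed AND that domain aligns with
    From:; otherwise the record's p= policy decides. Returns (passed, disposition)."""
    tags = parse_dmarc_record(record)
    fd = header_domain(from_header)
    spf_ok = spf_result == "pass" and aligned(fd, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(fd, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, tags["p"]  # none -> deliver (but report), quarantine -> junk, reject -> block

# Constructed record and messages (not real domains or mail):
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
if __name__ == "__main__":
    print(evaluate_dmarc("Alice <alice@example.com>", RECORD, "pass", "bulk.example.com", "none", None))
    print(evaluate_dmarc("Alice <alice@example.com>", RECORD, "pass", "evil.example", "pass", "evil.example"))
```

The first call shows a legitimate subdomain sender passing under relaxed SPF alignment; the second shows a message that authenticates only as an unrelated domain and therefore receives the reject disposition.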