Email Security:

Understanding DMARC

Summary

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that builds upon Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to prevent email spoofing and phishing attacks.

Introduction #

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol designed to protect against email spoofing and phishing attacks. It builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to provide domain owners with the ability to enforce email validation policies and receive reports on email authentication activity.

DMARC helps domain owners to control how unauthenticated messages are handled.

How DMARC works #

DMARC operates by specifying policies in a Domain Name System (DNS) record that instruct receiving mail servers on how to handle emails that fail SPF or DKIM authentication. It also enables domain owners to receive reports on email authentication activity.

DMARC record structure #

A full DMARC record is a TXT record published at _dmarc.<domain> in the domain’s DNS and may look like this:

_dmarc.example.com. TXT "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; aspf=r; adkim=s"

  • Root domain emails failing DMARC are rejected.
  • Subdomains use quarantine.
  • 100% of failing emails are subjected to the policy.
  • Aggregate & forensic reports are sent to the specified addresses.
  • SPF alignment is relaxed, while DKIM alignment is strict.

Let’s have a detailed look at the options and modifiers available.

DMARC policy options & modifiers #

DMARC policies define how receiving mail servers should treat messages that fail SPF or DKIM authentication.

Policy options #

There are three primary DMARC policy (p) options:

  • p=none:
    No specific action is taken on failing emails; they are delivered as usual. This option is used for monitoring and collecting DMARC reports without affecting email delivery.
  • p=quarantine:
    Emails that fail DMARC checks are marked as suspicious (e.g., sent to spam/junk folder). This option helps reduce risks while still allowing some non-compliant emails through.
  • p=reject:
    Emails that fail DMARC checks are outright rejected by the receiving server. This option provides the strongest protection against risks, e.g. phishing and spoofing.

Additional policy modifiers (optional) #

  • pct (Percentage):
    Specifies what percentage of failing emails should be subjected to the policy (default: 100), e.g.:
    pct=50
  • sp (Subdomain Policy):
    Sets a different policy for subdomains (if not specified, inherits the root domain’s policy), e.g.:
    sp=reject

SPF/DKIM alignment (optional) #

By default, DMARC applies relaxed alignment for both SPF (aspf) and DKIM (adkim).

  • aspf=r (SPF Relaxed Alignment - Default)
    • The SPF-verified return-path domain (also called the “Mail From” or “Envelope From” domain) must match the domain in the “From” header, but subdomain differences are allowed.
    • Example: If the “From” header domain is example.com, SPF alignment passes even if the SPF-authenticated domain is mail.example.com.
  • adkim=r (DKIM Relaxed Alignment - Default)
    • The DKIM-signing domain (d= tag in the DKIM signature) must match the domain in the “From” header, but subdomains are allowed.
    • Example: If the “From” header domain is example.com, DKIM alignment passes even if the DKIM-signing domain is email.example.com.

If you want strict alignment, you need to explicitly set:

  • aspf=s (SPF Strict Alignment) → The SPF-authenticated domain must exactly match the “From” header domain (no subdomains allowed).
  • adkim=s (DKIM Strict Alignment) → The DKIM-signed domain must exactly match the “From” header domain (no subdomains allowed).

Reporting (optional) #

DMARC provides reporting capabilities that allow domain owners to monitor email authentication results.

There are two types of reports:

  • rua (Reporting URI Aggregate):
    Email address for receiving aggregate XML reports, e.g.:
    rua=mailto:dmarc-reports@example.com
  • ruf (Reporting URI Forensic):
    Email address for receiving forensic (per-message) failure reports, e.g.:
    ruf=mailto:dmarc-forensic@example.com

By analyzing DMARC reports, domain owners can fine-tune their email authentication policies and detect malicious activity.

Setting up DMARC for your domain #

To configure DMARC:

  1. Ensure that SPF and DKIM are correctly implemented for your domain.
  2. Create a DMARC policy that specifies how to handle unauthenticated emails.
  3. Publish the DMARC policy as a TXT record in your domain’s DNS.
  4. Monitor DMARC reports to adjust your policy as needed.

Example of a DMARC record enforcing a strict rejection policy, which sends aggregate XML reports to dmarc-reports@example.com:

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
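As an added example (not code from the original article), the following Python parses a record like the one above, fills in the defaults described under “Additional policy modifiers” and “SPF/DKIM alignment”, and evaluates alignment and the resulting disposition for sample “From”, SPF and DKIM domains. It assumes the record is published at the organizational domain and approximates that domain as the last two DNS labels instead of consulting the Public Suffix List.

```python
"""Parse a DMARC TXT record and evaluate identifier alignment. Added example,
not code from the original article. Assumptions: the record is published at
the organizational domain, approximated here as the last two DNS labels."""

# The record shown in the "DMARC record structure" section.
RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
          "rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:dmarc-forensic@example.com; aspf=r; adkim=s")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict and fill in the documented defaults."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    tags.setdefault("pct", "100")
    tags.setdefault("aspf", "r")   # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is set
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s': exact match; 'r': any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """'pass' if SPF or DKIM is both authenticated and aligned; otherwise the
    policy to apply: p for the record's own domain, sp for its subdomains.
    spf_domain: envelope-from domain that passed SPF (None if SPF failed).
    dkim_domain: d= of a DKIM signature that verified (None if none did)."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # pct below 100 would apply this policy to only a sample of failing mail.
    from_is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    return tags["sp"] if from_is_subdomain else tags["p"]
```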

DMARC should be used alongside other authentication methods like SPF and DKIM for best email security.

FAQs #

Most common questions and brief, easy-to-understand answers on the topic:

What is Domain-based Message Authentication, Reporting & Conformance (DMARC)?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that helps domain owners prevent email spoofing and phishing by enforcing policies on SPF and DKIM alignment.

Is it OK to set up a DMARC record with no rua and ruf?

Yes, it is OK to set up a DMARC record without rua (aggregate reports) and ruf (forensic reports), but you will not receive any visibility into authentication failures or spoofing attempts. This limits your ability to monitor and improve email security.

How does DMARC improve email security?

DMARC enhances email security by allowing domain owners to specify how unauthenticated emails should be handled and by providing reports on email authentication results.

What are the possible DMARC policy settings?

DMARC policies include none (monitoring only), quarantine (mark as spam), and reject (block unauthorized emails).

How do I create a DMARC record for my domain?

You need to add a TXT record in your domain's DNS with the appropriate DMARC policy settings, such as v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com.

Can DMARC work without SPF or DKIM?

No, DMARC relies on SPF and DKIM alignment to authenticate emails. At least one of these must be properly configured for DMARC to function effectively.

Further readings #

Sources and recommended further resources on the topic:

Author

Jonas Jared Jacek (J15k)

Jonas has worked as a project manager, web designer, and web developer since 2001. On top of that, he is a Linux system administrator with a broad interest in things related to programming, architecture, and design. See: https://www.j15k.com/

License

Understanding DMARC by Jonas Jared Jacek is licensed under CC BY-SA 4.0.

This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, for noncommercial purposes only. To give credit, provide a link back to the original source, the author, and the license e.g. like this:

<p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://www.ditig.com/understanding-dmarc">Understanding DMARC</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://www.j15k.com/">Jonas Jared Jacek</a> is licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" target="_blank" rel="license noopener noreferrer">CC BY-SA 4.0</a>.</p>

For more information see the Ditig legal page.
