DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that works by aligning the results of SPF and DKIM with the domain in the email’s “From” header. This alignment ensures that only authorized senders can send emails on behalf of your domain. DMARC also provides reporting mechanisms, enabling domain owners to monitor email traffic and detect unauthorized use. By implementing DMARC, you mitigate email spoofing, phishing attacks, and enhance email deliverability.
DMARC checks if the email is really sent by your domain and not a fraudster. It does this by verifying two things:
If these checks pass and align with the domain in the email’s “From” address, the email is considered legitimate. If not, the DMARC policy (None, Quarantine, or Reject) decides how to handle it. DMARC also sends reports to help you monitor and fix issues.
A DMARC record is a TXT record published in your domain’s DNS. Its key components include:
p=
): Specifies the action (None, Quarantine, or Reject) for unauthenticated emails.rua=
): Email address(es) to receive daily reports about authentication results.ruf=
): Email address(es) to receive detailed reports for failed emails (optional).adkim=
and aspf=
): Defines whether alignment is strict or relaxed for DKIM and SPF.sp=
): Policy for subdomains (defaults to the main domain policy if not set).ri=
): Time interval (in seconds) for aggregate report delivery (default is 86,400 seconds or 1 day).Example:v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=r;
In short, SPF and DKIM are authentication methods, while DMARC ensures these methods align with your domain and provides actionable control and visibility.
DMARC policies define how unauthenticated emails should be handled:
p=none
): Monitors email traffic without affecting delivery. Use this policy when starting with DMARC to gather reports and identify issues.p=quarantine
): Marks unauthenticated emails as suspicious (e.g., moves them to spam). Use this policy after reviewing reports and addressing major issues.p=reject
): Blocks unauthenticated emails entirely. Use this policy only when confident your legitimate emails are properly authenticated.v=DMARC1; p=none; rua=mailto:[email protected]
[email protected]
with your email to receive reports._dmarc
Start with p=none
to monitor emails, then move to stricter policies (Quarantine or Reject) as you resolve issues.
rua=
tag of your DMARC record.ruf=
tag of your DMARC record. These reports help with deeper analysis and troubleshooting of specific authentication failures.You can analyze DMARC reports manually or by using specialized tools. Here’s how:
There are several reasons DMARC might fail for your emails:
MAIL FROM
(envelope sender) matches the domain in the “From” header.Both types of alignment ensure that your domain’s email authentication methods are properly linked with the “From” address, which is a key part of DMARC’s security checks. If alignment fails, DMARC will consider the email unauthenticated and apply the policy you’ve set.
Implementing DMARC can take anywhere from a few minutes to several weeks, depending on your setup:
Start with Monitoring (p=none
): The process begins by publishing a DMARC record with a p=none
policy. This allows you to monitor email activity without affecting delivery and typically takes only a few minutes.
Monitor and Configure Sending Sources: Use the DMARC reports to identify misconfigured systems or unauthorized senders. Align SPF and DKIM for all legitimate email-sending sources. This phase can take a few days to a few weeks, depending on the complexity of your email infrastructure.
Move to Quarantine (p=quarantine
): After ensuring most sources are configured correctly, update your DMARC policy to quarantine suspicious emails. This step requires continued monitoring and adjustments as needed.
Enforce Reject (p=reject
): Once all legitimate sources are aligned and no issues remain, transition to a reject policy to fully block unauthorized emails. This final phase ensures maximum protection and may take additional time to validate.
Overall, the entire process typically takes 1 to 2.5 months, depending on the complexity of your setup and the number of email sources to configure.
Before setting your DMARC policy to “Reject,” follow these steps:
This approach helps minimize the risk of rejecting legitimate emails.
Yes, DMARC applies to subdomains by default, meaning they inherit the policy of the parent domain unless specified otherwise.
Inheriting the Policy: If no separate DMARC record is set for a subdomain, it will follow the main domain’s policy. For example, if your parent domain has p=reject
, the subdomain will also reject emails that fail DMARC checks.
Using the sp
Tag: To set a different policy for subdomains, use the sp
(subdomain policy) tag in your main domain’s DMARC record. Example:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]
This would apply the “Reject” policy to the parent domain but place emails from subdomains into quarantine.Separate DMARC Record: If a subdomain follows completely different email flows (e.g., a third-party service), it should have its own DMARC record to ensure proper protection.