DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that works by aligning the results of SPF and DKIM with the domain in the email’s “From” header. This alignment ensures that only authorized senders can send emails on behalf of your domain. DMARC also provides reporting mechanisms, enabling domain owners to monitor email traffic and detect unauthorized use. By implementing DMARC, you mitigate email spoofing, phishing attacks, and enhance email deliverability.

DMARC checks if the email is really sent by your domain and not a fraudster. It does this by verifying two things:

  1. SPF Check: Was the email sent from a server authorized by your domain?
  2. DKIM Check: Does the email’s digital signature match your domain?

If these checks pass and align with the domain in the email’s “From” address, the email is considered legitimate. If not, the DMARC policy (None, Quarantine, or Reject) decides how to handle it. DMARC also sends reports to help you monitor and fix issues.

A DMARC record is a TXT record published in your domain’s DNS. Its key components include:

  1. Policy (p=): Specifies the action (None, Quarantine, or Reject) for unauthenticated emails.
  2. Aggregate Reports (rua=): Email address(es) to receive daily reports about authentication results.
  3. Forensic Reports (ruf=): Email address(es) to receive detailed reports for failed emails (optional).
  4. Alignment Mode (adkim= and aspf=): Defines whether alignment is strict or relaxed for DKIM and SPF.
  5. Subdomain Policy (sp=): Policy for subdomains (defaults to the main domain policy if not set).
  6. Reporting Interval (ri=): Time interval (in seconds) for aggregate report delivery (default is 86,400 seconds or 1 day).

Example:
v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=r;

  • SPF (Sender Policy Framework): Ensures emails are sent from authorized servers by checking the sender’s IP against a list in the DNS.
  • DKIM (DomainKeys Identified Mail): Verifies the authenticity of an email using a cryptographic signature tied to the sending domain.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Combines SPF and DKIM to ensure alignment with the “From” address, specifies a policy for handling unauthorized emails, and provides reporting for domain owners.

In short, SPF and DKIM are authentication methods, while DMARC ensures these methods align with your domain and provides actionable control and visibility.

DMARC policies define how unauthenticated emails should be handled:

  1. None (p=none): Monitors email traffic without affecting delivery. Use this policy when starting with DMARC to gather reports and identify issues.
  2. Quarantine (p=quarantine): Marks unauthenticated emails as suspicious (e.g., moves them to spam). Use this policy after reviewing reports and addressing major issues.
  3. Reject (p=reject): Blocks unauthenticated emails entirely. Use this policy only when confident your legitimate emails are properly authenticated.
  1. Create the DMARC Record: Write a TXT record for your domain’s DNS. A basic DMARC record looks like this:
    v=DMARC1; p=none; rua=mailto:[email protected]
  2. You can use the DMARC Record Generator to avoid human errors.
  3. Log in to Your DNS Provider: Access the DNS settings for your domain.
  4. Add the DMARC Record:
    • Host/Name: _dmarc
    • Type: TXT
    • Value: Paste your DMARC record.
  5. Save Changes: Publish the record and wait for DNS propagation.

Start with p=none to monitor emails, then move to stricter policies (Quarantine or Reject) as you resolve issues.

  • Aggregate Reports: These daily reports provide a summary of how your emails are being authenticated across various receiving mail servers. They include data on SPF, DKIM, and DMARC pass/fail rates, helping you understand email traffic and potential issues. Aggregate reports are sent to the email addresses specified in the rua= tag of your DMARC record.
  • Forensic Reports: These detailed reports are triggered when an email fails DMARC checks. They contain information about the failed message (such as the email headers and IP address of the sending server) and are sent to the email addresses specified in the ruf= tag of your DMARC record. These reports help with deeper analysis and troubleshooting of specific authentication failures.

You can analyze DMARC reports manually or by using specialized tools. Here’s how:

  • Manual Analysis: Open the XML format reports, review the data on SPF, DKIM, and DMARC alignment, and identify any sources of failure (like unauthorized servers or misconfigurations).
  • DMARC Report Analyzer Tools: Use tools like EasyDMARC, DMARCian or Postmark to visualize and simplify the data from your reports. These tools can generate charts, highlight issues, and provide recommendations.

There are several reasons DMARC might fail for your emails:

  1. SPF and DKIM Failures: If your SPF or DKIM records are misconfigured or not aligned with the “From” address, DMARC will fail.
  2. Third-Party Senders: If you use external services (like email marketing platforms), they may not be properly authenticated with your domain’s SPF or DKIM, leading to DMARC failures.
  3. Misalignment: Ensure that the domains used in SPF/DKIM align with the domain in the “From” header. If they don’t, DMARC will fail.
    Check your reports to pinpoint the exact cause of failure.
  • SPF Alignment: SPF checks whether the sender’s IP address is authorized to send emails on behalf of your domain. For DMARC, alignment means that the domain used in the MAIL FROM (envelope sender) matches the domain in the “From” header.
  • DKIM Alignment: DKIM adds a cryptographic signature to the email, which proves that the email content hasn’t been tampered with. For DMARC, alignment means that the domain in the DKIM signature matches the domain in the “From” header.

Both types of alignment ensure that your domain’s email authentication methods are properly linked with the “From” address, which is a key part of DMARC’s security checks. If alignment fails, DMARC will consider the email unauthenticated and apply the policy you’ve set.

Implementing DMARC can take anywhere from a few minutes to several weeks, depending on your setup:

  1. Start with Monitoring (p=none): The process begins by publishing a DMARC record with a p=none policy. This allows you to monitor email activity without affecting delivery and typically takes only a few minutes.

  2. Monitor and Configure Sending Sources: Use the DMARC reports to identify misconfigured systems or unauthorized senders. Align SPF and DKIM for all legitimate email-sending sources. This phase can take a few days to a few weeks, depending on the complexity of your email infrastructure.

  3. Move to Quarantine (p=quarantine): After ensuring most sources are configured correctly, update your DMARC policy to quarantine suspicious emails. This step requires continued monitoring and adjustments as needed.

  4. Enforce Reject (p=reject): Once all legitimate sources are aligned and no issues remain, transition to a reject policy to fully block unauthorized emails. This final phase ensures maximum protection and may take additional time to validate.

Overall, the entire process typically takes 1 to 2.5 months, depending on the complexity of your setup and the number of email sources to configure.

Before setting your DMARC policy to “Reject,” follow these steps:

  • Monitor DMARC Reports: Review aggregate reports to track which sources are sending email on your behalf and ensure they align with SPF and DKIM.
  • Use “None” First: Set your policy to “None” (monitoring email flow) and monitor for a few weeks. This gives you a chance to fix issues before enforcing DMARC policy to “Quarantine”.
  • Third-Party Providers: Ensure any third-party services (e.g., marketing platforms) are configured to pass DMARC checks.
  • Check Alignment: Make sure your SPF and DKIM records are properly aligned with your “From” address. If not, emails may be rejected.
  • Gradual Rollout: Move from “None” to “Quarantine,” then to “Reject” gradually. Start with a low percentage (e.g., 10%) of emails set to “Reject” and increase as you confirm there are no issues.

This approach helps minimize the risk of rejecting legitimate emails.

Yes, DMARC applies to subdomains by default, meaning they inherit the policy of the parent domain unless specified otherwise.

  • Inheriting the Policy: If no separate DMARC record is set for a subdomain, it will follow the main domain’s policy. For example, if your parent domain has p=reject, the subdomain will also reject emails that fail DMARC checks.

  • Using the sp Tag: To set a different policy for subdomains, use the sp (subdomain policy) tag in your main domain’s DMARC record. Example:

    • v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected] This would apply the “Reject” policy to the parent domain but place emails from subdomains into quarantine.
  • Separate DMARC Record: If a subdomain follows completely different email flows (e.g., a third-party service), it should have its own DMARC record to ensure proper protection.