DMARC - In Simple Terms

Domain-based Message Authentication, Reporting & Conformance (DMARC) is the latest form of email authentication. It makes sure that legitimate email authenticates against 2 DNS record types: DKIM and/or SPF. Also, it ensures that fraudulent email that tries to look legitimate gets blocked.

The alignment of these DNS entries, which is the heart of DMARC, prevents spoofing of the return path's "from" address. It matches the return path domain name with the visible From address domain name from the SPF check. Then, it matches the return path domain name with the domain name in the DKIM signature.  An email needs to pass SPF authentication as well as DKIM authentication to be able to pass DMARC.

Senders tell receivers what to do with unauthenticated email via the DMARC policy. This could include quarantining email that fails DMARC by moving it to the spam folder. It could also include rejecting the email and not delivering it at all.

Receiving email servers send DMARC reports back to senders on a regular basis. These reports give system administrators insight into which of their emails are passing DMARC, which are failing and why.
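
As an added example (not part of the original article), the Python sketch below reads a DMARC aggregate report in the XML layout defined in RFC 7489 and lists which sending sources failed DKIM or SPF and what the receiver did with their mail. The report is a constructed sample using documentation addresses, and `summarize` is a name chosen for this illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges, example.com domain).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return the published policy, message counts per disposition, and failing sources."""
    # Reports come from outside parties: refuse DTDs so entity-expansion tricks never parse.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    root = ET.fromstring(report_xml)
    by_disposition = defaultdict(int)
    failing_sources = []
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue  # malformed record: nothing to evaluate
        count = int(rec.findtext("row/count", "0"))
        by_disposition[evaluated.findtext("disposition")] += count
        # The "why": which of the two checks the receiver recorded as not passing.
        failed = [name for name in ("dkim", "spf") if evaluated.findtext(name) != "pass"]
        if failed:
            failing_sources.append((rec.findtext("row/source_ip"), count, failed))
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "by_disposition": dict(by_disposition),
        "failing_sources": failing_sources,
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(report["domain"], report["policy"], report["by_disposition"])
    for ip, count, failed in report["failing_sources"]:
        print(f"{ip}: {count} message(s) failed {', '.join(failed)}")
```

Sources that appear in the failing list but belong to a legitimate sender usually point to a missing SPF entry or an unsigned mail stream rather than to spoofing.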

In a nutshell:
  1. DMARC ensures the visible From address in an email is trustworthy.
  2. It protects customers and your brand.
  3. Cybercriminals are less likely to go after a domain that has DMARC in place.

For more information about DMARC, as well as SPF and DKIM, please see our blog post: Understanding SPF, DKIM and DMARC. Here you'll find details of the actual records and an in-depth description of each piece of an SPF, DKIM and DMARC record, as well as resources that can help you create and analyze each record type.