What is DMARC?

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. It’s an email authentication, policy, and reporting protocol. It builds on the widely used SPF and DKIM protocols to improve and monitor the protection of a domain from fraudulent email, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders.

It also allows a domain owner to request notifications about mail that looks like it’s sent from their domain, but which isn’t correctly authenticated. This is critical if you want to be able to check that you really are authenticating (most of) your email, and to do so before you ask recipients to discard potentially legitimate mail that’s not authenticated.

Using DMARC in “reporting only” mode, either ‘p=none’ or ‘p=quarantine pct=0’, is an extremely useful tool for mapping out your mail flows and finding sources of legitimate email that aren’t correctly authenticated. This is useful in itself, and an essential step towards DMARC enforcement.

Deploying DMARC in enforcing mode requires deploying SPF and DKIM everywhere first. While DMARC only requires that either SPF or DKIM passes, both authentication mechanisms are fragile and will occasionally break, so you want to have them both in place to minimize the risk of DMARC failing.
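As an added example (not code from the original post), the following Python sketch evaluates a message against a DMARC record the way the text describes: either aligned SPF or aligned DKIM is enough to pass, and a record of ‘p=quarantine; pct=0’ ends up applying no enforcement at all. The organizational-domain helper is an assumed simplification (last two labels); real receivers consult the Public Suffix List.

```python
# Evaluate DMARC for one message. Inputs: the published _dmarc TXT record, the
# RFC5322.From domain, the domain for which SPF returned "pass" (None if SPF
# did not pass), and the d= domain of a DKIM signature that verified (None if none).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag->value dict, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment, 100% sampling
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """ASSUMED simplification: organizational domain = last two labels.
    Real implementations use the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match with the From: domain,
    'r' (relaxed) accepts any domain in the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain, sample_bucket=0):
    """Return (dmarc_result, policy_to_apply).

    sample_bucket is a constructed 0..99 value standing in for the receiver's
    random sampling: messages whose bucket is at or above pct get the
    next-weaker policy (reject->quarantine, quarantine->none), which is why
    'p=quarantine; pct=0' behaves like 'p=none' but still triggers reports."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:          # DMARC passes if EITHER aligned mechanism passes
        return "pass", "none"
    policy = tags["p"]
    if sample_bucket >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy
```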

Some ISPs seem to assess domains with published DMARC records favorably, but it’s always a good idea to be properly authenticated with both DKIM and SPF – DMARC is a great addition for brand/domain protection.

For more information on email authentication, please see our blog post.
