DMARC

What is DMARC?

DMARC stands for "Domain-based Message Authentication, Reporting, and Conformance" which may sound a little scary...

Everyone wants to maximise the chances of their emails getting delivered, and DMARC is a term that comes up frequently in email deliverability conversations.

It's an email authentication policy that builds upon SPF and DKIM to provide domain owners with control over how their domain is used in email.

DMARC allows domain owners to publish a policy in their DNS that tells receiving mail servers (like Gmail or Outlook) what to do when they receive emails that fail SPF or DKIM authentication.

The policy can specify actions like:

• None: Monitor only (take no action but report).
• Quarantine: Treat suspiciously (send to spam folder).
• Reject: Reject the email entirely.

DMARC also provides detailed reporting on email authentication results, allowing domain owners to see:

• How many emails are being sent from their domain.
• Which servers are sending emails on their behalf.
• How many emails pass or fail authentication.
• Where authentication failures are occurring.

This helps domain owners identify legitimate email sources and detect potential abuse of their domain.

Example

A company might implement DMARC with a policy like this in their DNS as a TXT record on their domain:

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; pct=100

This policy tells receiving servers to:

• Quarantine (send to spam) emails that fail authentication.
• Send aggregate reports to dmarc@company.com.
• Send forensic reports for failed emails.
• Apply the policy to 100% of emails.

As the domain owner builds trust and identifies all legitimate email sources, they can gradually move from "none" to "quarantine" to "reject" policies.