What is DMARC and how does it work

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that lets domain owners tell receiving mail servers how to handle messages that fail authentication for their domain, and gives them reports showing who is sending mail on the domain's behalf.

Understanding DMARC

DMARC helps protect your domain from email spoofing, phishing attacks, and other forms of abuse. It works by building on two established authentication technologies:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)

Together, these tools help verify that an email actually comes from the domain it claims to be from. DMARC adds an extra layer by allowing domain owners to define policies for handling unauthenticated emails, and receive reports on authentication results.

How Does DMARC Work?

To enable DMARC, domain owners publish a TXT record at _dmarc.<domain> in their DNS. This record states the domain's DMARC policy as a set of tags and values that define:

  • What to do with emails that fail SPF/DKIM checks (e.g., reject, quarantine, or allow them through)
  • Where to send authentication reports
  • How strictly to enforce the policy

When an email is received, the recipient's mail server looks up the DMARC record for the domain in the message's From: header (the address the user sees). It then verifies:

  1. Does the message pass SPF and/or DKIM checks?
  2. Does the domain that produced the pass "align" with the domain in the From: header? For SPF that is the envelope MAIL FROM domain; for DKIM it is the d= domain of the signature.

If at least one mechanism passes and its domain aligns, the message passes DMARC and is delivered normally. If not, the receiver applies the published policy: rejecting, quarantining, or delivering the message, and records the result for reporting.
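The check described above, as an added example that is not code from the original page. It takes SPF and DKIM results as inputs (as a receiver would have them after running those checks) and uses a deliberately simplified organizational-domain rule in place of the Public Suffix List; domain names and results in the usage note are constructed.

```python
# Added example (not from the original page): how a receiving mail server
# turns SPF/DKIM results plus the published DMARC policy into a disposition.
# Assumptions: SPF and DKIM have already been evaluated by the caller, and
# org_domain() uses a toy "last two labels" rule in place of the Public
# Suffix List that real receivers consult.
from dataclasses import dataclass
from typing import Optional

POLICIES = ("none", "quarantine", "reject")  # least to most severe


def org_domain(domain: str) -> str:
    """Toy organizational-domain rule (assumption): keep the last two labels.
    Real implementations use the Public Suffix List so that
    'mail.example.co.uk' maps to 'example.co.uk' rather than 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header (what the user sees)
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def dmarc_pass(r: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes when at least one mechanism passes AND its identifier
    aligns with the From: domain. A passing SPF check for an unrelated
    MAIL FROM domain therefore does not help a spoofer."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, adkim)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, p: str, sp: Optional[str] = None,
                adkim: str = "r", aspf: str = "r", pct: int = 100,
                record_domain: Optional[str] = None, sample: int = 0) -> str:
    """Action the receiver takes: 'none', 'quarantine' or 'reject'.

    record_domain: domain whose DMARC record was found; if the From: domain
    differs from it (i.e. is a subdomain) and sp is set, sp applies instead of p.
    sample: an integer 0..99 standing in for the receiver's random draw that
    implements pct. Messages outside the sampled share get the next less
    severe policy (reject -> quarantine, quarantine -> none), per RFC 7489.
    """
    if dmarc_pass(r, adkim, aspf):
        return "none"
    policy = p
    if sp and record_domain and r.from_domain.lower() != record_domain.lower():
        policy = sp
    if policy != "none" and sample >= pct:
        policy = POLICIES[POLICIES.index(policy) - 1]
    return policy
```

With a constructed legitimate message (From: example.com, SPF pass for bounce.example.com, no valid DKIM) `dmarc_pass` returns True under relaxed alignment and False under `aspf="s"`; a constructed spoof whose SPF and DKIM both pass for attacker.example fails DMARC and, under p=reject, is rejected.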

Why is DMARC Important?

DMARC boosts email security by:

  • Preventing attackers from sending fraudulent emails using your domain
  • Improving deliverability of legitimate messages
  • Giving insight into how your domain is being used or misused

For domain owners, DMARC reports provide valuable data about email traffic and help identify spoofing or misconfigurations. For receivers, DMARC helps filter suspicious emails before they reach inboxes.

Limitations of DMARC

While powerful, DMARC has a few key limitations:

  • Adoption on both sides required: the sending domain must publish a DMARC record, and the receiving server must look it up and enforce it. A record with p=none protects nothing by itself; it only produces reports.
  • Depends on SPF and DKIM: both have their own weaknesses. SPF breaks when mail is forwarded (the forwarder's IP is not in your SPF record), and DKIM requires ongoing key management and rotation.
  • No content protection: DMARC verifies the sending domain, not the message content. It does not encrypt messages or prevent them from being intercepted or altered in transit.
  • Lookalike domains still possible: an attacker can register a similar-looking domain with its own valid SPF and DKIM records. DMARC on your domain says nothing about mail from domains you do not control.

DMARC Syntax

DMARC syntax is the format and structure of the DMARC record that is published in the DNS of the email domain. The record is a TXT record made up of tag=value pairs separated by semicolons. Tag names are case-insensitive, but the record must begin with the tag v=DMARC1, whose value is case-sensitive (receivers ignore a record that starts with v=dmarc1), and it must contain a p tag; the remaining tags are optional and may appear in any order. Each tag covers one aspect of the DMARC policy, and its value selects the setting for that aspect. The tags below summarize the main tags and values that can be used in a DMARC record, along with their meanings and examples.

DMARC Syntax Example

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@domain.com; pct=100

p (required)

Meaning: The policy the receiver should apply to mail from the domain that fails DMARC.

Values: none (take no action, only monitor and report); quarantine (treat the message as suspicious, typically delivering it to the spam or junk folder); reject (refuse the message during the SMTP transaction and do not deliver it).

Example: p=quarantine

sp (optional)

Meaning: The policy for subdomains of the domain. If not specified, subdomains inherit the parent domain's p policy.

Values: none, quarantine, reject (as for p).

Example: sp=quarantine

pct (optional)

Meaning: The percentage of failing messages to which the quarantine or reject policy is applied. The remainder are handled under the next less severe policy (reject becomes quarantine, quarantine becomes none), which is what makes gradual rollout possible. It has no effect with p=none. If not specified, the default is 100.

Values: An integer between 0 and 100.

Example: pct=50

rua (optional)

Meaning: The addresses to send aggregate reports to. Multiple addresses can be specified, separated by commas. If an address is on a different domain from the one publishing the record, that other domain must publish an authorization TXT record at <yourdomain>._report._dmarc.<reportdomain>, or receivers will not send reports there.

Values: A list of mailto: URIs.

Example: rua=mailto:admin@example.com,mailto:dmarc@example.com

ruf (optional)

Meaning: The addresses to send forensic (failure) reports to. Multiple addresses can be specified, separated by commas; the same external-destination rule as for rua applies. Many large receivers do not send failure reports at all.

Values: A list of mailto: URIs.

Example: ruf=mailto:admin@example.com

adkim (optional)

Meaning: The alignment mode for DKIM, i.e. how closely the d= domain of a valid signature must match the From: domain. If not specified, the default is r (relaxed).

Values: r (relaxed: the organizational domains must match, so d=mail.example.com aligns with From: example.com); s (strict: the domains must be identical).

Example: adkim=s

aspf (optional)

Meaning: The alignment mode for SPF, i.e. how closely the envelope MAIL FROM domain that passed SPF must match the From: domain. If not specified, the default is r (relaxed).

Values: r or s, with the same meaning as for adkim.

Example: aspf=r

fo (optional)

Meaning: The conditions under which failure reports are generated. If not specified, the default is 0. Several options can be combined with colons, for example fo=1:d:s.

Values: 0 (report only if all authentication mechanisms fail to produce an aligned pass); 1 (report if any mechanism fails to produce an aligned pass); d (report if a DKIM signature fails verification, regardless of alignment); s (report if SPF fails, regardless of alignment).

Example: fo=1

rf (optional)

Meaning: The format of failure reports. If not specified, the default is afrf (Authentication Failure Reporting Format, RFC 6591). The iodef value appeared in early drafts, but RFC 7489 defines only afrf, so that is the only format receivers are expected to honour.

Values: afrf

Example: rf=afrf

ri (optional)

Meaning: The requested interval between aggregate reports, in seconds. If not specified, the default is 86400 (24 hours). Receivers are only required to support daily reports and may ignore shorter intervals.

Values: A positive integer.

Example: ri=43200
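A validating parser for the record syntax and tag defaults described above, added here as an example (it is not code from the original page). It assumes the record text has already been fetched from the _dmarc.<domain> TXT record; the sample records it is exercised with are constructed.

```python
# Added example (not from the original page): a validating parser for a DMARC
# TXT record that applies the tag defaults from the list above.
# Assumption: the record text has already been fetched from the
# _dmarc.<domain> TXT record; the DNS lookup itself is out of scope here.
from typing import Dict, List, Union

POLICY_VALUES = {"none", "quarantine", "reject"}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
            "rf": "afrf", "ri": "86400"}


def _split_uris(value: str) -> List[str]:
    """rua/ruf hold a comma-separated list of mailto: URIs
    (an optional '!size' suffix such as mailto:a@x.com!10m is allowed)."""
    uris = [u.strip() for u in value.split(",") if u.strip()]
    for u in uris:
        if not u.lower().startswith("mailto:"):
            raise ValueError(f"unsupported report URI: {u!r}")
    return uris


def parse_dmarc(record: str) -> Dict[str, Union[str, int, List[str]]]:
    """Parse and validate a DMARC record; raises ValueError on anything a
    receiver would refuse to honour."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is fine
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))  # tag names are case-insensitive

    # RFC 7489: v must be the first tag and its value is exactly "DMARC1"
    # (the value is case-sensitive; "v=dmarc1" is not a DMARC record).
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    names = [n for n, _ in tags]
    if len(names) != len(set(names)):
        raise ValueError("duplicate tag in record")
    raw = dict(tags[1:])
    if "p" not in raw:  # the RFC grammar places p right after v; strict receivers enforce that
        raise ValueError("p tag is required")

    merged = {**DEFAULTS, **raw}
    out: Dict[str, Union[str, int, List[str]]] = {}
    for key in ("p", "sp"):
        if key in merged and merged[key] not in POLICY_VALUES:
            raise ValueError(f"{key}={merged[key]!r} is not none/quarantine/reject")
    out["p"] = merged["p"]
    out["sp"] = merged.get("sp", merged["p"])  # absent sp: subdomains inherit p
    for key in ("adkim", "aspf"):
        if merged[key] not in ("r", "s"):
            raise ValueError(f"{key} must be r or s")
        out[key] = merged[key]
    pct = int(merged["pct"])
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    out["pct"] = pct
    ri = int(merged["ri"])
    if ri <= 0:
        raise ValueError("ri must be a positive number of seconds")
    out["ri"] = ri
    fo = merged["fo"].split(":")  # options may be combined, e.g. fo=1:d:s
    if not set(fo) <= {"0", "1", "d", "s"}:
        raise ValueError("fo accepts only 0, 1, d and s")
    out["fo"] = fo
    out["rf"] = merged["rf"]
    out["rua"] = _split_uris(merged["rua"]) if "rua" in merged else []
    out["ruf"] = _split_uris(merged["ruf"]) if "ruf" in merged else []
    return out
```

The parser is deliberately strict about the two things that silently disable DMARC in practice: a record that does not start with the exact string v=DMARC1, and a missing p tag. Everything else falls back to the RFC defaults, so the returned dictionary always carries a complete policy.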

What Are DMARC Reports?

DMARC provides two types of reports to help domain owners monitor email activity:

  1. Aggregate Reports (RUA)

These are XML documents, usually sent once a day as a compressed (gzip or zip) attachment, that count how many messages from each sending IP address passed or failed SPF, DKIM and DMARC for your domain, and which disposition the receiver applied. They contain no message content. They help you understand your domain's overall authentication landscape and discover legitimate senders you have not yet authorized.

  2. Forensic (Failure) Reports (RUF)

These are more detailed reports sent for an individual message that fails DMARC. They include message headers, the sending source, and sometimes part of the content. They are useful for investigating individual failures or potential threats, but because of the privacy implications many receivers do not send them at all.

Enabling DMARC Reporting

To receive reports, you need to include rua (for aggregate) and ruf (for forensic) tags in your DMARC DNS record. Use email addresses where these reports should be delivered.

Example:

v=DMARC1; p=reject; rua=mailto:aggregate@example.com; ruf=mailto:forensic@example.com;

How Often Are DMARC Reports Sent?

  • Aggregate reports are usually sent once per day. You can request a different interval with the ri tag (in seconds); ri=86400 means daily. Receivers are only required to support daily reports and may ignore shorter intervals.
  • Failure reports may be sent in near real time or in batches, depending on the policies and resources of the receiving server, and many receivers do not send them at all.

Limitations of DMARC Reporting

  • Not all receiving servers send reports, even if you’ve requested them.
  • Privacy concerns may limit the detail or frequency of forensic reports.
  • Some reports may be delayed or lost due to technical or policy reasons.

Bottom line: Use DMARC reports as a helpful tool, but not the sole method for monitoring domain abuse.

Conclusion

DMARC is a critical tool in the fight against phishing and email spoofing. It allows domain owners to protect their brand, improve deliverability, and gain visibility into how their domain is being used. While it’s not a complete solution to all email security challenges, it’s a strong foundation—and a must-have for any organization serious about email protection.
