DMARC Explained: How it Works
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect email senders and recipients from spam, spoofing, and phishing. It addresses a shortcoming shared by SPF and DKIM: neither of them checks the domain it authenticates against the “From:” address that the recipient actually sees. A DMARC record requires that the “From:” domain match (align with) either the domain in the DKIM signature or the domain that SPF verified for the sender.
What does DMARC do?
Email authentication: DMARC ensures that only authorized senders can send email using a domain in the “From:” field of their messages.
Reporting: DMARC includes a reporting mechanism through which email receivers notify the domain owner whether the messages they received passed or failed authentication. Receivers send these reports to the address listed in the DMARC record, so the domain owner learns who is using the domain to send email. The reports are useful because they give domain owners full visibility, and therefore control, over who is permitted to send email on the domain’s behalf.
How does DMARC work?
When your domain is configured and set to an enforcement policy, email receivers will reject or quarantine any messages from senders not authorized by your enforcement policy.
When an email is received, the receiving server verifies it according to the authentication protocols the sending domain has published; the DMARC, SPF, and DKIM records complement each other. First, the receiver checks the sending IP address of the message against the domain’s SPF record, and validates the DKIM signature using the sender’s public key published in DNS.
After SPF and DKIM have been evaluated, DMARC checks alignment: the domain that passed SPF or DKIM must match the domain in the “From:” address.
If the email does not pass DMARC, receivers take action based on the policy in the domain owner’s DMARC record. The three policies that can be set in a DMARC record are p=none, p=quarantine (move to a spam folder), or p=reject (block delivery). When the policy is p=none, no action is taken on unauthenticated messages.
If the DMARC record includes a reporting address, the domain owner can then use the data returned by email receivers to understand who is sending email using their domain.
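The evaluation steps above, as an added example that is not part of the original article: a small Python model of what a receiving server does with a DMARC record. It parses the record’s tags, applies the relaxed or strict alignment modes (aspf/adkim) to the SPF-verified domain and the DKIM signing domain, falls back to the organizational domain’s record (and its sp= subdomain policy) when the exact “From:” domain has none, and returns the disposition. The DMARC records are constructed sample data held in a dict instead of DNS lookups, the organizational-domain logic is a toy (last two labels rather than the Public Suffix List), one DKIM signature is assumed, and pct= sampling is not applied.

```python
# Constructed sample DMARC records standing in for DNS TXT lookups of _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                   "rua=mailto:dmarc-reports@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into tags. Returns None unless v=DMARC1 and p= are present."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    # Alignment modes default to relaxed ("r") when the record omits them.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Toy organizational domain: the last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Strict ("s") alignment requires an exact match; relaxed ("r") only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def lookup_record(from_domain, records=SAMPLE_RECORDS):
    """Find the policy for a From: domain, falling back to its organizational domain.
    Returns (parsed_record, used_org_fallback)."""
    txt = records.get(from_domain.lower())
    if txt is not None:
        parsed = parse_dmarc_record(txt)
        if parsed:
            return parsed, False
    org = organizational_domain(from_domain)
    if org != from_domain.lower():
        txt = records.get(org)
        if txt is not None:
            parsed = parse_dmarc_record(txt)
            if parsed:
                return parsed, True
    return None, False


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   records=SAMPLE_RECORDS):
    """Return (dmarc_pass, disposition).

    spf_domain is the domain SPF checked (the envelope MAIL FROM domain); dkim_domain is the
    d= tag of the DKIM signature. DMARC passes when either identifier passed *and* is aligned
    with the From: domain. Disposition is 'none', 'quarantine', 'reject', or 'no-policy'.
    """
    record, used_fallback = lookup_record(from_domain, records)
    if record is None:
        return False, "no-policy"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # A failing message from a subdomain gets sp= if the org-domain record defines it.
    policy = record["sp"] if used_fallback and "sp" in record else record["p"]
    return False, policy


if __name__ == "__main__":
    # A forged message: From: example.com, SPF passed only for the sender's own domain,
    # DKIM signed by a subdomain, which strict adkim=s does not accept.
    print(evaluate_dmarc("example.com", "pass", "spammer.example.net", "pass", "mail.example.com"))
    # A legitimate message from a subdomain with no record of its own falls back to example.com.
    print(evaluate_dmarc("news.example.com", "pass", "news.example.com", "none", None))
```

Feeding the same message through the two sample records shows why the policy tag matters: the example.com record rejects the forged message outright, while example.org’s p=none returns a failing result with no enforcement, which is exactly the monitoring-only state a domain owner sits in until the reports justify moving to quarantine or reject.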
Implementing these email authentication protocols in your business helps receivers verify that an email claiming to come from your domain actually did, which improves the deliverability of your legitimate mail. Properly configuring DMARC tells mail servers how to evaluate messages that claim to be from your domain name, preventing both spoofing and phishing attacks that rely on a forged “From:” address.