chat
expand_more

What Is DMARC? How It Sends Secure Emails & Stops Spoofing

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a type of email authentication protocol that helps verify an email’s origins. Recipients can use DMARC to authenticate an email’s sending domain and domain owners can also ensure their domain isn’t used for email spoofing.

If DMARC is in place, receiving email servers will not deliver an incoming email until authenticating the sending domain.

DMARC helps protect domains from business email compromise and phishing attacks that use domain spoofing to trick victims. It essentially allows email senders and receivers to work together to improve email security, protecting organizations and users alike.

How Does DMARC Work?

DMARC aligns with DKIM and/or SPF authentication mechanisms. Domain owners can publish a DMARC record in the DNS for email servers to adhere to. It’s a text entry with domain policy specifications. Depending on specifications, once DKIM or SPF (or both) pass, DMARC authenticates, allowing an email server to verify a sending domain.

Domain owners can use DMARC to instruct servers:

  • Whether the domain uses DKIM, SPF, or both to send mail.

  • How to verify the From: field.

  • When to allow, quarantine, or reject an email.

  • How to report any actions.

  • What to do with a failure.

If a domain owner creates a DMARC record indicating that their emails are protected by DKIM or SPF, external servers will verify those records before delivering the email. If it doesn’t pass, the email server can assume it’s not from the purported domain, and reject it or quarantine it in the junk folder, depending on the DMARC specifications.

What Does DMARC Do?

DMARC authentication is an added layer of security and authentication in an email exchange. This is crucial as email scams grow in both frequency and scope of damage. DMARC helps prevent email spoofing, a common tactic cybercriminals use to send convincing phishing emails. This protects brands from harmful impersonations, and users from interacting with hard-to-detect scam emails. A convincing email spoof is extremely difficult for users to notice.

With DMARC authentication, email spoofing is considerably more difficult. Email servers can detect and quarantine spoofed emails from non-authenticated domains with more accuracy. It’s beneficial for both email senders and recipients.

A DMARC Record Example

A DMARC record is stored directly in a DNS as a TXT record. Here’s an example of what it looks like:

v=DMARC1;p=quarantine;pct=100;rua=mailto:dmarcexample@exampledomain.com

This example contains the following parameters:

  • v: Protocol version

  • p: Policy

  • pct: Percent of messages to filter

  • rua: Email address to send aggregate reports

The parameters in this DMARC report requests that recipients quarantine all non-aligned emails, sending an aggregate report to the email address.

There are various other tags and policies you can use to specify different actions.

DMARC Policies

  • None: Don’t restrict the email.

  • Quarantine: Deliver the email into a restricted location, like a junk folder.

  • Reject: Don’t deliver the email.

DMARC Tags

Beyond version (v), policy (p), percentage (pct), and (report email address) rua, there are a several other tags:

  • Subdomain policy (sp): The DKIM policy for any associated subdomains.

  • Failure reporting options (fo): Specifies how to create forensic reports.

  • ADKIM (adkim): Alignment mode for DKIM.

  • ASPF (aspf): Alignment mode for SPF.

  • Report format (rf): How to format the forensic report.

DMARC vs. DKIM vs. SPF

What’s the difference between DMARC, DKIM, and SPF? They’re all standard email authentication protocols that work together to safely deliver secure emails.

  • DKIM (DomainKeys Identified Mail) helps ensure sender addresses aren’t forged and emails aren’t altered in transit. DKIM affixes a digital signature linked to a domain name, so recipients can verify that the sender address is authorized by said domain.

  • SPF (Sender Policy Framework) specifies the mail server that domain owners use to send mail from. The receiving mail server can check it to verify that incoming mail comes from IP addresses that are authorized to send from said domain.

DMARC works with both DKIM and SPF to authenticate and deliver emails. Depending on DMARC specifications, servers will verify that DKIM and/or SPF are aligned. In short, they’re all separate but related authentication protocols.

Get the Latest Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email and collaboration application attacks with Abnormal.
See a Demo