
DMARC

Domain-based Message Authentication, Reporting, and Conformance - an email authentication protocol that builds on SPF and DKIM to prevent domain spoofing and phishing.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to give domain owners explicit control over what happens when an email fails authentication. While SPF and DKIM verify sender identity and message integrity respectively, DMARC adds a policy layer that tells receiving mail servers how to handle messages that fail those checks, and provides a reporting mechanism so domain owners can monitor authentication results across all mail sent on their behalf.

How DMARC Works

DMARC is published as a DNS TXT record on the _dmarc subdomain of the sending domain. When a receiving mail server gets an email, it performs three key steps:

  • Authentication: The server checks the message against SPF and DKIM as usual.
  • Alignment: DMARC requires that at least one of SPF or DKIM not only passes, but also aligns with the domain in the From: header. Alignment means the domain authenticated by SPF or DKIM matches (or is a subdomain of) the domain the end user sees as the sender. This closes the loophole where an attacker could pass SPF on their own domain while spoofing the visible From: address.
  • Policy enforcement: If neither SPF nor DKIM passes with alignment, the receiving server applies the policy specified in the DMARC record.

DMARC Policies

The DMARC record's p= tag defines the policy that receiving servers should apply to failing messages:

  • p=none: Monitor mode. No action is taken on failing messages, but reports are still generated. This is the recommended starting point for new deployments.
  • p=quarantine: Messages that fail DMARC are delivered to the recipient's spam or junk folder rather than the inbox.
  • p=reject: Messages that fail DMARC are rejected outright and never delivered. This is the strongest protection against domain spoofing.
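The three steps above (authenticate, check alignment, apply p=) and the policy values are easiest to see as a small receiver-side model. The block below is an added illustration, not code from AntiProxies or from any mail server: it parses a DMARC TXT record, tests whether the SPF and DKIM identifiers align with the From: domain under the record's adkim=/aspf= modes, and returns the disposition the policy calls for. The record string and domains are constructed (example.com is a reserved documentation domain), and the organizational-domain check is simplified to "last two labels" where real receivers consult the Public Suffix List.

```python
"""Model of a receiver's DMARC evaluation: parse the _dmarc TXT record,
test SPF/DKIM identifier alignment against the From: domain, and pick
the disposition. Simplified relative to RFC 7489 (no Public Suffix List,
no pct= sampling), but the alignment and policy logic has the real shape."""

# Constructed record as it might be published at _dmarc.example.com.
# example.com is a reserved documentation domain; this is not its real record.
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in the RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("v=DMARC1 is required")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment mode, same values
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate(record_txt, record_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain) -> dict:
    """Return the DMARC result and the disposition the policy calls for.

    spf_domain is the RFC5321.MailFrom domain that SPF evaluated;
    dkim_domain is the d= tag of a signature that verified.
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    # Failing mail: p= applies to the record's own domain, sp= to its subdomains.
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    return {"dmarc": "fail", "disposition": policy,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Legitimate mail: bounces use bounce.example.com, SPF passes, relaxed aspf aligns.
    print(evaluate(SAMPLE_RECORD, "example.com", "example.com",
                   "pass", "bounce.example.com", "none", None))
    # Spoofed From: where SPF passes only for an unrelated MailFrom domain.
    print(evaluate(SAMPLE_RECORD, "example.com", "example.com",
                   "pass", "unrelated.invalid", "none", None))
```

The second call is the loophole the Alignment step closes: SPF passes, but for a domain that does not align with the visible From:, so the message fails DMARC and the p=reject policy applies. With adkim=s, a signature from mail.example.com would likewise not align with a From: of example.com, which is why many deployments start with relaxed alignment.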

The Relationship with SPF and DKIM

DMARC does not replace SPF and DKIM - it depends on them. SPF validates that the sending server is authorized for the domain, and DKIM confirms the message has not been tampered with. DMARC adds the critical alignment requirement and a policy framework on top. For DMARC to pass, at least one of SPF or DKIM must both pass its own check and align with the From: domain. This means organizations must have properly configured SPF and DKIM records before DMARC can be effective.

Why DMARC Matters

Without DMARC, attackers can send emails that appear to come from your domain, even if you have SPF and DKIM configured. This is because without a DMARC policy, receiving servers have no instruction to reject unauthenticated messages. DMARC addresses this gap and provides several critical benefits:

  • Prevents domain spoofing: A p=reject policy stops phishing emails that impersonate your domain from reaching recipients.
  • Protects brand reputation: When customers receive phishing emails appearing to come from your domain, it erodes trust - even though you did not send them.
  • Improves deliverability: Major email providers like Google and Microsoft prioritize messages from domains with valid DMARC policies, reducing the chance that legitimate emails land in spam.
  • Reduces credential theft: By blocking spoofed emails, DMARC makes it harder for attackers to trick recipients into handing over login credentials.

DMARC Reporting

One of DMARC's most valuable features is its reporting mechanism, which gives domain owners visibility into how their domain is being used (and abused) across the global email ecosystem:

  • Aggregate reports (rua): XML reports sent daily by receiving mail servers summarizing authentication results - how many messages passed, failed, and from which IP addresses. These help you identify legitimate senders that need SPF/DKIM configuration and unauthorized sources attempting to spoof your domain.
  • Forensic reports (ruf): Detailed reports on individual messages that failed DMARC, including message headers. Not all providers send forensic reports due to privacy concerns, but they are useful for investigating specific spoofing incidents.

Regularly reviewing DMARC reports is essential for maintaining a healthy email infrastructure and catching spoofing attempts early.
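Aggregate reports arrive as XML, and the useful review is per source IP: which sources pass with alignment, which authenticate but do not align (a legitimate third-party sender that still needs aligned SPF or DKIM), and which are entirely unauthenticated. The block below is an added example, not AntiProxies' code or any provider's tooling; the report is constructed in the RFC 7489 aggregate-report shape with documentation-range IP addresses and a made-up report_id, and the three categories are this example's own labels.

```python
"""Summarize a DMARC aggregate (rua) report by source IP. Added example;
the XML below is constructed in the RFC 7489 report shape, not a report
any provider actually sent."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def classify(record) -> str:
    """policy_evaluated carries the *aligned* results; auth_results the raw ones."""
    aligned = {_text(record, "row/policy_evaluated/dkim"),
               _text(record, "row/policy_evaluated/spf")}
    if "pass" in aligned:
        return "aligned_pass"
    raw = [_text(r, "result") for r in
           record.findall("auth_results/dkim") + record.findall("auth_results/spf")]
    if "pass" in raw:
        return "misaligned_authenticated"   # real sender that needs aligned SPF/DKIM
    return "unauthenticated"               # unknown source: candidate spoofing


def summarize_aggregate_report(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "total": 0, "passed": 0, "failed": 0, "sources": [],
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        category = classify(rec)
        summary["total"] += count
        summary["passed" if category == "aligned_pass" else "failed"] += count
        summary["sources"].append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": count,
            "header_from": _text(rec, "identifiers/header_from"),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "category": category,
        })
    summary["sources"].sort(key=lambda s: s["count"], reverse=True)
    return summary


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}) reported by {s['reporter']}: "
          f"{s['passed']}/{s['total']} messages passed DMARC")
    for src in s["sources"]:
        print(f"  {src['source_ip']:<15} {src['count']:>5}  {src['category']}")
```

In the constructed report every disposition is "none" because the published policy is p=none: the 40 messages from the misaligned bulk sender are the ones to fix before moving to quarantine, and the 300 unauthenticated messages are the ones that a stricter policy would start filtering.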

Implementation Steps

A safe DMARC rollout follows a gradual enforcement approach:

  • Step 1: Ensure SPF and DKIM are correctly configured for all legitimate sending sources (transactional email services, marketing platforms, corporate mail servers).
  • Step 2: Publish a DMARC record with p=none and a rua address to start collecting aggregate reports without affecting mail delivery.
  • Step 3: Analyze reports over several weeks to identify any legitimate senders not covered by SPF/DKIM, and fix their configuration.
  • Step 4: Move to p=quarantine to begin filtering unauthenticated messages to spam.
  • Step 5: Once confident that all legitimate mail passes, enforce p=reject for full protection.

DMARC in the Broader Email Security Context

DMARC protects your domain's outbound reputation, but a comprehensive email security strategy also needs to address inbound threats at the point of user registration. AntiProxies complements DMARC by providing email verification and disposable email detection at sign-up, ensuring that accounts are created with legitimate, permanent email addresses. While DMARC stops attackers from impersonating your domain, AntiProxies stops attackers from using throwaway identities to abuse your platform. Together, they form a complete email security chain - protecting both your domain's reputation and your user base. To learn more about why email validation is critical for growing platforms, read why every SaaS eventually builds email validation.
