DMARC
What is DMARC?
An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM authentication together with the aligned-domain check.
Domain-based Message Authentication, Reporting and Conformance (DMARC), specified in RFC 7489, builds on SPF (RFC 7208) and DKIM (RFC 6376) by requiring identifier alignment between the From: domain and the SPF or DKIM authenticated domain. Domain owners publish a TXT record at _dmarc.example.com with a policy (p=none, quarantine, or reject), subdomain handling, alignment mode, percentage, and reporting URIs (rua, ruf). Receivers send aggregate (RFC 7489) and forensic (RFC 6591) reports that operators analyze to fix legitimate sources before enforcing reject. DMARC stops most direct domain spoofing, supports BIMI, and is required by Yahoo and Google bulk-sender rules adopted in 2024.
● Examples
- 01: Publishing v=DMARC1; p=reject; rua=mailto:dmarc@example.com to enforce strict authentication for example.com.
- 02: Using aggregate XML reports to discover and authenticate a forgotten marketing platform before moving from p=none to p=reject.
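The record syntax and the alignment and policy logic described above, as an added example that is not part of the original glossary page: a small Python evaluator that parses a DMARC TXT record (the record is assumed to have already been fetched from _dmarc.&lt;domain&gt; and to be published at the organizational domain) and returns the disposition for one message given the domains that passed SPF and DKIM. The organizational-domain helper is a deliberate simplification (last two labels); real receivers use the Public Suffix List.

```python
def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")     # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is set
    return tags


def org_domain(domain: str) -> str:
    # Simplified organizational domain (last two labels); real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str, spf_domain=None, dkim_domain=None, sample=0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    spf_domain / dkim_domain: the domain that passed SPF (MAIL FROM) / DKIM (d=), or None.
    sample: a constructed 0-99 draw used to honour pct=; the record is assumed to sit at the org domain.
    """
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    # A From: subdomain of the org domain falls under sp=, the org domain itself under p=.
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    if sample >= int(tags["pct"]):
        # Message not selected by pct=: RFC 7489 says apply the next-less-strict policy.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy
```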
● Frequently asked questions
What is DMARC?
An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM authentication together with the aligned-domain check. It belongs to the Network Security category of cybersecurity.
What does DMARC mean?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance: an email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM authentication together with the aligned-domain check.
How does DMARC work?
Domain-based Message Authentication, Reporting and Conformance (DMARC), specified in RFC 7489, builds on SPF (RFC 7208) and DKIM (RFC 6376) by requiring identifier alignment between the From: domain and the SPF or DKIM authenticated domain. Domain owners publish a TXT record at _dmarc.example.com with a policy (p=none, quarantine, or reject), subdomain handling, alignment mode, percentage, and reporting URIs (rua, ruf). Receivers send aggregate (RFC 7489) and forensic (RFC 6591) reports that operators analyze to fix legitimate sources before enforcing reject. DMARC stops most direct domain spoofing, supports BIMI, and is required by Yahoo and Google bulk-sender rules adopted in 2024.
How do you deploy DMARC?
Deployment combines technical controls (an aligned SPF record and DKIM signing for every legitimate sending source, plus the _dmarc TXT record) with operational practice (starting at p=none, reviewing the aggregate and forensic reports, and only then moving to quarantine and reject), as detailed in the full definition above.
What are other names for DMARC?
Common alternative names include: Domain-based Message Authentication, Reporting and Conformance.
● Related terms
- SPF (Sender Policy Framework) [network security]: An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM.
- DKIM [network security]: An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
- BIMI [network security]: An email standard that lets domain owners display a verified brand logo next to authenticated messages in supporting clients, conditional on a DMARC policy of quarantine or reject.
- Email Spoofing [attacks]: Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.
- Business Email Compromise [attacks]: A targeted fraud in which an attacker impersonates or takes over a corporate mailbox to trick an employee into wiring money, changing payment details, or sending sensitive data.
- Secure Email Gateway [network security]: A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
● See also
- MTA-STS
- ARC (Authenticated Received Chain)
- Greylisting
- DNS Blocklist (DNSBL)