How to Explain DMARC in Plain English

Posted by Matt Moorehead on

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the latest and greatest advance in email authentication. But, like SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail), it’s sometimes misunderstood. That’s why we’re dedicating the last post of our three-part email authentication series to explaining how it works, and why it matters.

What it is: DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards, and that fraudulent activity appearing to come from domains under the organization’s control (active sending domains, non-sending domains, and defensively registered domains) is blocked. Two key values of DMARC are domain alignment and reporting.

How it works: DMARC’s alignment feature prevents spoofing of the “header from” address by:

  1. Matching the “header from” domain name with the “envelope from” domain name used during an SPF check, and
  2. Matching the “header from” domain name with the “d= domain name” in the DKIM signature.


To pass DMARC, a message needs at least one of two results: SPF authentication together with SPF alignment, or DKIM authentication together with DKIM alignment. A message fails DMARC only when both legs fail, that is, when (1) SPF or SPF alignment fails and (2) DKIM or DKIM alignment fails.

DMARC allows senders to instruct email providers on how to handle unauthenticated mail via a DMARC policy, removing any guesswork on how they should handle messages that fail DMARC authentication. Senders can either:

  • Monitor all mail, to understand their brand’s email authentication ecosystem, and ensure legitimate mail is authenticating properly without interfering with the delivery of messages that fail DMARC
  • Quarantine messages that fail DMARC (e.g., move to the spam folder)
  • Reject messages that fail DMARC (e.g., don’t deliver the mail at all)
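The alignment rules and the pass/fail logic described above, plus the policy choice from the list, as an added worked example (this is not code from the original post or from Return Path). It parses a DMARC TXT record, checks each leg (SPF with envelope-from alignment, DKIM with d= alignment) and applies the p= policy to failures. It goes slightly beyond the post by supporting the two alignment modes from RFC 7489, "relaxed" (same organizational domain) and "strict" (exact match); the organizational-domain lookup is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List. All domain names and the record below are constructed sample values.

```python
"""Added example: minimal DMARC alignment and policy evaluation (not the post's code)."""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real evaluators consult the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Is the authenticated domain aligned with the visible header-from domain?
    mode "s" = strict (exact match), anything else = relaxed (same org domain)."""
    if not auth_domain:
        return False
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'.
    Only v, p, adkim and aspf are used here; sp= and pct= are not handled."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # RFC 7489 defaults: relaxed alignment for both identifiers.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


@dataclass
class AuthResult:
    """What the receiver already knows after running SPF and DKIM (assumed inputs)."""
    header_from: str               # domain of the visible "header from" address
    spf_result: str                # "pass", "fail", ... from the SPF check
    envelope_from: Optional[str]   # MAIL FROM domain the SPF check was run against
    dkim_result: str               # "pass", "fail", "none" from DKIM verification
    dkim_d: Optional[str]          # d= tag of the DKIM signature, if one was present


def evaluate_dmarc(result: AuthResult, record: dict) -> dict:
    """Apply the post's rule: pass if (SPF pass AND aligned) OR (DKIM pass AND aligned).
    The p= policy only applies to messages that fail."""
    spf_ok = result.spf_result == "pass" and aligned(
        result.header_from, result.envelope_from, record["aspf"])
    dkim_ok = result.dkim_result == "pass" and aligned(
        result.header_from, result.dkim_d, record["adkim"])
    dmarc_pass = spf_ok or dkim_ok
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": "none" if dmarc_pass else record["p"],
    }


if __name__ == "__main__":
    # Constructed sample: a spoof whose SPF passes for the attacker's own
    # bounce domain but whose header-from is the protected brand domain.
    rec = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    spoof = AuthResult("example.com", "pass", "bounce.unrelated.example", "none", None)
    print(evaluate_dmarc(spoof, rec))
```

The spoof case is the one the post describes: a raw SPF pass for an unaligned envelope-from domain does not help the sender, so the message fails DMARC and the published policy (here reject) applies. Switching `aspf=s` makes a subdomain bounce address such as `bounce.example.com` fail alignment too, which is why many senders start in monitor mode before tightening.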

Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving them visibility into what messages are authenticating, what messages are not, and why.
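To show what the aggregate reports mentioned above actually give a sender, here is an added example (not from the original post) that rolls up a constructed RFC 7489 aggregate (rua) report by sending IP. The XML below is a hand-written sample in the standard schema, not a real report; the org name, report id, IPs and counts are all made up. The point it illustrates is that `<policy_evaluated>` records the aligned SPF/DKIM results the receiver used for its DMARC verdict, while `<auth_results>` records the raw results, so a source can show a raw SPF pass and still fail DMARC.

```python
"""Added example: summarizing a DMARC aggregate report (not the post's code)."""
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate-report schema.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>sample-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated>
        <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Roll up one aggregate report by source IP with pass/fail volumes."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "failing": 0,
        "by_source": {},
    }
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # Aligned results, as used for the DMARC verdict.
        aligned_dkim = rec.findtext("row/policy_evaluated/dkim")
        aligned_spf = rec.findtext("row/policy_evaluated/spf")
        dmarc = "pass" if "pass" in (aligned_dkim, aligned_spf) else "fail"
        summary["by_source"][ip] = {
            "count": count,
            "dmarc": dmarc,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            # Raw SPF outcome and the domain it was evaluated for (may be unaligned).
            "raw_spf": rec.findtext("auth_results/spf/result"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "header_from": rec.findtext("identifiers/header_from"),
        }
        summary["total"] += count
        if dmarc == "fail":
            summary["failing"] += count
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['failing']}/{s['total']} messages failed DMARC")
    for ip, row in s["by_source"].items():
        print(ip, row)
```

In the sample, 198.51.100.7 sent 35 messages with a raw SPF pass for `unrelated.example`, but because that domain is not aligned with the `example.com` header-from, the aligned SPF result is `fail`, DMARC fails, and the published quarantine policy was applied. This is exactly the view a sender uses during the monitor phase to find legitimate third-party senders that need DKIM signing or an aligned return-path before moving to quarantine or reject.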

Why it matters: DMARC is the first and only widely deployed technology that can make the “header from” address (what users see in their email clients) trustworthy. Not only does this help protect customers and the brand, it discourages cybercriminals, who are less likely to go after a brand with a DMARC record.

Ready to get started with DMARC? Here’s your guide.


About Matt Moorehead

Matt Moorehead is a Strategic Project Manager for Return Path's Email Fraud Protection team. He works closely with top brands on technical and strategic initiatives to eliminate the impact of email fraud. In his spare time you can find Matt on the golf course or the ski slopes. Connect with him on LinkedIn @Matt Moorehead, IMBA, or @mattmooreheadRP on Twitter.