A DMARC record, short for Domain-based Message Authentication, Reporting, and Conformance record, is a Domain Name System (DNS) TXT record that specifies how receiving mail servers should handle emails from a domain that fail Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) checks. It also provides instructions for reporting authentication results.
What Is a DMARC Record?
A DMARC record is a policy published in DNS that tells receiving mail servers how to treat messages that do not align with SPF and DKIM authentication. It works as an additional security layer to prevent email spoofing, phishing, and unauthorized use of your domain.
DMARC provides three main functionalities:
- Policy enforcement: Instructs mail servers to allow, quarantine, or reject emails that fail SPF and DKIM alignment
- Alignment check: Makes sure that the "From" address in the email header matches the domain used in SPF or DKIM
- Reporting: Sends aggregated or forensic reports about authentication results to domain owners
The DMARC record is stored as a TXT record in DNS and typically includes parameters like:
- v= For version
- p= For policy (none, quarantine, or reject)
- rua= For aggregate report addresses
- ruf= For forensic report addresses
How Does a DMARC Record Work?
The DMARC process includes:
- Email received: The recipient server checks the domain’s DMARC record
- Authentication verification: The server confirms SPF and DKIM status and whether they align with the domain in the email's "From" header
- Policy application: Based on the DMARC record, the server takes one of three actions:
  - p=none: No enforcement, just reporting
  - p=quarantine: Deliver to spam or junk folder
  - p=reject: Block the email entirely
- Report generation: Authentication results are sent to the addresses specified in the DMARC record
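The steps above can be sketched as a small receiver-side evaluator. This is an added example, not code from the original page: the function names are hypothetical, SPF and DKIM results are assumed to have been computed already, and domains are compared exactly (real receivers can also apply a looser, organizational-domain comparison).

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if unusable."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags["p"] = tags["p"].lower()
    return tags


def _same(a, b):
    # Exact, case-insensitive domain match (assumption: no relaxed alignment).
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (passed, authenticated_domain) tuples from earlier checks."""
    tags = parse_dmarc(record)
    # DMARC passes if at least one mechanism both passes and aligns with From.
    aligned = any(ok and _same(dom, from_domain) for ok, dom in (spf, dkim))
    # On failure the published policy decides; p=none still delivers.
    action = "deliver" if aligned else {"none": "deliver"}.get(tags["p"], tags["p"])
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"dmarc": "pass" if aligned else "fail", "action": action, "report_to": reports}


# Record taken from this page's FAQ; the message details below are constructed.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # SPF passes, but for the sending service's own domain, so it does not align.
    print(evaluate(RECORD, "example.com", (True, "bounce.mailer.test"), (False, "")))
    # DKIM passes with a signature for the From domain, so DMARC passes.
    print(evaluate(RECORD, "example.com", (True, "bounce.mailer.test"), (True, "example.com")))
```

The first case is the one that most often surprises domain owners during monitoring: a third-party sender passes SPF for its own bounce domain, yet the message still fails DMARC because nothing aligns with the "From" domain.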
Why Is a DMARC Record Important?
DMARC records are critical for:
- Preventing spoofing and phishing: Blocks fraudulent emails sent using your domain
- Protecting brand reputation: Reduces the risk of your domain being exploited by attackers
- Improving deliverability: Internet service providers (ISPs) trust authenticated domains, leading to better inbox placement
- Providing visibility: Reports help you monitor who is sending emails on behalf of your domain
Failure to implement DMARC can leave your domain vulnerable to abuse, leading to security breaches and trust issues with your recipients.
Common Use Cases
DMARC records are commonly used for:
- Email security enforcement: Applying strict reject policies for unauthorized emails
- Compliance: Meeting authentication requirements for regulated industries
- Monitoring third-party senders: Ensuring that authorized services pass SPF and DKIM checks
- Phased policy rollout: Starting with p=none to monitor, then moving to quarantine and reject for full enforcement
Example scenario: A company implements DMARC to protect against phishing attacks targeting its customers. Initially, it uses p=none for monitoring, then gradually enforces quarantine and reject as SPF and DKIM configurations stabilize.
FAQs About DMARC Record
What does a DMARC record look like?
A typical DMARC record might be: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com
Can I use DMARC without SPF or DKIM?
No. DMARC relies on at least one of these protocols for authentication.
Does DMARC improve deliverability?
Yes. While it doesn’t guarantee inbox placement, strong authentication helps reduce spam filtering.