Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an authentication policy that is published in the DNS and tells receivers what to do with unauthenticated email. DMARC uses a short entry in a domain's DNS zone file. Because DMARC-style alignment is widely used as a spam-filtering metric, publishing a basic DMARC policy should be a top priority.
What is DMARC?
- Allows senders to specify what actions they want a mailbox provider to take with unauthenticated email.
- Allows senders to request aggregated and anonymized data from ISPs about email that claims to be from their domains.
- Creates a way for ISPs to supply data in a standardized format. A standard format allows domain owners to monitor spoofing of their domains and make informed decisions about how to handle spoofing. This action is attractive for commonly phished businesses such as banks, payment systems, and social media.
DMARC does not allow senders to bypass spam filters.
DMARC-style alignment is used as a spam-filtering metric. Senders should make it a top priority to sign their email with DKIM and SPF, align the email correctly, and publish a basic DMARC policy.
An email must come from the domain that it says it comes from. DMARC alignment occurs when either the return path or the DKIM
d= value is in the same domain space as the "friendly from" address.
In DMARC alignment, a message must pass:
- SPF authentication and SPF alignment
For SPF alignment,
RETURN-PATHmust match the
- DKIM authentication and DKIM alignment
For DKIM alignment,
d= valuemust match
- Both SPF and DKIM authentication and alignment
For more information about DMARC policies, see the following websites: