
What is DMARC and How to Set It Up for Your Organization?



What is DMARC?

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication, policy, and reporting protocol that protects against email spoofing, phishing, and other email-based attacks.

It works by authenticating the sender of inbound emails to verify they are legitimate and authorized to use your domain name in the email’s “From:” address. This prevents spoofing, where cybercriminals forge the “From:” email address to impersonate your brand and launch phishing campaigns against your customers.

DMARC accomplishes this by aligning the email’s “From:” domain name with the domain names found in the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication mechanisms.

If the domains don’t match, then the email fails DMARC authentication, and your policy determines what happens to that email – whether it gets delivered, quarantined, or rejected.

Key Takeaways

  • DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, an email validation system that authenticates inbound email.
  • It detects email spoofing to prevent phishing and verifies that the sender is authorized to use your domain name.
  • DMARC has 3 policy levels – none, quarantine, and reject – that determine what happens to unauthenticated email.
  • To set up DMARC, you need to create DMARC DNS TXT records and start receiving aggregate and forensic reports.
  • Gradually moving from monitoring to quarantine and rejecting policies is the best practice for DMARC deployment.
  • DMARC protects your brand, improves email deliverability, and provides visibility into fraudulent use of your domain.

How Does DMARC Authentication Work?

The DMARC authentication process involves three key steps:

  • SPF Alignment: DMARC first checks that the domain in the “From:” address matches the SPF domains authorized to send email for your organization. This verifies that the sender is allowed to use your domain name.
  • DKIM Alignment: Next, DMARC validates that the DKIM signature domain in the email aligns with your authorized domains. This proves that the email content, including the “From:” domain, has not been altered.
  • DMARC Policy Check: Finally, the DMARC policy on your domain is checked to determine the action. For emails that fail SPF or DKIM alignment, your reject, quarantine, or monitor policy will be enforced.

Aligning the SPF and DKIM domains confirms the sender is authorized and the email is valid. If any part fails, DMARC will detect the email as spoofed and fraudulent.
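The three steps above, worked through in code. This is an added example, not code from the article: a simplified DMARC evaluator that takes the SPF and DKIM verdicts a receiver already has, applies identifier alignment against the "From:" domain, and then applies the published policy. It also implements the pct sampling discussed later in the article under DMARC Policy Percentage. The organizational-domain derivation is an assumption simplified to the last two DNS labels; real receivers use the Public Suffix List.

```python
"""Added example (not the article's code): a simplified DMARC evaluator.

Takes the SPF and DKIM results a receiver already has, applies the identifier
alignment test against the RFC5322.From domain, then applies the published
policy and pct sampling. Organizational-domain derivation is simplified to
the last two DNS labels; real receivers use the Public Suffix List.
"""
import random
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplification (assumption): last two labels, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r')
    accepts any domain with the same organizational domain as From:."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str            # domain in the RFC5322 "From:" header
    spf_pass: bool              # SPF verdict for the envelope (MAIL FROM) domain
    spf_domain: Optional[str]   # the envelope domain SPF was checked against
    dkim_pass: bool             # at least one DKIM signature verified
    dkim_domain: Optional[str]  # d= tag of that signature


@dataclass
class Policy:
    p: str = "none"     # none | quarantine | reject
    pct: int = 100      # share of failing mail the policy applies to
    adkim: str = "r"    # DKIM alignment mode: r(elaxed) | s(trict)
    aspf: str = "r"     # SPF alignment mode


def dmarc_pass(res: AuthResults, pol: Policy) -> bool:
    """DMARC passes when at least one of SPF or DKIM both passes and aligns."""
    spf_ok = res.spf_pass and aligned(res.from_domain, res.spf_domain, pol.aspf)
    dkim_ok = res.dkim_pass and aligned(res.from_domain, res.dkim_domain, pol.adkim)
    return spf_ok or dkim_ok


def disposition(res: AuthResults, pol: Policy, roll: Optional[int] = None) -> str:
    """Action for one message: 'pass', 'none', 'quarantine' or 'reject'.

    pct sampling: a failing message is subject to the policy only when a
    0-99 roll is below pct; otherwise the next-lower policy applies
    (reject -> quarantine, quarantine -> none), as RFC 7489 describes.
    """
    if dmarc_pass(res, pol):
        return "pass"
    if pol.p == "none":
        return "none"
    if roll is None:
        roll = random.randrange(100)   # a fixed roll can be passed in for tests
    if roll < pol.pct:
        return pol.p
    return "quarantine" if pol.p == "reject" else "none"


if __name__ == "__main__":
    # Constructed scenario: envelope domain is a bounce subdomain, no DKIM signature.
    legit = AuthResults("example.com", True, "bounce.example.com", False, None)
    # Constructed scenario: spoofed From: domain, attacker authenticates their own domain.
    spoof = AuthResults("example.com", True, "attacker.example", True, "attacker.example")
    print(disposition(legit, Policy(p="reject")))   # pass (relaxed SPF alignment)
    print(disposition(spoof, Policy(p="reject")))   # reject
```

The second constructed scenario is the one DMARC exists for: SPF and DKIM both "pass" for the attacker's own domain, but neither identifier aligns with the "From:" domain, so the message fails DMARC regardless.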

Key Benefits of DMARC

Here are some of the key benefits organizations can achieve by deploying DMARC for email authentication:

  • Prevents email spoofing: DMARC blocks spoofed emails that fraudulently use your domain in the “From:” address. This protects your customers and brand reputation.
  • Stops phishing: DMARC authentication prevents phishing campaigns that impersonate your domain in the sender address to target your customers.
  • Improves inbox deliverability: Emails that pass DMARC and SPF/DKIM have higher inbox placement rates and avoid the spam folder.
  • Provides visibility: DMARC aggregate and forensic reports give visibility into misuse of your domain for spoofing.
  • Enhances security: Implementing DMARC improves your overall email security posture and defense against email threats.
  • Protects brand reputation: DMARC protects customers from being deceived by fraudulent emails pretending to come from your brand.

DMARC Record Syntax

To implement DMARC, you publish a DMARC DNS TXT record for your root domain in public DNS, like this:

_dmarc IN TXT "v=DMARC1; p=none; pct=100; ruf=mailto:dmarc-reports@example.com; rua=mailto:dmarc-aggr@example.com"

This DMARC record has the following syntax:

  • v=DMARC1: The DMARC version: always DMARC1.
  • p=none: The DMARC policy: none, quarantine, or reject.
  • pct=100: Percentage of failing mail the policy applies to (100 = all of it).
  • ruf=: Address to receive DMARC failure reports.
  • rua=: Address for DMARC aggregate reports.

The policy and reporting addresses are the key components for enforcing DMARC and gaining visibility into how your domain is being used for sending emails.

DMARC Record Example

Here is an example DMARC TXT record that enforces a reject policy and sends reports to the security team:

_dmarc IN TXT "v=DMARC1; p=reject; pct=100; ruf=mailto:dmarc-fail@example.com; rua=mailto:dmarc-aggr@example.com"

This record tells receiving mail servers to reject any emails from the ‘example.com’ domain that fail DMARC authentication and send reports to the specified addresses.

The aggregate reports go to 'dmarc-aggr@example.com' and give high-level analytics about DMARC pass/fail stats. The failure reports to 'dmarc-fail@example.com' contain details of specific messages that failed DMARC for further analysis.

DMARC Record Creation and Deployment

Follow these steps to create and publish your DMARC DNS TXT record:

  • Decide on a policy: Choose none, quarantine, or reject based on your risk tolerance. Most organizations start with the none or monitor-only policy.
  • Set up reporting: Configure ruf and rua tags with inboxes to receive DMARC reports and gain visibility.
  • Create TXT record: Fill in the DMARC record with the syntax for your domain, including the policy, reporting, and other tags.
  • Add to DNS: Add the TXT record for your domain (e.g., _dmarc.example.com) to public DNS. This can be done through your domain registrar or DNS host.
  • Deploy & monitor: Roll out DMARC with a small percentage initially, such as pct=10 (10% of failing mail). Monitor aggregate reports and increase coverage over time.
  • Tighten policy: Once you have good visibility into DMARC failures, start tightening the policy from none to quarantine or reject.

Be sure to follow DMARC publishing best practices, such as publishing the record at the _dmarc label of your domain (_dmarc.example.com) and increasing the policy percentage gradually over several weeks. This ensures a smooth deployment without breaking legitimate mail.
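The record-creation steps above, as an added example (not the article's or any vendor's code): a small Python helper that assembles a DMARC TXT record from its tags, parses one back, and lints it for the mistakes that most often leave a domain unprotected or unreported (v=DMARC1 not first, missing p=, a pct value with a % sign, report addresses that are not mailto: URIs, no rua= at all). The organizational-domain comparison is a simplification (last two labels) and is an assumption of this example.

```python
"""Added example (not the article's code): build, parse and lint a DMARC TXT
record. Organizational-domain matching is simplified to the last two labels."""
import re
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels; real tools use the Public Suffix List
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def build_record(p: str, rua: List[str], ruf: List[str] = (), pct: int = 100,
                 sp: Optional[str] = None, adkim: str = "r", aspf: str = "r") -> str:
    """Assemble the record text; v=DMARC1 must come first, p second."""
    parts = ["v=DMARC1", f"p={p}"]
    if sp:
        parts.append(f"sp={sp}")             # policy for subdomains, if different
    parts.append(f"pct={pct}")
    if rua:
        parts.append("rua=" + ",".join(f"mailto:{a}" for a in rua))
    if ruf:
        parts.append("ruf=" + ",".join(f"mailto:{a}" for a in ruf))
    parts += [f"adkim={adkim}", f"aspf={aspf}"]
    return "; ".join(parts)


def parse_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_record(txt: str, domain: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the record looks sane."""
    problems: List[str] = []
    tags = parse_record(txt)
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0].lower() != "v=dmarc1":
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("missing required p= policy tag")
    elif tags["p"] not in VALID_POLICIES:
        problems.append(f"unknown policy p={tags['p']}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy sp={tags['sp']}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100 (no % sign)")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag} must be r or s")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not MAILTO.fullmatch(uri):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
            elif domain and org_domain(uri.split("@", 1)[1]) != org_domain(domain):
                # RFC 7489 section 7.1: reports sent to another organization need a
                # verification record at <domain>._report._dmarc.<report-domain>
                report_domain = uri.split("@", 1)[1]
                problems.append(
                    f"{tag} goes to a different organization; publish "
                    f"{domain}._report._dmarc.{report_domain} TXT \"v=DMARC1\"")
    return problems


if __name__ == "__main__":
    record = build_record("none", ["dmarc-aggr@example.com"], ["dmarc-reports@example.com"])
    print(record)
    print(lint_record(record, domain="example.com"))                      # []
    print(lint_record("v=DMARC1; p=none; pct=10%; rua=mailto:a@example.com"))
```

Run the linter against the record before you paste it into DNS; the pct check in particular catches the "pct=10%" form, which receivers treat as an invalid tag.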

DMARC Reporting

DMARC relies on receiving regular aggregate and failure reports to provide visibility into how your domain is being used to send emails. These reports are essential for monitoring DMARC effectiveness and identifying fraudulent use of your domain.

There are two types of DMARC reports:

Aggregate Reports

Aggregate reports provide rolled-up statistics on the number of emails that passed or failed DMARC authentication.

They are sent daily or weekly to the rua email address specified in the DMARC record. Aggregate reports help reveal:

  • DMARC policy coverage: Percentage of total mail that is subject to the DMARC policy.
  • Authentication rates: Percentage of emails that passed or failed SPF and DKIM alignment.
  • Policy actions: Number of messages that were rejected, quarantined, or monitored.
  • Source IPs: Top sender IP addresses for mail that failed DMARC.
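To show what those four items look like when pulled out of a real report, here is an added example (not the article's code) that parses the XML aggregate-report format with Python's standard library and rolls it up into pass/fail volume, dispositions and failing source IPs. The embedded report is constructed for this example in the RFC 7489 Appendix C layout, with documentation IP ranges and made-up domains; the reporter name, report id and counts are assumptions.

```python
"""Added example (not the article's code): parse a DMARC aggregate (rua) XML
report and summarise pass/fail volume, dispositions and failing source IPs.
The report below is constructed for this example in the RFC 7489 Appendix C
layout; the IPs come from documentation ranges."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Any, Dict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>7</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> Dict[str, Any]:
    """Roll up one aggregate report. policy_evaluated/dkim and /spf hold the
    *aligned* results, so DMARC passes when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    pub = root.find("policy_published")
    summary: Dict[str, Any] = {
        "reporter": meta.findtext("org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "total": 0, "passed": 0, "failed": 0,
        "dispositions": Counter(),           # disposition -> message count
        "failing_sources": Counter(),        # source IP -> failing message count
        "unaligned_spf_domains": Counter(),  # raw SPF domains seen on failures
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary["total"] += count
        summary["dispositions"][evaluated.findtext("disposition")] += count
        if passed:
            summary["passed"] += count
            continue
        summary["failed"] += count
        summary["failing_sources"][row.findtext("source_ip")] += count
        auth = rec.find("auth_results")   # only the raw results, not policy_evaluated
        for spf in (auth.findall("spf") if auth is not None else []):
            summary["unaligned_spf_domains"][spf.findtext("domain")] += count
    return summary


def pass_rate(summary: Dict[str, Any]) -> float:
    """Share of messages that passed DMARC; 0.0 for an empty report."""
    return summary["passed"] / summary["total"] if summary["total"] else 0.0


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} -> {s['domain']} (p={s['policy']}): "
          f"{s['passed']}/{s['total']} passed, {pass_rate(s):.1%}")
    for ip, n in s["failing_sources"].most_common():
        print(f"  failing source {ip}: {n} messages")
```

Note the second record: DKIM failed but SPF passed and aligned (bounce.example.com shares the organizational domain under relaxed alignment), so it still counts as a DMARC pass. The third record is the one to investigate: the SPF domain that passed is not yours at all, which is the signature of a spoofing attempt rather than a misconfigured sender.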

Forensic Reports

Forensic reports contain detailed sample data on individual email messages that failed DMARC authentication.

They are sent to the ruf email address for every policy failure. Forensic reports provide:

  • Email headers: The full headers of messages that failed DMARC can be analyzed.
  • Failure details: Identify the specific reason the message failed: SPF, DKIM, or both.
  • Source: Determine the originating IP address of the failing message.

Forensic reports help your security team research incidents and identify sources of email fraud. The sample emails can also be used to refine SPF and DKIM alignment.

DMARC Policy Options

DMARC policies determine what action is taken on email that fails DMARC authentication:

None (p=none)

  • Email is delivered as normal.
  • Failing mail is only reported, not quarantined or rejected.
  • Used to monitor without impacting mail flow.

Quarantine (p=quarantine)

  • Email is routed to the spam or junk folder.
  • End users can still access the email if needed.
  • Warns users about unauthenticated mail.
  • Minimizes harm of phishing emails.

Reject (p=reject)

  • Email is rejected at the SMTP level if DMARC fails.
  • The message is bounced back to the sending server.
  • Provides the strongest protection against phishing.
  • This can cause some legitimate mail to be blocked.

The reject policy provides the strongest protection, as fraudulent emails are completely blocked. However, some valid emails may also get rejected if the authentication mechanisms are not fully aligned.

That’s why it’s recommended to increase the DMARC policy over time gradually:

  • Start with p=none to monitor without affecting mail flow.
  • Move to p=quarantine to reroute failures to the spam folder.
  • Finally, shift to p=reject when you have high SPF & DKIM alignment.

Monitor reports at each stage to minimize impact and ensure legitimate mail gets through.

DMARC Policy Percentage

The DMARC pct= value determines what percentage of mail that fails DMARC is subject to the policy.

  • pct=100 means the policy is applied to all failing mail.
  • pct=10 means the policy is enforced on only 10% of failing mail; the remainder receives the next-lower policy (quarantine instead of reject, none instead of quarantine).

The percentage gives you control over how aggressively you roll out DMARC. Here are some best practices:

  • For the initial DMARC setup, use a small pct, like 10%.
  • Monitor the aggregate and forensic reports.
  • Gradually keep increasing pct to 50%, 75% and finally 100%.
  • This ensures legitimate mail that fails DMARC is not suddenly blocked during deployment.
  • Typical DMARC rollout takes 3-6 months to reach full pct coverage.

The pct technique prevents a premature policy like reject from creating havoc by allowing you to expand coverage slowly. Increase the percentage as alignment improves.

Aligning SPF & DKIM with DMARC

To maximize DMARC effectiveness, the SPF and DKIM authentication mechanisms must be properly aligned.

Here are some tips for aligning SPF & DKIM with your DMARC ecosystem:

Tune SPF Records

  • Audit the SPF record to ensure all authorized servers are included.
  • Remove old servers and IPs that should not send mail.
  • Monitor SPF failures in aggregate reports and adjust the SPF record.
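The SPF audit above can be partly automated. This is an added example, not the article's code: an offline SPF record linter in Python that parses the record, counts the DNS-lookup terms against the limit of 10 from RFC 7208 section 4.6.4 (exceeding it makes receivers return permerror, which shows up as SPF failures in your DMARC reports), flags "+all", "?all" and the deprecated "ptr" mechanism, and checks whether a given sender IP is covered by a literal ip4/ip6 mechanism. The sample records and domain names are constructed; include: targets are not resolved, so lookups hidden behind them are not counted.

```python
"""Added example (not the article's code): an offline SPF record linter.
Counts DNS-lookup terms against the RFC 7208 limit of 10, flags weak or
deprecated terms, and checks a sender IP against literal ip4/ip6 mechanisms.
include: targets are not resolved offline, so nested lookups are not counted."""
import ipaddress
from typing import Dict, List

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt: str) -> List[Dict[str, str]]:
    """Split an SPF record into terms. Mechanisms carry a qualifier (+ - ~ ?);
    modifiers such as redirect= carry an empty qualifier."""
    words = txt.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for word in words[1:]:
        if "=" in word and ":" not in word.split("=", 1)[0]:   # modifier
            name, value = word.split("=", 1)
            terms.append({"qualifier": "", "name": name.lower(), "value": value})
            continue
        qualifier = "+"
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        name, _, value = word.partition(":")
        name = name.split("/", 1)[0].lower()   # bare a/24 or mx/24 carry a prefix length
        terms.append({"qualifier": qualifier, "name": name, "value": value})
    return terms


def lint_spf(txt: str) -> List[str]:
    """Return problems that commonly cause SPF (and therefore DMARC) failures."""
    problems: List[str] = []
    terms = parse_spf(txt)
    lookups = sum(1 for t in terms if t["name"] in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; RFC 7208 permits at most 10, "
                        "so receivers return permerror")
    if any(t["name"] == "ptr" for t in terms):
        problems.append("ptr mechanism is deprecated and slow; replace with ip4/ip6")
    all_terms = [t for t in terms if t["name"] == "all"]
    if not all_terms and not any(t["name"] == "redirect" for t in terms):
        problems.append("no 'all' term: unlisted senders get a neutral result")
    for t in all_terms:
        if t["qualifier"] == "+":
            problems.append("+all authorizes every host on the internet")
        elif t["qualifier"] == "?":
            problems.append("?all is neutral; use ~all or -all once the record is complete")
    return problems


def ip_authorized(txt: str, ip: str) -> bool:
    """True when ip falls inside a literal ip4/ip6 mechanism with a pass qualifier.
    Offline only: a/mx/include terms are not resolved."""
    addr = ipaddress.ip_address(ip)
    for t in parse_spf(txt):
        if t["name"] in ("ip4", "ip6") and t["qualifier"] == "+":
            # mixed IPv4/IPv6 comparisons simply evaluate to False
            if addr in ipaddress.ip_network(t["value"], strict=False):
                return True
    return False


if __name__ == "__main__":
    # Constructed records; domains are placeholders, IPs are documentation ranges
    good = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example mx -all"
    bad = "v=spf1 " + " ".join(f"include:relay{i}.example" for i in range(11)) + " ptr +all"
    print(lint_spf(good))                          # []
    print(lint_spf(bad))
    print(ip_authorized(good, "192.0.2.77"))       # True
    print(ip_authorized(good, "203.0.113.5"))      # False
```

When an aggregate report shows SPF failures from an IP you own, run ip_authorized against your published record first; a sender outside every ip4/ip6 range (and not reachable through an include) is the usual cause.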

Publish DKIM

  • Ensure DKIM signatures are added to outbound mail.
  • Use a DKIM key length of 1024 bits or higher.
  • Publish public keys in DNS using TXT records.
  • Make sure the DKIM signing domain (the d= tag in the signature) aligns with the “From:” domain.

Monitor Failures

  • Review forensic reports for SPF and DKIM failures.
  • Identify and fix the causes for failed alignment.
  • Tune SPF and DKIM based on DMARC reports.

Proper SPF and DKIM setup is crucial for achieving a high DMARC pass rate and preventing authentication failures that lead to the blocking of legitimate mail.

DMARC Deployment Best Practices

Follow these best practices for a smooth and effective DMARC deployment:

  • Gradually increase pct from 10% to 100% over several weeks.
  • Start with a monitor-only p=none policy and move to quarantine or reject over time.
  • Ensure that the rua and ruf reporting addresses are configured and monitored.
  • Analyze aggregate reports to improve SPF & DKIM alignment.
  • Review forensic reports to identify and fix sources of failures.
  • Eliminate sources of spoofing like old unused domains.
  • Create DMARC policies for subdomains, senders, and 3rd parties.
  • Inform partners and vendors that send mail on your behalf about your DMARC rollout.
  • Publish the DMARC record at the _dmarc label of your domain (_dmarc.example.com), not as a TXT record on the bare root.
  • Use online DMARC monitoring tools to supplement reports.
  • Regularly review reports to keep improving your program.

Troubleshooting DMARC Issues

Some common issues may arise when implementing DMARC that can negatively impact mail delivery:

Low DMARC Pass Rate

If the DMARC aggregate reports show a high failure rate, focus on improving SPF/DKIM alignment and identifying any sources of spoofing. Review forensic reports to pinpoint why messages are failing.

Legitimate Mail Blocked

Use the quarantine policy first before moving to reject. Review forensic reports for clues on why valid mail is failing DMARC. Ensure all sending infrastructure is properly authenticated.

No DMARC Reports

Check the rua and ruf tags have valid email addresses. Verify you can receive mail at those addresses. Set up DMARC monitoring tools as a backup.

Service Disruptions

Slowly roll out DMARC using pct to minimize chances of outages. Ensure mailing lists, scanners, and other services have SPF/DKIM in place before enforcement.

Message Delays

If messages are delayed while DMARC is checked, add dmarcian.org to the whitelist. Some providers may also throttle large reports.

Careful and gradual deployment is key to avoiding major DMARC implementation issues. Always start with monitor mode and conservatively increase enforcement.

DMARC Tools

Various software tools can assist with implementing, monitoring, and reporting on DMARC:

  • DMARC analyzers: Online services that aggregate reports and provide analytics like Valimail, Agari, and Dmarcian.
  • DMARC setup wizards: Tools that help construct DMARC records like DmarcWizard.com and DmarcBuilder.com.
  • SPF/DKIM checkers: Services to validate SPF and DKIM on domains like port25.com.
  • Email header analyzers: Tools to inspect full email headers for troubleshooting.
  • Forensic sandbox: Detonate and analyze sample phishing emails that failed DMARC.

These tools provide added visibility and simplify key tasks like configuring DMARC, checking authentications, and monitoring enforcement.

Getting DMARC Reports in Gmail

Google’s Gmail provides a way to retrieve your DMARC aggregate and forensic reports right in your email inbox.

Here’s how to configure Gmail to receive DMARC reports:

  • Create a filter with rua@ or ruf@ in the To: field
  • Check the box to “Never send it to Spam.”
  • Choose “Filter messages like these.”
  • Click “Create filter with this search.”
  • Check “Apply the label” and name it something like DMARC Reports

Now, all messages sent to your rua and ruf addresses will be labeled DMARC Reports for easy access in Gmail. The raw XML reports can be downloaded for analysis.

This provides an alternative to setting up dedicated mailboxes to get your DMARC reports. The same technique works for Microsoft 365 and other email providers.

Final Thoughts

Implementing DMARC is a highly effective way for organizations to protect their domain, email users, and brand reputation against the rising threat of phishing, spoofing, and email fraud.

By authenticating inbound emails, DMARC gives companies the ability to detect and block spoofed messages pretending to come from their domain. Gradually rolling out DMARC using aggregate and forensic reports enables organizations to gain visibility into email threats targeting them and fine-tune their policies over time without impacting legitimate mail flow.

As email remains the top vector for cyberattacks, a layered email security strategy built on frameworks like DMARC, DKIM, and SPF is essential for any organization that values its customer trust and brand integrity. With some planning and effort, companies can leverage DMARC to substantially enhance their email authentication and prevent their domains from being used for email crimes.

Frequently Asked Questions (FAQ)

What is a DMARC record?

A DMARC record is a DNS TXT entry that publishes your DMARC policy and reporting details for receiving mail servers to authenticate your emails.

Where do I put the DMARC record?

The DMARC record goes in DNS at the _dmarc label of your root domain (e.g., _dmarc.example.com); a subdomain that needs its own policy gets its own record at _dmarc.<subdomain>.example.com.

What are DMARC tags?

DMARC tags like p, pct, ruf, and rua are used in the TXT record to specify your policy, percentage, and reporting addresses for aggregate and forensic reports.

How long does it take for DMARC to work?

A new or updated DMARC record takes about 24-48 hours to propagate through DNS and starts being enforced by receiving mail servers.

What happens if DMARC fails?

If DMARC authentication fails, the policy in your DMARC record (none, quarantine, or reject) will determine what happens to that email.

How do I get DMARC reports?

To receive DMARC aggregate and forensic reports, you need to configure the rua and ruf tags in your DMARC DNS record pointing to inboxes that will collect the reports.

What is a DMARC forensic report?

Forensic reports contain detailed sample data on specific email messages that failed DMARC authentication, including headers and failure reasons.

How often are DMARC reports sent?

Aggregate reports are typically sent daily or weekly, depending on volume. Forensic reports are generated for every detected DMARC failure.

What is a DMARC record lookup?

A DMARC record lookup queries public DNS for the DMARC record published for a domain. This shows whether a domain has DMARC enabled and what its policy is.

What’s the difference between DMARC and SPF?

SPF verifies authorized sending IP addresses for a domain. DMARC aligns the domain in the email’s “From:” with the SPF and DKIM domains to authenticate the sender.

What’s the difference between DMARC and DKIM?

DKIM signs and verifies email content. DMARC checks that the domain in the signature aligns with the sender’s domain in the “From:” address.

Can DMARC prevent business email compromise?

Yes, DMARC can help prevent BEC attacks by detecting and blocking spoofed domains criminals use to impersonate company executives.

Does the law require DMARC?

There is no legal requirement to implement DMARC. However, some industry sectors, like finance and healthcare, require email authentication.

What is a DMARC survey?

A DMARC survey audits your existing email infrastructure to identify any gaps that need to be fixed before rolling out DMARC across your domains.

What is DMARC spoofing?

DMARC spoofing is when an attacker forges the email headers and sender domain to try and bypass DMARC authentication checks and deliver spoofed emails.

Priya Mervana



Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.