What is DMARC?
DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is another type of email authentication. It adds linkage to the author From domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, all to improve and monitor the protection of the domain from fraudulent email.
Rather than thinking of DMARC as a service in the cloud, think of it more like a standard or policy that your domain is upholding. DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like an email from that domain to be handled if it fails an authentication check.
Your DMARC record is published alongside your other DNS records, including:
SPF
A-record
CNAME
DKIM
Unlike SPF and DKIM, a properly configured DMARC policy can tell a receiving server whether or not to accept an email from a sender.
Note: Not all mail servers check DMARC before receiving a message, but all ISPs do.
How does DMARC work?
Our friends from Belkins have laid it out perfectly for you:
You craft your email and hit send to your contacts.
Your mail server adds a DKIM header, which looks for forged sender addresses.
DKIM confirms that you are legit.
Your email heads on over to your recipients’ mail server.
The recipients’ email server checks for authentication.
Once given the okay, DMARC jumps in to decide if your email should be passed, quarantined, or rejected.
If passed, your message arrives in your recipients’ inbox to catch one final spam filter.
You made it to the inbox!
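The pass, quarantine, or reject decision described above, as an added example that is not from Belkins or dmarc.org: a simplified receiver-side check that reads a published DMARC record and requires an SPF or DKIM pass whose domain aligns with the From domain. The record, domains and function names are constructed for illustration; the organizational domain is approximated as the last two labels, and the pct and sp tags are ignored.

```python
# Added example: simplified DMARC check. Sample values below are constructed.
# Assumption: the organizational domain is the last two labels; real receivers
# use the Public Suffix List. The pct= and sp= tags are ignored here.

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a usable policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    """Approximate the organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    Returns 'pass', the policy's p= value on failure, or 'no-policy'."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    # A bare SPF or DKIM pass is not enough: the authenticated domain must
    # also align with the domain in the visible From header.
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

# Constructed sample record: reject failures, strict DKIM alignment.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s"

if __name__ == "__main__":
    cases = [
        (("pass", "bounce.example.com"), ("fail", "example.com")),    # aligned SPF
        (("pass", "mailer.example.net"), ("pass", "example.net")),    # passes, unaligned
        (("fail", "example.com"), ("pass", "mail.example.com")),      # strict DKIM mismatch
    ]
    for spf, dkim in cases:
        print(spf, dkim, "->", evaluate(RECORD, "example.com", spf, dkim))
```

The second case is the one to watch in aggregate reports: a third-party sender can pass SPF and DKIM for its own domain and still fail DMARC for yours.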
DMARC is an important evolution of email authentication. This is just another great example of email senders and ISPs working together to protect the email channel. To learn more about DMARC, visit the organization’s website at dmarc.org.