
Cybersecurity Knowledge Base

CyberPedia


Domain-based Message Authentication, Reporting & Conformance (DMARC)


Overview

DMARC is an email security standard that helps domain owners protect their domain from spoofing and phishing and tells receiving mail servers what to do when an email fails authentication checks. It builds on SPF and DKIM and adds policy and reporting, so you can say, in effect: “If a message looks like it’s from my domain but fails checks, here’s how you should treat it—and please send me reports about what you see.”

In plain language: DMARC lets a company lock down who can send on its behalf and see who is trying to fake its email.

How DMARC Works (High Level)

DMARC uses a DNS TXT record on your domain (for example, _dmarc.example.com) that defines your policy. That record tells other mail systems:

  • Which authentication methods you use (SPF, DKIM).

  • How strictly to handle failures (just monitor, quarantine as spam, or reject).

  • Where to send reports about messages that claim to be from your domain.

When an email arrives:

  1. The receiving server checks SPF and DKIM for the domain.

  2. DMARC then checks alignment: do the domains used by SPF/DKIM match the visible “From:” domain?

  3. Based on the DMARC policy, the receiver decides whether to deliver, spam‑folder, or reject the message.

  4. The receiver may send XML‑format reports back to the domain owner with statistics on pass/fail results.

Key DMARC Policy Options

Within the DMARC record, the main policy (p=) can be:

  • none – Monitor only: Don’t block mail; just send reports.

  • quarantine – Treat failing mail as suspicious (for example, send to spam).

  • reject – Block failing mail from being delivered.

Other tags specify things like:

  • Where to send aggregate reports (rua=).

  • Where to send forensic/failure reports (ruf=).

  • What percentage of failing traffic the policy is applied to (pct=).
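As an added worked example (not code from this page or from CyberPedia), the following Python model ties the "How DMARC Works" steps and the policy tags above together: it parses a DMARC TXT record into its tags (p=, rua=, ruf=, pct=) and applies the alignment check to decide whether a message passes or gets the none, quarantine or reject treatment. The record and domains are constructed samples; the organizational-domain helper is a simplification, and the strict/relaxed alignment tags (adkim=, aspf=) and the pct= fallback to the next less severe action are taken from the DMARC specification rather than from this page.

```python
# Constructed sample record, as it would be published at _dmarc.example.com.
SAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
                 "ruf=mailto:dmarc-fail@example.com; pct=100")

# When pct= is below 100, mail outside the sample gets the next less severe action.
NEXT_LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= policy")
    # Spec defaults: apply to 100% of mail, relaxed alignment for DKIM and SPF.
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Simplifying assumption for this example: the organizational domain is the
    last two labels. Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Alignment check: strict ('s') needs an exact match with the visible From:
    domain; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:          # that mechanism failed or was absent
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None, sampled=True):
    """Decide what a receiver does with one message: 'pass' or the policy action.
    spf_domain / dkim_domain: domain that passed SPF / DKIM, or None on failure.
    sampled: whether the message fell inside the pct= share of traffic."""
    tags = parse_dmarc(record)
    if (aligned(spf_domain, from_domain, tags["aspf"])
            or aligned(dkim_domain, from_domain, tags["adkim"])):
        return "pass"            # at least one aligned mechanism passed
    policy = tags["p"]
    if not sampled and int(tags["pct"]) < 100:
        policy = NEXT_LESS_SEVERE[policy]
    return policy
```

A message whose SPF pass comes from an unrelated domain, or that fails both checks, falls through to the published policy, which is the case the "Plain-Language Example" below describes.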

Benefits of DMARC for Businesses

When correctly configured and enforced, DMARC helps organizations:

  • Stop direct domain spoofing

    • Makes it much harder for attackers to send messages that appear to be from your exact domain.

  • Reduce phishing that abuses your brand

    • Receiving systems can more confidently block fraudulent emails claiming to be you.

  • Improve deliverability of legitimate mail

    • Authenticated, aligned messages are more likely to land in the inbox, not spam.

  • Gain visibility

    • DMARC reports show which services are sending email using your domain and which sources are failing, including possible abuse or misconfigurations.

Relationship with SPF and DKIM

DMARC doesn’t replace SPF and DKIM; it sits on top of them:

  • SPF: Says which servers can send email for a domain.

  • DKIM: Adds a digital signature proving messages were authorized and unchanged.

  • DMARC:

    • Requires SPF and/or DKIM to align with the visible From: domain.

    • Specifies what to do if checks fail.

    • Provides reporting back to the domain owner.

All three together form a stronger anti‑spoofing solution than any of them alone.

Plain‑Language Example

Imagine you are running arguscyber.com:

  • You set up SPF and DKIM for your legitimate mail systems.

  • You publish a DMARC record that says, “If an email claims to be from @arguscyber.com but doesn’t pass SPF/DKIM checks aligned with my domain, reject it, and send me a report.”

Result: when attackers try to send phishing emails from fake servers using @arguscyber.com in the From: line, receiving systems can see that the messages don’t meet your DMARC policy and can drop or spam‑folder them, while reporting these attempts back to you.

Best Practices for DMARC (Non‑Technical View)

For organizations:

  1. Start with monitoring (p=none)

    • First, turn on DMARC in reporting‑only mode to see who is sending mail as your domain and what passes/fails.

  2. Ensure SPF and DKIM are correctly set up

    • Make sure all legitimate email sources (internal servers, cloud email, marketing platforms, CRM systems, etc.) are covered and passing.

  3. Analyze reports and clean up senders

    • Identify legitimate services that need configuration fixes and unknown senders that may be abuse.

  4. Gradually tighten policy

    • Move from none to quarantine, and then to reject once you’re confident authorized mail is authenticating properly.

  5. Maintain and review regularly

    • Review DMARC reports periodically, especially when adding or changing email services.