Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.
Once the DMARC DNS entry is published, any receiving email server can authenticate incoming email based on the instructions published by the domain owner within the DNS entry. If the message passes the check, the receiver has verified that the domain shown in the From: header was authorized by its owner to send that message; a pass vouches for the use of the domain, not for the content of the message. If the message fails the check, then depending on the policy held within the DMARC record it could still be delivered, quarantined or rejected.
DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records that specifies how receivers should check the From: field presented to end users (the domain in that field must align with the domain authenticated by SPF or DKIM), how the receiver should deal with failures, and it provides a reporting mechanism for actions performed under those policies.
DMARC is defined in the Internet Engineering Task Force's published document RFC 7489, dated March 2015, as "Informational".
DMARC records are published in DNS with a subdomain label _dmarc, for example _dmarc.example.com. Compare this to SPF at example.com, and DKIM at selector._domainkey.example.com.
The content of the TXT resource record consists of name=value tags, separated by semicolons, similar to SPF and DKIM. For example:
"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com;"
Here, v is the version, p is the policy (see below), sp is the subdomain policy, pct is the percentage of messages failing the DMARC check to which the policy is applied, and rua is the URI to send aggregate reports to. In this example, the entity controlling the example.com DNS domain intends to monitor SPF and/or DKIM failure rates and doesn't expect email to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record; receivers must look for it before falling back to the organizational domain record.
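The following is an added worked example, not code from the original article or from any DMARC implementation. It parses a record in the tag=value form shown above, performs the lookup order just described (the subdomain's own _dmarc record first, then the organizational domain's record with its sp= policy), checks whether the From: domain aligns with the SPF- or DKIM-authenticated domain, and applies pct sampling. It goes slightly beyond the text by honouring the adkim and aspf alignment tags (relaxed by default, strict when set to s). The DNS zone is a constructed in-memory dictionary, and the organizational-domain rule is a deliberate simplification: a real receiver consults the Public Suffix List.

```python
"""DMARC record parsing, lookup and policy evaluation (added example).

FAKE_DNS stands in for real TXT lookups; org_domain() is a simplification
of the organizational-domain rule (real receivers use the Public Suffix List).
"""

# Constructed TXT records keyed by DNS name, standing in for real lookups.
FAKE_DNS = {
    "_dmarc.example.com":
        "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com;",
    "_dmarc.strict.example.com":
        "v=DMARC1; p=reject; adkim=s; aspf=s; pct=50",
}

# RFC 7489 defaults for optional tags.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt):
    """Turn 'name=value;name=value' into a dict, applying defaults.

    Tag names are case-insensitive, whitespace around tags is ignored,
    'v=DMARC1' must be the first tag and 'p' is mandatory. The subdomain
    policy sp= falls back to p= when absent."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:                      # tolerate the trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    merged = dict(DEFAULTS)
    merged.update(tags)
    merged.setdefault("sp", merged["p"])
    merged["pct"] = int(merged["pct"])
    return merged


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption;
    this mis-handles suffixes such as co.uk, which the PSL covers)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain, dns=FAKE_DNS):
    """Return (record, policy) for the From: domain.

    A subdomain's own _dmarc record wins and its p= applies; otherwise
    fall back to the organizational domain's record and use its sp=."""
    from_domain = from_domain.lower()
    txt = dns.get(f"_dmarc.{from_domain}")
    if txt is not None:
        rec = parse_dmarc(txt)
        return rec, rec["p"]
    org = org_domain(from_domain)
    if org != from_domain:
        txt = dns.get(f"_dmarc.{org}")
        if txt is not None:
            rec = parse_dmarc(txt)
            return rec, rec["sp"]
    return None, "none"                   # no record: no DMARC policy applies


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             roll, dns=FAKE_DNS):
    """Return (dmarc_result, action) for one message.

    DMARC passes if SPF passed with an aligned MAIL FROM domain, or DKIM
    passed with an aligned d= domain. On failure the policy applies to
    pct% of messages; the rest get the next less strict policy
    (reject -> quarantine, quarantine -> none). 'roll' is the receiver's
    random draw in [0, 100), passed in so the result is reproducible."""
    rec, policy = lookup_policy(from_domain, dns)
    if rec is None:
        return "none", "deliver"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    if roll >= rec["pct"]:                # not sampled: step policy down one level
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # A spoof of news.example.com with no aligned SPF or DKIM hits sp=quarantine.
    print(evaluate("news.example.com", "fail", "attacker.invalid", "none", None, roll=7))
```

Note that a message sent from bounce.example.com with SPF passing is accepted for From: example.com under the default relaxed alignment, but the same message is a failure under aspf=s; this is the usual reason mailing-list and SaaS senders break when a domain moves to strict alignment.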
Example of DMARC configuration on cPanel DNS: