Domain-based Message Authentication, Reporting & Conformance


Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol defined in RFC 7489.

Domain-based Message Authentication, Reporting & Conformance is designed to give email domain owners the ability to protect their DNS Domain from unauthorized use, commonly known as an email Spoofing Attack. The purpose and primary outcome of implementing DMARC is to protect a DNS Domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

Domain-based Message Authentication, Reporting & Conformance operates by checking that the domain in the message's From: field (also called "5322.From") is "aligned" with other authenticated DNS Domain names. If either SPF or DKIM alignment checks pass, then the DMARC alignment test passes.

DNS Resource Records

DMARC records are published in DNS with a subdomain label _dmarc, for example _dmarc.example.com. Compare this to SPF at example.com, and DKIM at selector._domainkey.example.com.

The content of the TXT DNS Resource Record consists of name=value tags, separated by semicolons, similar to SPF and DKIM. For example:

Here, v is the version, p is the policy, sp the subdomain policy, pct is the percentage of "bad" emails on which to apply the policy, and rua is the URI to send aggregate reports to. In this example, the entity controlling the example.com DNS Domain intends to monitor SPF and/or DKIM failure rates and doesn't expect emails to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record; receivers must check for it before falling back to the organizational domain record.
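The sketch below is an added example, not part of the original page or of any DMARC implementation: it parses the name=value tags and applies the lookup order described above (the subdomain's own record first, then the organizational domain's sp). The record values in CONSTRUCTED_DNS are constructed, and the organizational domain is assumed to be supplied by the caller.

```python
# Added example. CONSTRUCTED_DNS stands in for real TXT lookups; all record
# values below are constructed for illustration.
CONSTRUCTED_DNS = {
    "_dmarc.example.com":
        "v=DMARC1; p=none; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine; pct=50",
    "_dmarc.broken.example.com": "p=reject; v=DMARC1",  # v is not the first tag
}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; return None if it is not usable."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            name, sep, value = part.partition("=")
            if not sep:
                return None
            pairs.append((name.strip().lower(), value.strip()))
    # The version tag must come first and must be exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = dict(pairs)
    # Simplification: a record without a valid p tag is treated as unusable.
    if tags.get("p", "").lower() not in POLICIES:
        return None
    tags["p"] = tags["p"].lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # sp defaults to p
    if tags["sp"] not in POLICIES or not tags.get("pct", "100").isdigit():
        return None
    tags["pct"] = int(tags.get("pct", "100"))       # pct defaults to 100
    return tags


def effective_policy(from_domain, org_domain, dns=CONSTRUCTED_DNS):
    """Return (policy, pct, source record name) for a From: domain, or None."""
    own = parse_dmarc(dns.get("_dmarc." + from_domain, ""))
    if own:
        return own["p"], own["pct"], "_dmarc." + from_domain
    if from_domain != org_domain:
        org = parse_dmarc(dns.get("_dmarc." + org_domain, ""))
        if org:
            # Falling back to the organizational record: sp applies, not p.
            return org["sp"], org["pct"], "_dmarc." + org_domain
    return None
```

With the constructed records, mail claiming to be from mail.example.com gets the organizational sp (reject), while example.com itself stays at p=none.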
