DMARC - Domain-based Message Authentication, Reporting and Conformance

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol that was standardized in 2015 as RFC 7489. It builds on the two predecessor protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and addresses their common weakness: Without DMARC, emails can pass the SPF/DKIM check yet still carry a forged sender address (From header).

The Fundamental Problem: Email Spoofing

The SMTP protocol was designed in 1982 without any authentication mechanisms. Anyone can send an email with any sender address—technically, it requires only a few lines of code. This design flaw is the basis for:

CEO fraud (Business Email Compromise): Emails sent in the CEO’s name demanding money transfers
Phishing campaigns: Emails from security@ihre-bank.de or support@paypal.com
Brand abuse: Attackers send spam on behalf of legitimate companies

DMARC closes this gap by allowing email recipients to verify whether a received message actually originates from the domain specified in the From header.

The three building blocks: SPF, DKIM, DMARC

SPF (Sender Policy Framework)

SPF specifies in a DNS TXT record which mail servers are authorized to send emails on behalf of a domain:

example.com. TXT &quot;v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all&quot;

Limitation: SPF checks the technical envelope sender address (MAIL FROM / Return-Path), not the visible From header. An attacker can use their own SPF-compliant address as the envelope sender and still display info@ihre-domain.de in the From header.

DKIM (DomainKeys Identified Mail)

DKIM cryptographically signs outgoing emails. The public key is stored in the DNS:

selector._domainkey.example.com. TXT &quot;v=DKIM1; k=rsa; p=MIGfMA0GCSq...&quot;

Limitation: DKIM checks the signature domain (d= tag), not the From header. The two can be different.

DMARC - Alignment and Policy

DMARC links SPF and DKIM to the From header through the concept of alignment:

SPF Alignment: The SPF envelope domain must match the From-header domain
DKIM Alignment: The DKIM d= domain must match the From-header domain

If alignment fails, the DMARC policy takes effect.

DMARC DNS Record Explained

_dmarc.example.com. TXT &quot;v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100; sp=reject&quot;

Tag	Meaning
`v=DMARC1`	Protocol version
`p=none/quarantine/reject`	Policy for non-compliant emails
`rua=`	Recipient address for aggregate reports
`ruf=`	Recipient address for forensic reports
`pct=`	Percentage of messages to which the policy is applied
`sp=`	Subdomain policy
`adkim=s/r`	DKIM alignment: strict or relaxed
`aspf=s/r`	SPF alignment: strict or relaxed

DMARC Policy Levels

`p=none` - Observation mode

Emails are delivered unchanged. DMARC reports are sent. Starting point for all new implementations—absolutely necessary to map legitimate email flows before activating stricter policies.

`p=quarantine` - Mark as suspicious

Non-compliant emails end up in the spam/quarantine folder. Recipients can still view them, but they are flagged.

`p=reject` - Reject

Non-compliant emails are completely rejected by the receiving mail server. Maximum protection - but only enable this if all legitimate email sources are correctly configured.

Implementation in 5 steps

Step 1: Set up a DMARC report recipient

Set up a mailbox or a DMARC report aggregator (e.g., DMARC Analyzer, Valimail, dmarcian).

Step 2: Configure SPF correctly

List all legitimate mail servers. Check: marketing tools (Mailchimp, HubSpot), CRM systems, ERP systems, cloud services (Office 365, Google Workspace).

Step 3: Set up DKIM

Enable DKIM signing for all legitimate email sources.

Step 4: Enable DMARC with `p=none`

_dmarc.yourdomain.de. TXT &quot;v=DMARC1; p=none; rua=mailto:dmarc-reports@ihredomain.de&quot;

Step 5: Analyze reports and tighten policy

Analyze the reports for 4–6 weeks. Identify unknown email sources. Reconfigure SPF/DKIM for all legitimate sources. Then proceed step by step: p=quarantine → p=reject.

Why DMARC is essential for businesses

Starting February 2024: Google and Yahoo require DMARC for bulk senders (>5,000 emails/day). Without proper DMARC configuration, emails will end up in spam or be rejected.

BIMI Requirement: Brand Indicators for Message Identification (BIMI) displays the company logo in the inbox—but only if DMARC is set to p=quarantine or p=reject.

Phishing Protection: Without DMARC, any attacker can send emails on behalf of your domain. With p=reject, this is technically impossible.

According to AWARE7 data, in 2025, 38% of DAX40 companies still had no DMARC or only a p=none DMARC—leaving them vulnerable to email spoofing.

Further information: Start a free domain check | Improve email security