DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) is the newest of the widely deployed email authentication standards and builds on the two that came before it, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
What it is: DMARC does not replace SPF or DKIM; it consumes their results and lets a domain owner publish, in a DNS TXT record at _dmarc.<domain>, how receivers should treat mail that fails. It should cover every domain under an organization's control (active sending domains, non-sending domains, and defensively registered domains), because a domain with no DMARC record is just as easy to spoof whether or not it ever sends mail. Its two key contributions are domain alignment and reporting.
How it works: SPF and DKIM each authenticate a domain, but neither ties that domain to the address the recipient actually sees. DMARC's alignment requirement closes that gap by comparing the "header from" domain (RFC5322.From) with:
- the "envelope from" domain (RFC5321.MailFrom, the Return-Path) that SPF evaluated, and
- the d= domain in a DKIM signature that verified.
Alignment is relaxed by default: the two domains only need to share an organizational domain, so bounce.example.com aligns with example.com. Strict alignment (adkim=s, aspf=s in the record) requires an exact match.
Passing DMARC: a message passes if at least one of the two legs both authenticates and aligns, that is, SPF passes and its domain aligns, or a DKIM signature verifies and its d= domain aligns. A message fails DMARC only when both legs fail: (1) SPF fails or is unaligned, and (2) no DKIM signature both verifies and aligns. Forwarding is the common case where this matters: the forwarder's envelope from breaks SPF alignment, but an intact DKIM signature still carries the message through, which is why DKIM signing is needed even when SPF is already in place.
The DMARC policy (the p= tag in the record) tells receivers how to handle messages that fail DMARC, removing any guesswork:
- p=none: monitoring (audit) only. Start here and use the aggregate (rua=) reports to identify legitimate senders and behavior that are failing DMARC before enforcing,
- p=quarantine: deliver messages that fail DMARC to spam/junk, OR
- p=reject: refuse messages that fail DMARC at SMTP time.
A separate sp= tag can set a different policy for subdomains, and pct= lets an organization ramp enforcement gradually instead of flipping to reject in one step.
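The alignment rules, the pass/fail logic and the policy selection described above, as an added worked example (this is not code from the original page). It assumes the receiver has already run SPF and DKIM, stubs the Public Suffix List with a handful of entries so relaxed alignment can be computed offline, and uses a constructed DMARC record for example.com together with constructed per-message results; the names `organizational_domain`, `aligned`, `parse_dmarc_record`, `AuthResults` and `evaluate_dmarc` are chosen here:

```python
# Added example, not from the original page: evaluate DMARC for a message whose
# SPF and DKIM checks have already run. The DMARC record, the Public Suffix
# List stub and every "message" below are constructed inline; no DNS or SMTP.
from dataclasses import dataclass

# Stub of the Public Suffix List (real code uses the full list from
# publicsuffix.org); needed to compute the "organizational domain" that
# relaxed alignment compares.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain = public suffix plus one label (example.co.uk, example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. mode 's' = strict (exact), 'r' = relaxed (same org domain)."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory; otherwise the record is ignored.
    first = txt.split(";", 1)[0].strip().lower()
    if first != "v=dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    """What a receiver knows after running SPF and DKIM on one message."""
    header_from: str   # domain of the RFC5322.From address
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom (envelope from) domain that SPF checked
    dkim: list         # [(result, d= domain), ...], one entry per signature


def evaluate_dmarc(msg: AuthResults, record: dict) -> tuple:
    """Return (dmarc_result, disposition); disposition is none, quarantine or reject."""
    spf_leg = msg.spf_result == "pass" and aligned(msg.header_from, msg.spf_domain, record["aspf"])
    # Any one verifying *and* aligned DKIM signature is enough; unaligned ones are ignored.
    dkim_leg = any(res == "pass" and aligned(msg.header_from, d, record["adkim"])
                   for res, d in msg.dkim)
    if spf_leg or dkim_leg:
        return "pass", "none"
    # Failure: apply p=, or sp= when the From domain is a subdomain of the record's
    # organizational domain (the record is assumed published at _dmarc.example.com).
    is_subdomain = msg.header_from.lower() != organizational_domain(msg.header_from)
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return "fail", policy


# Constructed record for example.com and four constructed message results.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

LEGIT_BULK = AuthResults(   # bulk sender: SPF on a bounce subdomain, no DKIM signature
    "example.com", "pass", "bounce.example.com", [])
FORWARDED = AuthResults(    # forwarder broke SPF alignment, DKIM signature survived
    "example.com", "pass", "forwarder.net", [("pass", "example.com")])
SPOOFED = AuthResults(      # attacker authenticates only a domain they control
    "example.com", "pass", "attacker.net", [("pass", "attacker.net")])
SUBDOMAIN = AuthResults(    # news.example.com signed with d=example.com fails strict adkim=s
    "news.example.com", "fail", "news.example.com", [("pass", "example.com")])

if __name__ == "__main__":
    rec = parse_dmarc_record(RECORD)
    for name, msg in [("legit bulk", LEGIT_BULK), ("forwarded", FORWARDED),
                      ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN)]:
        print(f"{name:11s} -> {evaluate_dmarc(msg, rec)}")
```

The spoofed case is the one DMARC exists for: SPF and DKIM both "pass", but only for a domain the attacker controls, so neither aligns with example.com and the p=reject policy applies. The subdomain case shows why strict alignment is a deliberate trade-off: a perfectly legitimate signature with d=example.com is not good enough for news.example.com under adkim=s, and the sp=quarantine subdomain policy, not p=reject, decides the outcome. Sampling via pct= is left out for brevity.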
Why it matters: DMARC is the first widely deployed email authentication standard that makes the "header from" address, the one the recipient actually sees, reliable. A published reject policy means forged mail carrying the brand's exact domain is dropped at the receiver, which discourages bad actors from going after a brand that has a DMARC record. It protects only the domains (and subdomains) that carry the record; lookalike domains registered by an attacker are outside its scope.