DMARC (Domain-based Message Authentication, Reporting & Conformance) is the latest and greatest advance in email authentication. But, like SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail), it’s sometimes misunderstood. That’s why we’re dedicating the last post of our three-part email authentication series to explaining how it works, and why it matters.
What it is: DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards, and that fraudulent activity appearing to come from domains under the organization’s control (active sending domains, non-sending domains, and defensively registered domains) is blocked. Two key values of DMARC are domain alignment and reporting.
How it works: DMARC’s alignment feature prevents spoofing of the “header from” address by:
To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.
DMARC allows senders to instruct email providers on how to handle unauthenticated mail via a DMARC policy, removing any guesswork on how they should handle messages that fail DMARC authentication. Senders can either:
Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving them visibility into what messages are authenticating, what messages are not, and why.
Why it matters: DMARC is the first and only widely deployed technology that can make the “header from” address (what users see in their email clients) trustworthy. Not only does this help protect customers and the brand, it discourages cybercriminals who are less likely to go after a brand with a DMARC record
Ready to get started with DMARC? Here’s your guide.