
DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is an email authentication protocol that builds on SPF and DKIM to detect messages that spoof a domain in the visible From header and to tell receiving servers how to handle them.

What is DMARC?

DMARC is an email authentication standard (RFC 7489) that helps domain owners prevent spoofing of their domain and gain visibility into how it is used in email. It builds on SPF and DKIM, adding policy enforcement (what receivers should do when authentication fails), identifier alignment (the domain in the visible From header must match either the envelope MAIL FROM domain that SPF authenticated or the signing domain in the DKIM d= tag), and reporting (which sources send mail as the domain and whether they pass). The policy is published as a DNS TXT record at _dmarc.<domain>, which is what receiving servers look up.

Why DMARC matters

DMARC is critical because it:

  • Prevents domain impersonation and spoofing
  • Reduces phishing and spam using your domain
  • Improves email deliverability and reputation
  • Provides visibility through authentication reports
  • Protects brand and user trust

Without DMARC, anyone can put your domain in the From header and most receivers will still accept the message: SPF checks the envelope sender and DKIM checks the signing domain, but neither ties its result to the address the user actually sees.

How DMARC works

A simplified DMARC flow:

  1. The receiving server looks up the DMARC record for the From header domain (falling back to the organizational domain) and evaluates SPF and DKIM as usual
  2. It checks alignment: SPF passed for a MAIL FROM domain that matches the From domain, or a valid DKIM signature's d= domain matches it (exact match in strict mode, same organizational domain in relaxed mode)
  3. DMARC passes if either aligned check passes; otherwise it fails
  4. On failure the server applies the published policy (none, quarantine or reject)
  5. Aggregate reports on what was seen are sent back to the domain owner

DMARC does not replace SPF or DKIM - it coordinates them.

DMARC policies explained

DMARC supports three policy modes:

  • p=none – monitor only; failing messages are delivered normally but show up in reports
  • p=quarantine – receivers treat failing messages as suspicious, usually by filing them in spam
  • p=reject – receivers refuse failing messages outright, typically at SMTP time

Organizations typically move gradually from monitoring to enforcement, using the reports to fix legitimate senders before anything is blocked; the pct= tag can apply the stricter policy to only a percentage of failing mail during the transition.
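The flow above and the three policy modes, as an added example that is not code from the original page: a small Python evaluator that parses a DMARC record, applies relaxed or strict alignment to the SPF and DKIM results, and returns the disposition a receiver would apply. The record, the four scenarios and the two-label organizational-domain shortcut are assumptions made for the example; real receivers take the SPF/DKIM verdicts from their verifiers, fetch the record from DNS and use the Public Suffix List for organizational domains.

```python
"""DMARC evaluation, step by step (added example; constructed inputs)."""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption for this example only. Real receivers use the Public
    Suffix List so that names such as example.co.uk work correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str                          # domain of the visible From: header
    spf_result: str                           # verifier result: pass/fail/softfail/none/...
    mail_from_domain: str                     # envelope MAIL FROM domain that SPF checked
    dkim: list = field(default_factory=list)  # [(result, d= signing domain), ...]


def evaluate(record: str, record_domain: str, r: AuthResults) -> dict:
    """Apply the DMARC record published at record_domain to one message."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.mail_from_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(r.from_domain, d, tags["adkim"]) for res, d in r.dkim)
    dmarc_pass = spf_ok or dkim_ok  # either aligned mechanism is enough
    # sp= governs only when the record was found at the org domain and the From
    # domain is a subdomain of it; otherwise p= applies. pct= (sampling) is
    # parsed but not applied in this example.
    policy = tags["p"] if r.from_domain.lower() == record_domain.lower() else tags["sp"]
    return {
        "result": "pass" if dmarc_pass else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if dmarc_pass else policy,
    }


# Constructed record for example.com: strict DKIM alignment, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

SCENARIOS = {
    # Legitimate mail: SPF passes for a bounce subdomain, relaxed aspf accepts it.
    "legit_spf": AuthResults("example.com", "pass", "bounce.example.com"),
    # Valid DKIM signature from a subdomain, but adkim=s demands an exact match.
    "dkim_strict_miss": AuthResults("example.com", "fail", "example.com", [("pass", "mail.example.com")]),
    # Spoof: the attacker's own domain passes SPF and DKIM, but nothing aligns with From.
    "spoof": AuthResults("example.com", "pass", "attacker.example", [("pass", "attacker.example")]),
    # Subdomain in From with no record of its own: the org record's sp= applies.
    "subdomain": AuthResults("news.example.com", "softfail", "attacker.example"),
}


def run_scenarios() -> dict:
    return {name: evaluate(RECORD, "example.com", r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} dmarc={verdict['result']:4} disposition={verdict['disposition']}")
```

The "spoof" scenario is the case DMARC exists for: the message is fully authenticated for attacker.example, yet it fails because neither authenticated identifier aligns with the From domain, so the receiver applies p=reject.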

DMARC reports

DMARC provides two types of reports:

  • Aggregate (RUA) – XML reports, usually sent daily to the address in the rua= tag, summarising per source IP how many messages used your domain and whether they passed SPF, DKIM and alignment
  • Forensic or failure (RUF) – per-message samples of individual failures; few receivers send them and they are often redacted for privacy

These reports help identify misconfigured legitimate senders (mail that authenticates but does not align) and abuse (mail that does not authenticate at all).
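Reading an aggregate report, as an added example that is not code from the original page: the XML below is a constructed report following the RFC 7489 aggregate-report schema, and the parser sorts each source IP into the two cases the reports are meant to reveal, a legitimate sender that authenticates under the wrong domain and a source that does not authenticate at all. The receiver name, IPs, counts and vendor domain are all made up; real reports arrive as gzip or zip attachments, so the loader accepts gzip as well as plain XML.

```python
"""Summarise a DMARC aggregate (RUA) report (added example; constructed data)."""
import gzip
import xml.etree.ElementTree as ET  # reports come from third parties; prefer defusedxml in production

# Constructed report: the domain is still at p=none, so every disposition is "none".
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><email>dmarc-reports@receiver.example</email>
    <report_id>constructed-0001</report_id><date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>marketing-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>marketing-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report(data: bytes) -> ET.Element:
    """Accept raw XML or a gzip-compressed report (the usual attachment form)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)


def classify(record: ET.Element) -> str:
    """policy_evaluated holds the *aligned* results; auth_results holds the raw ones."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "pass"
    # DMARC failed. Did the message authenticate at all, under some other domain?
    raw_pass = sorted({
        e.findtext("domain")
        for e in record.findall("auth_results/dkim") + record.findall("auth_results/spf")
        if e.findtext("result") == "pass"
    })
    if raw_pass:  # likely a legitimate third party that needs aligned SPF/DKIM
        return "unaligned (authenticated as %s)" % ",".join(raw_pass)
    return "unauthenticated (possible spoofing)"


def summarize(data: bytes) -> dict:
    root = load_report(data)
    out = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": [],
        "totals": {},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        entry = {
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "verdict": classify(rec),
        }
        out["sources"].append(entry)
        out["totals"][entry["verdict"]] = out["totals"].get(entry["verdict"], 0) + entry["count"]
    return out


def gzipped_sample() -> bytes:
    """The same constructed report as it would arrive as a .xml.gz attachment."""
    return gzip.compress(SAMPLE_REPORT)


if __name__ == "__main__":
    summary = summarize(gzipped_sample())
    print(f"{summary['domain']} (p={summary['policy']})")
    for src in summary["sources"]:
        print(f"  {src['ip']:14} {src['count']:5}  {src['verdict']}")
```

In the constructed data the 198.51.100.7 source is the one to act on before moving to p=quarantine: it is a real vendor sending as example.com, and it will start landing in spam unless it signs with an example.com DKIM key or uses an aligned MAIL FROM. The 203.0.113.9 source authenticates as nothing and is what enforcement is meant to block.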

DMARC vs SPF vs DKIM

Each mechanism has a distinct role:

  • SPF: checks that the sending IP is authorized by the domain in the envelope MAIL FROM (Return-Path), not by the visible From header
  • DKIM: verifies a cryptographic signature over selected headers and the body, showing the message was signed by the d= domain and not altered since
  • DMARC: ties both results to the visible From domain (alignment), tells receivers what to do on failure, and asks for reports

All three should be deployed together: SPF alone breaks when mail is forwarded, DKIM alone is not tied to the From header, and DMARC without at least one of them has nothing to align and fails every message.

DMARC limitations

DMARC does not:

  • Encrypt email content
  • Stop phishing from lookalike or unrelated domains that the attacker controls
  • Prevent attacks from compromised mailboxes or compromised legitimate senders, whose mail passes authentication
  • Replace user awareness training

DMARC protects your domain from being spoofed; it does not protect your users from phishing that arrives from other domains.

Best practices for DMARC

Effective DMARC deployment includes:

  • Starting with p=none and reviewing the aggregate reports before enforcing anything
  • Ensuring every legitimate sender passes SPF or DKIM with a domain aligned to the From header
  • Gradually moving to p=quarantine and then p=reject, raising pct= as confidence grows
  • Monitoring reports continuously, since new senders and misconfigurations appear over time
  • Documenting third-party senders and having them sign with your DKIM key or send from an aligned MAIL FROM domain

Common misconceptions

  • "DMARC blocks all phishing" – it only stops exact-domain spoofing; lookalike domains and compromised accounts still get through
  • "DMARC works without SPF or DKIM" – with nothing to align, every message fails
  • "DMARC is a one-time setup" – senders and vendors change, so reports need ongoing review
  • "p=reject will break all email" – only mail that fails both aligned checks is rejected, and a monitored rollout finds those senders first