
Explain the DMARC, Hold the Jargon

by David Harris on August 11, 2014

How does it work? Should I use it?

There have been some big changes at gmail.com, yahoo.com, and aol.com recently regarding their DMARC policies, and this has had an effect on some email marketers. Interest in DMARC has also been growing. You may have been wondering, other than a five letter acronym, "what is this DMARC thing?"

What is DMARC?

First, the obligatory: DMARC stands for "Domain-based Message Authentication, Reporting & Conformance". That's a mouthful!

DMARC is used to prevent email phishing. This is when a bad actor sends an email impersonating another domain name, typically in order to steal personal information such as passwords. For example, before DMARC there was a lot of email claiming to be from "paypal.com" trying to steal passwords and money from real PayPal users.

To explain DMARC we have to start with email authentication.

Email authentication allows the receiver of an email to "know for sure" that an email message is really from who it says it is from. As crazy as it sounds, the underlying email protocols allow anyone to send an email with any from address. (Just as anyone can write any return address on a physical envelope.) It's up to receiving and spam filtering systems to determine if the from address is forged or not, and DMARC helps them to do that.

DMARC lets a domain name publish a "policy" on how it sends email. This policy might, in a very rough first-person translation, be something like this: "All valid email from me will be authenticated in this particular way. Any email claiming to be from me that doesn't follow these standards, you can throw it away -- because it's not from me."

DMARC builds on top of SPF and DKIM, the two most common email authentication methods, to accomplish all of this.

So how does DMARC work?

DMARC does three specific things:

(1) DMARC provides a way to tell if the from address of an email message is "proved authentic" by the DKIM and SPF authentication results.

The problem DMARC solves is that DKIM and SPF prove that particular domain names sent the email, but these domain names are often "under the hood" technical details of the email and don't always match up with the domain name that the user sees: the domain name in the from address of the message.

DMARC defines how these "under the hood" domain names must match up (or align) with the domain name in the from address. When they match appropriately, the email is called "DMARC-aligned".

The "DMARC-alignment" can be strict, which requires an exact match.

Or a domain name can say in its "DMARC policy" that "relaxed" alignment is allowed, which looks like this: the "under the hood" domain name can be "server1234.whatever.paypal.com" which, because this is a sub-domain of "paypal.com," is "aligned" with a domain name in the from address of "paypal.com".

When an email message is not aligned, it is called "unaligned".

(2) DMARC provides a way to tell receivers and spam filters what to do with mail that is not DMARC-aligned.

The "DMARC policy" of a domain name will say what should be done with email that is not DMARC-aligned.

If an organization is 100% sure that all legitimate email they send is DMARC-aligned, then the non-DMARC-aligned email is sure to be phishing or spam, and they can publish a policy saying "delete it all" or "put it all in the Spam folder."

However, it's really hard for a large organization with lots of departments and technical systems to be 100% sure that all legitimate mail is DMARC-aligned, so DMARC also allows organizations to gently phase into a strict policy. For example, a policy could direct receivers to put 10% of the unaligned email into the Spam folder and to process 90% of it normally.
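As an added illustration (example code, not from the original post), here is a simplified DMARC evaluator in Python: it parses a DMARC DNS TXT record, checks strict or relaxed alignment of the SPF- and DKIM-authenticated domains against the From: domain, and applies the policy with the pct= sampling described above. The tag names (p, pct, adkim, aspf) are the real DMARC record tags; the "last two labels" organizational-domain rule is an assumption standing in for the Public Suffix List lookup real receivers perform.

```python
import random

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; pct=10; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")   # SPF alignment: r = relaxed, s = strict
    tags.setdefault("pct", "100")  # share of unaligned mail the policy applies to
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers consult the
    # Public Suffix List so that names like 'example.co.uk' are handled properly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts any subdomain of
    the same organizational domain (server1234.whatever.paypal.com ~ paypal.com)."""
    if not auth_domain:  # identifier absent, or its own SPF/DKIM check failed
        return False
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)

def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None, roll=None):
    """Evaluate one message. spf_domain / dkim_domain are the domains that
    actually PASSED SPF / DKIM verification (None if that check failed).
    Returns 'pass' when either one aligns with the From: domain, otherwise the
    policy action ('none', 'quarantine', 'reject'). pct= sampling follows
    RFC 7489 section 6.6.4: mail not selected is treated one step more leniently."""
    tags = parse_dmarc_record(record)
    if is_aligned(spf_domain, from_domain, tags["aspf"]) or \
            is_aligned(dkim_domain, from_domain, tags["adkim"]):
        return "pass"
    roll = random.randint(1, 100) if roll is None else roll  # roll: test hook
    if roll <= int(tags["pct"]):
        return tags["p"]
    return {"reject": "quarantine", "quarantine": "none"}.get(tags["p"], "none")
```

With "v=DMARC1; p=quarantine; pct=10", roughly one unaligned message in ten is quarantined and the rest are processed normally, which is the gradual rollout the post describes.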

(3) DMARC provides a way for a domain to request reports on non-DMARC-aligned mail claiming to be from it.

This reporting feature is helpful in two ways:

(1) It helps organizations find sources of legitimate but non-DMARC-aligned mail so they can get to where 100% of their legitimate email is authenticated and DMARC-aligned.

(2) It can give a domain information on the phishing emails that are attempting to impersonate it. This can be helpful for anti-fraud departments.

Should I use DMARC?

DMARC is a powerful tool for fighting phishing, but it is not required to deliver your permission-based email to the inbox as long as you're sending email from your own domain name (which you should be).

DMARC is not for everyone. Properly deploying DMARC in a large organization and ensuring all legitimate email is DMARC-aligned can be a lot of work. If you're a target of phishing, then DMARC is an invaluable tool in that fight.

Written by David Harris
David first started his own business when he was still in high school. DRH Internet, Inc. began as a web hosting company, but as David's consulting experience grew, he found himself working frequently with open source email servers and writing custom software to solve problems. Over time his software grew into a full-fledged email platform called—you guessed it—GreenArrow. In his spare time, you can usually find him taking classical guitar lessons, drinking gourmet coffee, playing Go, and spending time with his wife Penni and their four amazing children.
