DMARC records are an important part of the email authentication trio (SPF, DKIM, and DMARC) and play a part in email deliverability. DMARC is specifically designed for evaluating email messages.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Your DMARC record tells the receiving email servers what you want them to do with your emails that fail DMARC authentication, whether to do nothing, quarantine, or reject.
A primary use of DMARC is to help deal with spoofers. DMARC reports are also excellent in helping identify malicious actors and get feedback on your SPF & DKIM pass-fails.
DMARC authentication works by evaluating whether your message passes or fails SPF and DKIM authentication. Proper implementation of DMARC therefore requires that you first implement your SPF records and DKIM records correctly, or else they will fail.
DMARC Record Requirements
DMARC requires you already have SPF and DKIM records both set up. DMARC records are not the same as SPF records nor as DKIM records; thus DMARC is not a replacement for either of these records. Instead, the DMARC framework relies on the evaluation of both of these records.
A valid DMARC record must contain certain mandatory tag values such as p= and v=DMARC1, and must be hosted following the "_dmarc" prefix syntax.
DMARC is completely free of charge, though you can use certain third-party software to better track and read the report outputs.
Although it's really up to the recipient servers to honor or ignore your stated DMARC policy preferences, most major inbox providers such as Gmail use DMARC authentication and will send across Aggregate Reports.
How DMARC Authentication Works
To pass DMARC authentication, a message must pass at least one of these two checks:
- SPF authentication and SPF alignment
- DKIM authentication and DKIM alignment
A message fails the DMARC check if the message fails both:
- SPF (or SPF alignment)
- DKIM (or DKIM alignment)
So the evaluation process looks like this:
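The pass/fail rule above, combined with the mandatory-tag check on the record, as an added example that is not part of the original article. The function names, the sample record and the sample domains are constructed for illustration, and alignment is assumed here to mean an exact match with the From domain.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Parse a DMARC TXT record; require v=DMARC1 first and a valid p= tag."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(tags)
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def aligned(auth_domain, from_domain):
    # Assumption: exact-match alignment only. Relaxed alignment compares
    # organizational domains and needs the Public Suffix List; not modelled.
    return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")

def evaluate(from_domain, record, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (result, requested_action) for one message.

    A message passes if SPF passes AND aligns, OR DKIM passes AND aligns.
    On failure the action is whatever the domain owner published in p=.
    """
    policy = parse_dmarc(record)["p"].lower()
    spf_ok = spf_pass and aligned(spf_domain, from_domain)
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return ("pass", None)
    return ("fail", policy)

if __name__ == "__main__":
    # Constructed record, as it would be published at _dmarc.example.com
    record = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
    cases = {
        # Forwarded mail: SPF breaks, aligned DKIM signature survives
        "forwarded": (False, "example.com", True, "example.com"),
        # Third-party sender: both checks pass, but for the sender's own domains
        "unaligned": (True, "bounce.esp.test", True, "esp.test"),
        # Spoofed From: nothing authenticates
        "spoofed": (False, "attacker.test", False, "attacker.test"),
    }
    for name, args in cases.items():
        print(name, evaluate("example.com", record, *args))
```

The "unaligned" case is the one that most often surprises senders: SPF and DKIM both report pass, yet DMARC fails because neither authenticated domain matches the From domain.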