Community hub
0 subscribers7 pages, 0 posts
Recent from talks
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Welcome to the community hub built to collect knowledge and have discussions related to DMARC.
Nothing was collected or created yet.
DMARC
View on Wikipediafrom Wikipedia
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email and email scams.
Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.
DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users and how the receiver should deal with failures, and it provides a reporting mechanism for actions performed under those policies.
DMARC is defined in the Internet Engineering Task Force's published document RFC 7489,[1] dated March 2015, as "Informational".[2]
Overview
[edit]A DMARC policy allows a sender's domain to indicate that their email messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it. The policy can also specify how an email receiver can report back to the sender's domain about messages that pass and/or fail.[3]
These policies are published in the public Domain Name System (DNS) as text TXT records.
DMARC does not directly address whether or not an email is spam or otherwise fraudulent. Instead, DMARC can require that a message not only pass DKIM or SPF validation, but that it also pass § Alignment. Under DMARC a message can fail even if it passes SPF or DKIM but fails alignment.[4]
Setting up DMARC may improve the deliverability of messages from legitimate senders.[5]
Alignment
[edit]DMARC operates by checking that the domain in the message's From: field (also called "RFC5322.From"[2]) is "aligned" with other authenticated domain names. If either SPF (specified using the aspf field) or DKIM (specified using the adkim field) alignment checks pass, then the DMARC alignment test passes.
Alignment may be specified as strict or relaxed. For strict alignment, the domain names must be identical. For relaxed alignment, the top-level "Organizational Domain" must match. The Organizational Domain used to be found by checking a list of public DNS suffixes. The upcoming spec instead specifies a Tree Walk through the parent domains. So, for example, "a.b.c.d.example.com.au" and "example.com.au" have the same Organizational Domain, because _dmarc.example.com.au is the only defined DMARC record among all the subdomains involved, including _dmarc.au. As this allows domain owners to define domain roles, it is deemed to be more accurate than the Public Suffix List.[6]
Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities authorized to make changes to a given DNS domain.
SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. (The email address in MAIL FROM is also called the bounce address, envelope-from or RFC5321.MailFrom.) In addition to requiring that the SPF check passes, DMARC checks that RFC5321.MailFrom aligns with 5322.From.[2]
DKIM allows parts of an email message to be cryptographically signed, and the signature must cover the From field. Within the DKIM-Signature mail header, the d= (domain) and s= (selector) tags specify where in DNS to retrieve the public key for the signature. A valid signature proves that the signer is a domain owner, and that the From field hasn't been modified since the signature was applied. There may be several DKIM signatures on an email message; DMARC requires one valid signature where the domain in the d= tag aligns with the sender's domain stated in the From: header field.
DNS record
[edit]DMARC records are published in DNS with a subdomain label _dmarc, for example _dmarc.example.com. Compare this to SPF at example.com, and DKIM at selector._domainkey.example.com.
The content of the TXT resource record consists of name=value tags, separated by semicolons, similar to SPF and DKIM.
The available tags are:[7]
- adkim, DKIM alignment mode (default
rfor relaxed, alternativelysfor strict) - aspf, SPF alignment mode (default
rfor relaxed, alternativelysfor strict) - fo, failure reporting options (default
0, alternatively1,d, ors) - p, policy (see below),
- pct, percent of "bad" email on which to apply the policy (default
100) - rf, format for message-specific failure reports
- ri, requested interval between aggregate reports
- rua, URI to send aggregate reports to
- ruf, URI to send failure/forensic reports to
- sp, subdomain policy (default same as
p), - v, version,
For example:
"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com;"
In this example, the entity controlling the example.com DNS domain intends to monitor SPF and/or DKIM failure rates and doesn't expect email to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record; receivers must check it out before falling back to the organizational domain record.
Step by step adoption
[edit]The protocol provides for various ratchets, or transitional states, to allow mail admins to gradually transition from not implementing DMARC at all, all the way through to an unyielding setup.[8][9][10] The concept of stepwise adoption assumes that the goal of DMARC is the strongest setting, which is not the case for all domains. Regardless of intent, these mechanisms allow for greater flexibility.
Policy
[edit]First and foremost, there are three policies:
- none is the entry level policy. No special treatment is required by receivers, but enables a domain to receive feedback reports.
- quarantine asks receivers to treat messages that fail DMARC check with suspicion. Different receivers have different means to implement that, for example flag messages or deliver them in the spam folder.
- reject asks receivers to outright reject messages that fail DMARC check.
The policy published can be mitigated by applying it to only a percentage of the messages that fail DMARC check. Receivers are asked to select the given percentage of messages by a simple Bernoulli sampling algorithm. The rest of the messages should undergo the lower policy; that is, none if p=quarantine, quarantine if p=reject. If not specified, pct defaults to 100% of messages. The case p=quarantine; pct=0; is being used to force mailing list managers to rewrite the From: field, as some don't do so when p=none.[11]
Finally, the subdomain policy, sp= and the newly added no-domain policy, np=[12] allow tweaking the policy for specific subdomains.
Reports
[edit]DMARC is capable of producing two separate types of reports. Aggregate reports are sent to the address specified following the rua. Forensic reports are emailed to the address following the ruf tag. These mail addresses must be specified in URI mailto format (e.g. mailto:worker@example.net ). Multiple reporting addresses are valid and must each be in full URI format, separated by a comma.[13]
Target email addresses can belong to external domains. In that case, the target domain has to set up a DMARC record to say it agrees to receive them, otherwise it would be possible to exploit reporting for spam amplification. For example, say receiver.example receives a mail message From: someone@sender.example and wishes to report it. If it finds ruf=mailto:some-id@thirdparty.example, it looks for a confirming DNS record in the namespace administered by the target, like this:
sender.example._report._dmarc.thirdparty.example IN TXT "v=DMARC1;"
Aggregate reports
[edit]Aggregate Reports are sent as XML files, typically once per day. The subject mentions the "Report Domain", which indicates the DNS domain name about which the report was generated, and the "Submitter", which is the entity issuing the report. The payload is in an attachment with a long filename consisting of bang-separated elements such as the report-issuing receiver, the begin and end epochs of the reported period as Unix-style time stamps, an optional unique identifier and an extension which depends on the possible compression (used to be .zip).[14]
For example:
example.com!example.org!1475712000!1475798400.xml.gz.
The XML content consists of a header, containing the policy on which the report is based and report metadata, followed by a number of records. Records can be put in a database as a relation and viewed in a tabular form. The XML schema is defined in Appendix C of specifications[15] and a raw record is exemplified in dmarc.org.[16] Here we stick with a relational example, which better conveys the nature of the data. DMARC records can also be directly transformed in HTML by applying an XSL stylesheet.
| Source IP | Count | Disposition | SPF | DKIM | Header from | SPF domain (result) | DKIM domain (result) | |
|---|---|---|---|---|---|---|---|---|
| 192.0.2.1 | 12 | none | Pass | Pass | example.org | example.org ( Pass) | example.org ( Pass) | |
| 192.0.2.1 | 1 | none | Pass | ✗ Fail | example.org | example.org ( Pass) | example.org (✗ Fail) | |
| 192.0.2.28 | 42 | none | ✗ Fail | Pass | example.org | example.org (✗ Fail) | example.org ( Pass) | forwarder.example ( Pass) |
| 192.0.2.82 | 21 | none | ✗ Fail | ✗ Fail | example.org | discusslist.example ( Pass) | example.org (✗ Fail) | discusslist.example ( Pass) |
| ... | ||||||||
Rows are grouped by source IP and authentication results, passing just the count of each group. The leftmost result columns, labelled SPF and DKIM show DMARC-wise results, either pass or fail, taking alignment into account. The rightmost ones, with similar labels, show the name of the domain which claims to participate in the sending of the message and (in parentheses) the authentication status of that claim according to the original protocol, SPF or DKIM, regardless of Identifier Alignment. On the right side, SPF can appear at most twice, once for the Return-Path: test and once for the HELO test; DKIM can appear once for each signature present in the message. In the example, the first row represents the main mail flow from example.org, and the second row is a DKIM glitch, such as signature breakage due to a minor alteration in transit. The third and fourth rows show typical failures modes of a forwarder and a mailing list, respectively. DMARC authentication failed for the last row only; it could have affected the message disposition if example.org had specified a strict policy.
The disposition reflects the policy published actually applied to the messages, none, quarantine, or reject. Along with it, not shown in the table, DMARC provides for a policy override. Some reasons why a receiver can apply a policy different from the one requested are already provided for by the specification:
- forwarded
- while keeping the same bounce address, usually doesn't break DKIM,
- sampled out
- because a sender can choose to apply the policy to a percentage of messages only,
- trusted forwarder
- the message arrived from a locally known source
- mailing list
- the receiver heuristically determined that the message arrived from a mailing list,
- local policy
- receivers are obviously free to apply the policy they like, it is just cool to let senders know,
- other
- if none of the above applies, a comment field allows to say more.
Forensic reports
[edit]Forensic Reports, also known as Failure Reports, are generated in real time and consist of redacted copies of individual messages that failed SPF, DKIM or both based upon what value is specified in the fo tag. Their format, an extension of Abuse Reporting Format, resembles that of regular bounces in that they contain either a "message/rfc822" or a "text/rfc822-headers".
Forensic Reports also contain the following:
- Source of Sending IP Address
- From email address
- Recipient email address
- Email subject line
- SPF and DKIM authentication results
- Received time
- Email message headers which include the sending host, email message ID, DKIM signature, and any other custom header information.[17]
Compatibility
[edit]Forwarders
[edit]There are several different types of email forwarding, some of which may break SPF.[18] This is one of the reasons why email forwarding can affect DMARC authentication results.[19]
Mailing lists
[edit]Mailing lists are a frequent cause of legitimate breakage of the original author's domain DKIM signature, for example by adding a prefix to the subject header. A number of workarounds are possible,[20][21] and mailing list software packages are working on solutions.[22]
Turn off all message modifications
[edit]This workaround keeps the standard mailing list workflow, and is adopted by several large mailing list operators, but precludes the list adding footers and subject prefixes.[23] This requires careful configuration of mailing software to make sure signed headers are not reordered or modified. A misconfigured email server may put List-id in its DKIM of messages sent to a mailing list, and then the list operator is forced to reject it or do From: rewriting.
From: rewriting
[edit]One of the most popular and least intrusive workarounds consists of rewriting the From: header field. The original author's address can then be added to the Reply-To: field.[24] Rewriting can range from just appending .INVALID[note 1] to the domain name, to allocating a temporary user ID where a modified version of the user's address is used, or an opaque ID is used, which keeps the user's "real" email address private from the list. In addition, the display name can be changed so as to show both the author and the list (or list operator).[25] Those examples would result, respectively, in one of the following:
From: John Doe <user@example.com.INVALID>
From: John Doe <user@example.com.dmarc.fail>
From: John Doe <243576@mailinglist.example.org>
From: John Doe via MailingList <list@mailinglist.example.org>
Reply-To: John Doe <user@example.com>
The last line, Reply-To:, has to be designed in order to accommodate reply-to-author functionality, in which case reply-to-list functionality is covered by the preceding change in the From: header field. That way, the original meaning of those fields is reversed.
Altering the author is not fair in general, and can break the expected relationship between meaning and appearance of that datum. It also breaks automated use of it. There are communities which use mailing lists to coordinate their work, and deploy tools which use the From: field to attribute authorship to attachments.[26]
Other workarounds
[edit]Wrapping the message works nicely, for those who use an email client which understands wrapped messages. Not doing any change is perhaps the most obvious solution, except that they seem to be legally required in some countries, and that routinely losing SPF authentication may render overall authentication more fragile.[27]
Sender field
[edit]Making changes to the From: header field to pass DKIM alignment may bring the message out of compliance with RFC 5322 section 3.6.2: "The 'From:' field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message." Mailbox refers to the author's email address. The Sender: header is available to indicate that an email was sent on behalf of another party, but DMARC only checks policy for the From domain and ignores the Sender domain.[note 2]
Both ADSP and DMARC[4] reject using the Sender field on the non-technical basis that many user agents do not display this to the recipient.
History
[edit]A draft DMARC specification has been maintained since 30 January 2012.[28]
In October 2013, GNU Mailman 2.1.16 was released with options to handle posters from a domain with the DMARC policy of p=reject.[22] The change tried to anticipate the interoperability issues expected in case restrictive policies were applied to domains with human users (as opposed to purely transactional mail domains).
In April 2014, Yahoo changed its DMARC policy to p=reject, thereby causing misbehavior in several mailing lists.[29][30] A few days later, AOL also changed its DMARC policy to p=reject.[31] Those moves resulted in a significant amount of disruption, and those mailbox providers have been accused of forcing the costs of their own security failures onto third parties.[32] As of 2020, the FAQ in the official DMARC wiki contains several suggestions for mailing lists to handle messages from a domain with a strict DMARC policy,[33] of which the most widely implemented is the mailing list changing the “From” header to an address in its own domain.
An IETF working group was formed in August 2014 in order to address DMARC issues, starting from interoperability concerns and possibly continuing with a revised standard specification and documentation.[34] Meanwhile, the existing DMARC specification had reached an editorial state agreed upon and implemented by many. It was published in March 2015 on the Independent Submission stream in the "Informational" (non-standard) category as RFC 7489.[35]
In March 2017, the Federal Trade Commission published a study on DMARC usage by businesses.[36] Out of 569 businesses, the study found about a third implemented any DMARC configuration, fewer than 10% used DMARC to instruct servers to reject unauthenticated messages, and a majority had implemented SPF.
Contributors
[edit]The contributors of the DMARC specification include:[37][38]
- Receivers: AOL, Comcast, Google (Gmail), Mail.Ru, Microsoft (Outlook.com, Hotmail),[39] Netease (163.com, 126.com, 188.com, yeah.net), XS4ALL, Yahoo, Yandex
- Senders: American Greetings, Bank of America, Facebook, Fidelity Investments, JPMorganChase, LinkedIn,[40] PayPal, Twitter[41]
- Intermediaries & Vendors:[42] Agari (Founder/CEO Patrick R. Peterson),[42] Cloudmark,[42] Red Sift,[42] ReturnPath,[42] Trusted Domain Project,[42] ProDMARC,[42]
Commercial services
[edit]Popular services that perform DMARC analysis and/or record validation include Red Sift, Valimail, dmarcian, DMARC Advisor and EasyDmarc and Cloudflare.[43]
See also
[edit]Notes
[edit]References
[edit]- ^ RFC 7489
- ^ a b c Murray Kucherawy; Elizabeth Zwicky (18 March 2015). Domain-based Message Authentication, Reporting, and Conformance (DMARC). IETF. doi:10.17487/RFC7489. RFC 7489.
- ^ Terry Zink (27 September 2016). "How we moved microsoft.com to a p=quarantine DMARC record". MSDN blog.
If that sounds like a lot of work, that's because it was
- ^ a b Kucherawy, M.; Zwicky, E. (15 July 2013). "Domain-based Message Authentication, Reporting and Conformance (DMARC) [draft 01]". IETF. Appendix A.3, Sender Header Field. Retrieved 24 May 2016.
- ^ "Bulk Senders Guidelines – Gmail Help". support.google.com. Retrieved 24 April 2015.
- ^ Dave Crocker (24 November 2020). "Doing a tree walk rather than PSL lookup". dmarc-ietf (Mailing list).
- ^ RFC 7489. sec. 6.3. doi:10.17487/RFC7489.
- ^ "Tutorial: Recommended DMARC rollout". google.com.
- ^ "Implementation Guidance: Email Domain Protection". cyber.gc.ca. 12 August 2021.
- ^ "User Guide for Cisco Domain Protection" (PDF). cisco.com. 25 May 2021.
- ^ Jonathan Kamens (9 October 2018). ""p=none" vs. "p=quarantine; pct=0"" (Mailing list).
- ^ Scott Kitterman (26 July 2021). Tim Wicinski (ed.). Experimental Domain-Based Message Authentication, Reporting, and Conformance (DMARC) Extension for Public Suffix Domains. IETF. doi:10.17487/RFC9091. RFC 9091.
- ^ "RUA vs RUF - Different DMARC Report Types Explained". Progist.net. 14 December 2023. Retrieved 14 December 2023.
- ^ "What is the rationale for choosing ZIP for the aggregate reports?". DMARC.org. 2012. Retrieved 3 April 2019.
Once GZIP is registered as a MIME application type with IANA, the DMARC group will consider it as inclusion in the draft
- ^ Murray S. Kucherawy; Elizabeth Zwicky, eds. (March 2015). "DMARC XML Schema". Domain-based Message Authentication, Reporting, and Conformance (DMARC). IETF. sec. C. doi:10.17487/RFC7489. RFC 7489. Retrieved 3 March 2019.
- ^ "I need to implement aggregate reports, what do they look like?". DMARC.org. Retrieved 26 May 2016.
- ^ "The Ultimate Guide to DMARC Reporting in 2022". 23 August 2019.
- ^ Franck Martin; Eliot Lear; Tim Draegen; Elizabeth Zwicky; Kurt Andersen, eds. (September 2016). "Alias". Interoperability Issues between Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Indirect Email Flows. IETF. sec. 3.2.1. doi:10.17487/RFC7960. RFC 7960. Retrieved 14 March 2017.
- ^ "How does email forwarding affect DMARC authentication results?". progist.net. 6 January 2023.
- ^ Anti-Spam Research Group. "Mitigating DMARC damage to third party mail".
- ^ dmarc.org wiki
- ^ a b Mark Sapiro (16 October 2013). "Mailman and DMARC". list.org. Retrieved 13 August 2015.
- ^ "Upcoming changes for lists.debian.org". lists.debian.org.
- ^ Al Iverson (9 April 2014). "Spam Resource: Run an email discussion list? Here's how to deal with DMARC". spamresource.com. Retrieved 18 April 2014.
- ^ "How Threadable solved the DMARC problem". Threadable Blog. Retrieved 21 May 2016.
- ^ Theodore Ts'o (18 December 2016). "Realistic responses to DMARC". IETF-Discussion (Mailing list). Retrieved 14 March 2017.
The fact that the from field is not rewritten is IMPORTANT because rewriting the from field would break the 'git am' command, since it uses the From: field to fill in the git commit's from field
- ^ John Levine (31 May 2014). "Mitigating DMARC damage to third party mail". wiki. ASRG. Retrieved 1 June 2014.
- ^ "History", dmarc.org
- ^ Lucian Constantin (8 April 2014). "Yahoo email anti-spoofing policy breaks mailing lists". PC World. Retrieved 15 April 2014.
- ^ Laura Atkins (12 April 2014). "Yahoo Statement on DMARC policy". wordtothewise.com.
- ^ Vishwanath Subramanian (22 April 2014). "AOL Mail updates DMARC policy to 'reject'". AOL. Archived from the original on 13 August 2015. Retrieved 13 August 2015.
- ^ John Levine (13 August 2016). "DMARC and ietf.org". IETF (Mailing list). Retrieved 10 October 2016.
- ^ "FAQ in DMARC wiki". Retrieved 15 July 2020.
- ^ "WG Action: Formed Domain-based Message Authentication, Reporting & Conformance (dmarc)". IETF-Announce (Mailing list). 11 August 2014. Retrieved 10 October 2016.
- ^ "DMARC FAQ". dmarc.org.
- ^ "Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication" (PDF). Federal Trade Commission. 3 March 2017.
- ^ Kucherawy, Murray; Zwicky, Elizabeth. "Acknowledgements". Domain-based Message Authentication, Reporting, and Conformance (DMARC). sec. E. I-D draft-kucherawy-dmarc-base-01.
- ^ DMARC Contributors (PDF)
- ^ Vitaldevara, Krish (10 December 2012). "Outlook.com increases security with support for DMARC and EV certificates". Outlook Blog. Microsoft. Retrieved 12 December 2012.
- ^ Martin, Franck (20 September 2012). "DMARC: a new tool to detect genuine emails". LinkedIn Engineering Blog. Linkedin. Retrieved 17 August 2013.
- ^ Josh Aberant (21 February 2013). "Introducing DMARC for Twitter.com emails". twitter.com. Retrieved 10 April 2014.
- ^ a b c d e f g "History – dmarc.org". dmarc.org. Retrieved 23 September 2020.
- ^ Hureau, Olivier; Bayer, Jan; Duda, Andrzej; Korczyński, Maciej (2024). Richter, Philipp; Bajpai, Vaibhav; Carisimo, Esteban (eds.). "Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC". Passive and Active Measurement. Cham: Springer Nature Switzerland: 232–261. doi:10.1007/978-3-031-56249-5_10. ISBN 978-3-031-56249-5.
External links
[edit]- Official website
- The Anti Spam Research Group wiki: Mitigating DMARC damage to third party mail
DMARC
View on Grokipediafrom Grokipedia
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol designed to protect domain owners from unauthorized use of their domain in email communications, such as spoofing and phishing attacks.[1] It builds upon two foundational standards—Sender Policy Framework (SPF), which verifies the sending IP address against authorized mail servers, and DomainKeys Identified Mail (DKIM), which uses cryptographic signatures to validate message integrity and origin—by aligning these mechanisms with the domain in the "From:" header and allowing domain owners to publish DNS-based policies specifying how receiving servers should handle messages that fail authentication.[2] Additionally, DMARC provides reporting features, including aggregate reports on email volume and authentication results as well as forensic reports on individual messages, enabling domain owners to monitor and refine their email ecosystem.[2]
Developed collaboratively by major technology companies including PayPal, Microsoft, Yahoo, and Google starting in 2010, DMARC was formally introduced as an open standard in 2012 to address limitations in SPF and DKIM, such as their inability to enforce domain-level policies or provide unified reporting. The protocol is specified in RFC 7489, an Informational document published by the Internet Engineering Task Force (IETF) on March 18, 2015, which defines its core mechanisms for policy advertisement, validation, and feedback. An updated specification known as DMARCbis is in the final stages of development as a Proposed Standard by the IETF, expected to be published soon.[2][3] Key policy options include "none" for monitoring without action, "quarantine" to treat suspicious emails as potential spam, and "reject" to block unauthenticated messages outright, giving domain owners granular control over enforcement.[2]
As of mid-2025, DMARC adoption has grown significantly, with approximately 18.2% of analyzed domains (from a sample of 10 million) implementing a valid DMARC record, though only about 10.6% enforce quarantine or reject policies, highlighting ongoing challenges in full deployment.[4] This increase—up roughly 75% from prior years—reflects mandates from governments and organizations, such as U.S. federal agencies requiring DMARC for enhanced email security, and its proven effectiveness in reducing phishing by up to 90% through spoofing prevention.[5][6] Despite widespread recognition, with over 66% of email senders aware of complementary SPF and DKIM usage, barriers like configuration complexity persist, underscoring DMARC's role as a critical yet evolving layer in the email authentication stack.[7]
This record sets a reject policy with strict DKIM alignment, relaxed SPF alignment, and full policy application, directing reports to the specified email addresses.[23]
An example of a basic monitoring record is:
Email receivers fetch the DMARC record by querying the DNS for the TXT resource record at the
This structure aggregates data without revealing individual message details, prioritizing privacy while offering actionable insights into email ecosystem health.[42]
Introduction
Definition and Purpose
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable email authentication protocol that enables domain owners to express domain-level policies for message validation, disposition, and reporting when emails fail authentication checks based on underlying mechanisms like SPF and DKIM.[2] Specified in RFC 7489 published in March 2015, DMARC builds on these foundational protocols by allowing organizations to publish DNS records that instruct receiving mail servers on how to handle messages purporting to originate from their domain but lacking proper authentication.[2] The primary purpose of DMARC is to protect email domains from unauthorized use, particularly in preventing phishing attacks, business email compromise (BEC), and impersonation by enabling domain owners to declare specific actions—such as monitoring, quarantining, or rejecting—unauthenticated messages.[2][8] By requiring alignment between the domain in the message's "From" header and the authenticated domains from SPF or DKIM, DMARC ensures that only legitimate senders can successfully deliver email on behalf of the domain, thereby reducing the risk of spoofing where attackers forge sender addresses to deceive recipients.[2] DMARC provides key benefits including enhanced visibility into the email ecosystem through aggregate and forensic reports that detail authentication outcomes and potential abuse, which helps domain owners monitor and refine their email practices.[2] These reports support sender reputation management by allowing organizations to identify and address unauthorized usage promptly, ultimately improving deliverability and trust in legitimate communications.[1] Historically, DMARC emerged in 2011 from collaborative efforts among major senders and receivers to address the limitations of SPF and DKIM alone, such as the lack of unified policy enforcement and reporting at scale, leading to its initial specification in 2012.[9][2]Relationship to SPF and DKIM
The Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify, via DNS TXT records, which mail servers are authorized to send email on behalf of their domain.[10] It verifies the sending IP address against these authorized hosts during SMTP transactions, returning results such as "pass" or "fail" to indicate whether the sender is legitimate.[10] DomainKeys Identified Mail (DKIM) provides a mechanism for email authentication through cryptographic signatures that assert responsibility for a message by its originating domain.[11] Senders apply a private key to sign selected headers and the message body, producing a hash that receivers verify using the corresponding public key published in the signer's DNS records, thereby confirming message integrity and origin without relying on envelope information.[11] DMARC builds upon SPF and DKIM by requiring that at least one of these mechanisms produces a "pass" result, with the authenticated identifier aligned to the domain in the RFC 5322 From header at either the organizational or domain level, to consider a message authenticated.[2] This dependency ensures DMARC cannot authenticate messages in isolation but leverages the strengths of SPF (envelope sender validation) and DKIM (content integrity) to provide a more robust framework.[2] SPF alone is limited in scenarios like email forwarding, where the envelope sender (MAIL FROM) is rewritten, potentially causing failures even for legitimate messages, while DKIM alone verifies signatures but does not enforce domain-level policies for handling failures.[2] DMARC addresses these gaps by combining the results of SPF and/or DKIM, applying alignment checks, and introducing explicit policy instructions to guide receiver actions on unauthenticated mail.[2]Core Mechanisms
Alignment Models
In DMARC, alignment models determine whether the domains identified by SPF or DKIM authentication mechanisms correspond sufficiently to the domain in the message's From header, ensuring that the authenticating entity is authorized to send on behalf of the claimed domain. This alignment check is a prerequisite for a DMARC authentication pass, preventing unauthorized senders from leveraging passing SPF or DKIM results. DMARC supports two alignment modes: strict and relaxed, specified via the "aspf" and "adkim" tags in the DMARC policy record, defaulting to relaxed if unspecified. In strict alignment, the domain from the SPF "HELO" or "MAIL FROM" identifier or the DKIM "d=" tag must exactly match the From header's organizational domain, allowing no subdomain variations. Conversely, relaxed alignment permits a broader match, where the SPF or DKIM domain can be a subdomain of the From header's organizational domain (or vice versa), accommodating common email infrastructure like subdomains for mailing services. For instance, if the From header is "[email protected]" and SPF authenticates from "mail.example.com", this passes relaxed alignment but fails strict alignment, as "mail.example.com" is a subdomain of "example.com". The concept of the organizational domain is central to alignment, representing the base domain (e.g., "example.com" for subdomains like "mail.example.com") that defines the scope for matching. Organizational domain discovery in the current specification (RFC 7489) relies on the Public Suffix List (PSL) to identify registrable domains, with the DMARCbis specification (internet-draft as of 2025)[12] introducing the Tree Walk algorithm as a replacement. The Tree Walk iteratively checks DNS records up the domain tree until a DMARC policy is found, eliminating PSL dependencies and improving reliability across top-level domains. The Tree Walk starts at the full domain and ascends parentward, stopping at the first domain with a valid DMARC record, which becomes the organizational domain for alignment purposes.[13] Alignment failure occurs if neither a passing SPF result nor a passing DKIM result aligns with the From header domain under the specified mode, resulting in an overall DMARC failure regardless of individual authentication outcomes. This ensures that even if SPF or DKIM passes technically, the message cannot be trusted for the claimed domain without proper alignment, prompting policy enforcement actions based on the DMARC configuration.Authentication Checks
DMARC authentication begins by identifying the Organizational Domain of the RFC 5322.From header field, which is determined by applying the rules for domain ownership as outlined in the DMARC specification (RFC 7489), using the Public Suffix List to find the base domain that the sender controls, with the DMARCbis draft proposing the Tree Walk algorithm as an alternative.[13][12] This domain serves as the reference for subsequent alignment checks. The receiver then performs SPF and DKIM authentications independently, evaluating whether each mechanism authenticates an identifier that aligns with the From domain under either strict (exact domain match) or relaxed (matching Organizational Domain) alignment modes, as specified in the DMARC policy.[14] For SPF, the check verifies if the sending IP address is authorized by the SPF policy of the domain in the RFC 5321.MailFrom (envelope sender) field, resulting in a "pass" only if this domain aligns with the From header domain.[15] Alignment occurs in relaxed mode if the Organizational Domains match (e.g., "child.example.com" aligns with "example.com") or in strict mode if the domains are identical; the domain from the HELO or EHLO command is used as the SPF identifier for alignment only if the RFC 5321.MailFrom has a null domain (i.e., <>); otherwise, the MailFrom domain is used.[15] Similarly, for DKIM, the receiver verifies the cryptographic signature(s) on the message, checking the "d=" (signing domain) tag in each signature; a "pass" requires at least one valid signature where the signing domain aligns with the From domain using the same strict or relaxed rules.[16] A message passes DMARC authentication if at least one of SPF or DKIM produces a passing result with proper identifier alignment; failure occurs if neither mechanism passes or if alignment is absent for both.[17] In cases of multiple DKIM signatures, the evaluation considers all present signatures, succeeding if any one is valid and aligns appropriately, while messages lacking a valid RFC 5322.From header or with malformed identifiers fall outside DMARC's scope and cannot align.[14] Upon completion, the receiving system adds a DMARC-Authentication-Results header field to the message, recording the outcome (such as "pass", "fail", or error codes like "temperror") for use in policy enforcement and reporting.[18]Policy Enforcement
DMARC policy enforcement occurs after email authentication checks, where receiving servers evaluate whether a message passes or fails the DMARC mechanism based on SPF and DKIM alignment. If a message fails these checks, the receiving server applies the domain owner's specified policy to determine its disposition, such as delivery, quarantine, or rejection.[19] The DMARC policy is defined by the "p=" tag in the domain's DMARC record, which specifies one of three options: "none", indicating monitoring only with no alteration to message delivery; "quarantine", instructing receivers to treat failing messages as suspicious, often by routing them to spam folders or applying other scrutiny; or "reject", requiring receivers to block delivery of failing messages.[17] The "none" policy allows domain owners to observe authentication patterns without impacting legitimate mail, while "quarantine" and "reject" progressively strengthen protection against spoofing.[17] Enforcement typically happens during the SMTP transaction for "reject" policies, where the receiving server issues a 5xx permanent failure code, such as "550 5.7.1 Email rejected per DMARC policy", to prevent message acceptance.[20] For "quarantine", enforcement is post-acceptance, with messages flagged or isolated rather than outright rejected, allowing flexibility for user review. Receivers may also silently discard messages under "reject" by returning a 250 success code while dropping the email, though explicit rejection during SMTP is recommended.[20] Subdomains can have their own policy via the "sp=" tag, which overrides the organizational domain's "p=" policy if set; for example, "sp=quarantine" applies specifically to messages purporting to originate from subdomains.[17] If "sp=" is absent, the subdomain inherits the parent domain's policy. The "pct=" tag enables gradual policy rollout by applying the specified action to only a percentage of failing messages (ranging from 0 to 100, defaulting to 100), such as "pct=50" to enforce on half of failures while monitoring the rest.[17] This allows domain owners to test enforcement without immediate widespread disruption. The "fo=" tag provides temporary overrides for triggering failure reports, specifying conditions like "fo=1" for reports on any authentication failure or "fo=d" for DKIM-specific failures, ensuring detailed visibility during enforcement transitions.[17]Configuration
DNS TXT Record Syntax
DMARC policies are published in the Domain Name System (DNS) as TXT records located at the subdomain_dmarc followed by the domain name, such as _dmarc.example.com. This placement allows email receivers to query the record during the Simple Mail Transfer Protocol (SMTP) session to retrieve the domain's authentication and disposition instructions.[21]
The syntax of a DMARC TXT record follows a tag-value format, where tags are separated by semicolons and values are assigned using equals signs. The Augmented Backus-Naur Form (ABNF) for the record is defined as dmarc-record = dmarc-version dmarc-sep [dmarc-request] *( ";" dmarc-request ), ensuring structured parsing of the content. Multiple TXT strings may be concatenated if the record exceeds DNS limits, and unknown tags are ignored during validation.[22]
Two tags are mandatory for a valid DMARC record: the version tag v, which must be set to DMARC1 and appear as the first tag, and the policy tag p, which specifies the requested disposition for failing messages and accepts values of none (monitor only), quarantine (treat as suspicious), or reject (block delivery). Domain owners typically begin with p=none to enable monitoring via reports without impacting message delivery, upgrading to p=quarantine or p=reject after reviewing aggregate reports for at least one week to confirm consistent authentication success.[17]
Common optional tags include rua for designating URIs (typically mailto: addresses) where aggregate reports are sent, ruf for failure reports, fo for failure reporting options (e.g., 1 to generate reports on any authentication failure), adkim for DKIM identifier alignment mode (with values r for relaxed or s for strict; defaults to r), and aspf for SPF domain alignment mode (also r or s; defaults to r). The pct tag allows specifying a percentage of messages (0-100; defaults to 100) to which the policy applies, enabling gradual rollout.[17]
A representative example of a complete DMARC TXT record is:
v=DMARC1; p=reject; rua=mailto:reports@[example.com](/page/Example.com); ruf=mailto:failures@[example.com](/page/Example.com); adkim=s; aspf=r; pct=100
v=DMARC1; p=reject; rua=mailto:reports@[example.com](/page/Example.com); ruf=mailto:failures@[example.com](/page/Example.com); adkim=s; aspf=r; pct=100
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
_dmarc subdomain of the message's RFC 5322 From domain; if absent, they query the organizational domain's subdomain. The record is parsed into tag-value pairs, and the resulting policy is enforced based on SPF and DKIM authentication outcomes, with external report URIs verified if they differ from the domain. It is recommended to ensure that SPF and DKIM records have been set up and are authenticating messages successfully for at least 48 hours before publishing the DMARC record.[24] Adding a DMARC TXT record to DNS typically takes minutes, while propagation across the global DNS network can take up to 48 hours, though often faster. Domain owners can verify the record's visibility and correctness using tools such as MX Toolbox's DMARC Check or dmarcian's DMARC Inspector.[25][26][27][28][29]
Policy Options
DMARC policy options are specified through tags in the DNS TXT record, allowing domain owners to define how receivers should handle messages that fail authentication checks. The primary policy tag is p, which dictates the requested action for the domain: "none" instructs receivers to take no action beyond monitoring, enabling domain owners to observe traffic without disrupting delivery; "quarantine" treats failing messages as suspicious, typically routing them to the spam folder; and "reject" requires receivers to refuse delivery of failing messages during the SMTP transaction.[17] This tag is mandatory for a valid DMARC record and applies to the organizational domain unless overridden.[16] For subdomains, the sp tag sets an independent policy, using the same values as p ("none", "quarantine", or "reject"), which allows granular control over subdomain-specific handling without affecting the parent domain.[17] If sp is absent, it defaults to the value of p, ensuring consistent policy inheritance unless explicitly customized.[15] This separation supports scenarios where subdomains, such as those used for specific services, require different enforcement levels. Alignment strictness is controlled by adkim for DKIM and aspf for SPF, each accepting "r" (relaxed) or "s" (strict) modes to determine how closely the authenticating domains must match the message's domain.[17] In relaxed mode (the default for both), alignment succeeds if the domains share the same organizational domain or parent; strict mode requires an exact match, offering tighter security at the potential cost of flexibility.[26] These tags interact with the policy by influencing whether a message passes DMARC authentication, thereby triggering the p or sp action only if alignment fails alongside SPF or DKIM checks. The pct tag limits the enforcement scope by specifying the percentage (0-100, default 100) of failing messages to which the policy applies, facilitating gradual rollout without immediate full enforcement.[17] For example, setting pct=50 means the policy action (e.g., reject) is applied to half of the failing messages selected randomly by the receiver, while all messages continue to generate reports regardless of this tag.[30] This interaction allows domain owners to monitor impact before increasing the percentage, reducing risks during implementation. Reporting frequency is adjusted via the ri tag, a 32-bit unsigned integer in seconds indicating the desired interval between aggregate reports (default 86400, or daily).[17] Receivers aim to comply on a best-effort basis, often sending reports daily or more frequently if feasible, ensuring domain owners receive timely visibility into authentication outcomes.[31] For public suffix domains, the np tag, introduced experimentally, defines the policy for non-existent subdomains (DNS NXDOMAIN responses), using values "none", "quarantine", or "reject" to mitigate abuse from unregistered subdomains.[32] If absent, it defaults to the p value, which is typically "none" for public suffixes to avoid overly restrictive enforcement on registrars.[33] This tag enhances protection for top-level domains by allowing policies tailored to hypothetical subdomains that do not exist, as outlined in RFC 9091.[34]Reporting Directives
DMARC reporting directives enable domain owners to specify destinations for receiving feedback on email authentication outcomes, facilitating monitoring and analysis without delving into report structures. These directives are optional tags within the DMARC DNS TXT record, allowing receivers to send aggregate summaries and failure notifications to designated URIs.[2] The rua tag designates one or more URIs where aggregate reports—summarizing DMARC validation results over a 24-hour period—are to be delivered. Supported URI schemes include mailto: for email transmission and https:// for secure web posting, with multiple destinations specified as a comma-separated list. Aggregate reports from a given reporting source are generated daily in XML format, compressed with GZIP, and sent only once per unique source to avoid redundancy.[17][30] The ruf tag similarly specifies URIs for forensic reports, which provide message-specific details on authentication failures, using the same mailto: and https:// schemes in a comma-separated list. These reports are generated and sent in near real-time upon detection of a failure, aiding in rapid investigation of potential abuse. The ruf tag is particularly useful when paired with failure reporting options to control the scope of notifications.[17][35] The fo (failure options) tag controls the conditions under which forensic reports are triggered, requiring the presence of the ruf tag to be effective. Its value is a colon-separated list of characters, with the following options:- 0: Generate a report if all underlying authentication mechanisms (SPF and DKIM) fail (default behavior).
- 1: Generate a report if any underlying authentication mechanism fails.
- d: Include a report for DKIM failures, regardless of SPF results.
- s: Include a report for SPF failures, regardless of DKIM results.
Reporting and Monitoring
As of November 2025, DMARC reporting mechanisms are defined in RFC 7489 (2015), with proposed updates in the advanced DMARCbis draft (draft-ietf-dmarc-dmarcbis-41, last updated July 2025). Key changes in the draft include stricter XML schemas for aggregate reports with new tags (e.g., for generator and human-readable results), removal of the 'ri' tag to enforce daily or more frequent reporting, mandatory external destination validation, limits on DKIM signatures per row, and separation of aggregate and failure reporting into dedicated specifications. Failure reporting remains unchanged.[3][2]Aggregate Reports
Aggregate reports in DMARC, also known as RUA reports, provide domain owners with periodic summaries of email authentication outcomes for messages claiming their domain in the From header. These reports enable monitoring of sending sources, identification of authentication failure patterns, and assessment of overall compliance rates with DMARC policies.[30] The reports follow an XML format specified in RFC 7489, with a root element of<feedback> that encapsulates metadata, policy details, and aggregated data records. The structure includes a <report_metadata> element for report identification (such as organization name, reporting email, report ID, and date range via <begin> and <end> timestamps in Unix epoch seconds), a <policy_published> element detailing the DMARC policy applied during the period (including domain, alignment modes like adkim and aspf, policies p and sp, percentage pct, and failure reporting options fo), and one or more <record> elements containing the aggregated data. Each <record> includes a <row> for summary metrics, <identifiers> for evaluated domains (such as envelope_from, envelope_to, and header_from), and <auth_results> for detailed SPF and DKIM outcomes.[37][30]
Within each <row>, key data encompasses the source IP address of the connecting MTA (<source_ip>), the number of messages summarized (<count>), and authentication results under <policy_evaluated>, including the disposition applied (none, quarantine, or reject), SPF result (none, neutral, pass, fail, softfail, temperror, or permerror), and DKIM result (none, pass, fail, policy, neutral, temperror, or permerror). DMARC alignment and overall pass/fail status are derived from these SPF and DKIM outcomes combined with header alignment. The <identifiers> and <auth_results> provide context on domains and specific authentication details, such as the DKIM signing domain or SPF scope.[38][37]
For delivery, aggregate reports are generated and sent at least daily (default interval of 86400 seconds) or more frequently if specified via the ri= reporting interval directive in the DMARC record, typically to URIs designated in the rua= tag (such as mailto: addresses). To authorize a specific external domain (e.g., externaldomain.com) to receive reports for the receiving domain (e.g., receivingdomain.com), publish a TXT DNS record at externaldomain.com._report._dmarc.receivingdomain.com with value "v=DMARC1;" (semicolon optional but recommended for compliance). A wildcard record *._report._dmarc.receivingdomain.com with value "v=DMARC1;" authorizes reports from any domain, though this is not recommended for security reasons as it may allow unauthorized submissions, but it is common in shared reporting setups.[39][40] The XML content is compressed using GZIP, with a media type of application/gzip, and attached to email messages using a standardized filename format: {reporting-URI}!{policy-domain}!{begin-timestamp}!{end-timestamp}.xml.gz. This ensures efficient transmission and storage for ongoing analysis.[41][17]
A representative example of a <row> element within a <record> might appear as follows, summarizing messages from a specific IP:
xml
<row>
<source_ip>192.0.2.1</source_ip>
<count>5</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<row>
<source_ip>192.0.2.1</source_ip>
<count>5</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
Failure Reports
Failure reports, also known as forensic or RUF reports, provide detailed, per-message information about emails that fail DMARC authentication checks, enabling domain owners to perform targeted investigations.[2] These reports are triggered based on the "fo" (failure options) tag specified in the DMARC TXT record, which determines the conditions for generating a report. For instance, "fo=0" (the default) triggers a report only if both SPF and DKIM fail to produce an aligned pass result, while "fo=1" triggers on any authentication failure, and options like "fo=d" or "fo=s" limit reports to DKIM or SPF failures, respectively.[17] The "ruf" tag must also be present in the record, specifying the URI (typically an email address) where reports are sent.[22] The format follows the Authentication Failure Reporting Format (AFRF), a structured subset of the Abuse Reporting Format (ARF) defined in RFC 6591, sent as a multipart MIME email and differing from the XML-based aggregate reports by focusing on individual incidents rather than summaries.[43][35] Key elements include a human-readable text part, a machine-readable feedback report with authentication details, and an attachment containing the original message headers or full body.[44] Within the feedback report, the content is organized into fields such as "auth_results" detailing SPF and DKIM outcomes (e.g., SPF-DNS record, DKIM-Domain, DKIM-Selector, and evaluation results like pass or fail), a "received" chain tracing the message path via header fields, and policy details like the evaluated DMARC policy and alignment mode.[45][46] The attachment typically includes the raw message, including full headers and a body snippet, to facilitate forensic analysis.[35] The primary purpose of failure reports is to aid in debugging specific authentication failures, such as misconfigurations in sending infrastructure, and investigating potential abuse like spoofing attempts by examining the exact message and authentication artifacts.[35] However, these reports are optional for receiving servers, which may decline to send them due to privacy concerns, as they often contain sensitive information like full email headers, recipient addresses, and message bodies.[35] Additionally, receivers are encouraged to rate-limit or aggregate reports (e.g., by recipient domain or time window) to prevent denial-of-service risks from high-volume senders.[35]Report Interpretation and Tools
Interpreting DMARC reports involves examining key metrics to assess email authentication efficacy and identify potential issues. Pass rates for SPF and DKIM indicate the proportion of messages that successfully authenticate via these mechanisms, typically expressed as percentages within the report's record counts; for instance, a high SPF pass rate above 90% suggests robust sender authorization, while lower rates may signal misconfigurations.[47] Top failing IPs highlight source addresses responsible for the majority of authentication failures, allowing domain owners to prioritize investigations into unauthorized senders. Alignment issues, derived from the row-level policy_evaluated elements, reveal mismatches between the From domain and SPF/DKIM identifiers, often due to subdomain usage or forwarding, with common failure modes including "spf=permerror" or "dkim=fail" paired with non-aligned headers.[48][49] Analysis of DMARC reports begins with parsing the XML structure to extract structured data from aggregate or failure reports. Tools convert raw XML into tabular formats, aggregating volumes of passes, fails, and policy outcomes across reporting periods. Visualization techniques, such as charts for failure trends over time or heatmaps of IP distributions, help quantify volumes and spot anomalies like sudden spikes in fails from new IPs. Identifying legitimate versus malicious sources requires cross-referencing report data against known authorized senders; for example, legitimate traffic from marketing platforms may show consistent passes, while sporadic fails from residential IPs could indicate spoofing attempts.[50][51][52] Several open-source tools facilitate DMARC report interpretation by automating parsing and visualization. Dmarcian's free XML-to-human converter processes aggregate reports into readable summaries, highlighting key metrics like pass rates and failing sources without requiring a paid account. Postmark's DMARC Weekly Digests service ingests reports from major providers and delivers human-readable email summaries, focusing on alignment issues and top IPs for quick insights. The Python-based parsedmarc library serves as a CLI utility and module for parsing reports, integrating with Elasticsearch and Kibana for advanced visualization of failure volumes and policy evaluations.[53][54][55] Best practices for report interpretation emphasize aggregating data over extended periods, such as weekly or monthly summaries, to discern trends beyond daily fluctuations and establish baselines for pass rates. Correlating report findings with internal email logs enables validation of legitimate sends against reported authentications, resolving discrepancies like unreported forwards. Monitoring during pct rollouts—gradually increasing the percentage of emails subject to policy enforcement from 10% to 100%—involves tracking failure rates at each increment to avoid deliverability disruptions, with adjustments based on observed alignment issues.[56][57][58] Handling privacy in DMARC reports is crucial, as they contain sensitive metadata like source IP addresses that could reveal user or organizational details if exposed. Best practices include anonymizing such data, such as hashing or truncating IPs, before storage or sharing to mitigate risks from report floods or unauthorized access, while implementing External Destination Verification to control report recipients.[59][60]Implementation Guide
Step-by-Step Adoption Process
Before implementing DMARC, organizations must establish valid SPF and DKIM records for their domain and ensure they have been properly authenticating messages for at least 48 hours to allow full DNS propagation and reliable authentication signals. These prerequisites ensure that email authentication signals are in place, allowing DMARC to evaluate alignment between the sending domain and message headers without immediate disruptions.[61][62][27] The adoption process begins with publishing an initial DMARC DNS TXT record at the subdomain_dmarc.example.com (where "example.com" is the organizational domain) using the policy tag p=none, which instructs receivers to take no action on failing messages but to continue monitoring. Adding the DNS TXT record typically takes minutes, with propagation typically up to 48 hours (often faster).[17] This record must include the rua= tag specifying one or more URIs (typically mailto: addresses) where aggregate reports will be sent, enabling the organization to collect visibility into email traffic without enforcing policies.[30] For example, a basic record might read: v=DMARC1; p=none; rua=mailto:[email protected].[63]
Next, organizations analyze the incoming aggregate reports from the rua= URI to identify authorized email senders and detect unauthorized or misaligned traffic. These XML-formatted reports, generated daily by participating receivers, detail authentication outcomes, volume statistics, and sources of email for the domain, helping to map legitimate senders and pinpoint issues such as unsigned bulk mail or spoofing attempts. This step requires reviewing aggregate reports for at least one week to establish a baseline, though several weeks of data collection is typically needed to build a comprehensive view of the sending infrastructure.[38][31][58]
Once legitimate senders are identified, adjustments are made to SPF and DKIM configurations to ensure proper alignment with the From: header domain, using the aspf= and adkim= tags in the DMARC record (set to r for relaxed or s for strict mode) to define how closely identifiers must match. To introduce enforcement gradually and avoid widespread delivery issues, the pct= tag is set to a low percentage (e.g., pct=10 to apply the policy to only 10% of failing messages), allowing a transition to p=quarantine while monitoring impacts.[25][17]
As confidence in the setup grows, the policy is escalated to p=quarantine for broader application (e.g., marking failing messages as spam), followed by p=reject to instruct receivers to refuse delivery of non-compliant emails entirely. For subdomains, a separate sp= tag is configured (e.g., sp=reject) to apply tailored policies, preventing inheritance issues from the parent domain's record. Policy options like p=reject ensure strong protection once alignment is verified across all senders.[17][19][63]
Finally, ongoing monitoring involves reviewing failure reports via the optional ruf= tag (e.g., ruf=mailto:[email protected]), which provides detailed forensic data on individual failing messages, including headers and authentication results, to identify and resolve breakages such as third-party service misconfigurations. The fo= tag can be used to control report generation (e.g., fo=1 for all failures), facilitating rapid handling of delivery disruptions during enforcement. This iterative monitoring ensures sustained efficacy as email practices evolve.[35][64][62]
Best Practices and Common Pitfalls
Organizations implementing DMARC should begin with a monitoring-only policy ofp=none to observe authentication results without affecting message delivery, for an extended period sufficient to gather sufficient data on legitimate email flows and establish a baseline. This approach allows domain owners to identify and resolve issues in SPF and DKIM configurations before enforcing stricter policies. Prior to deploying DMARC, it is essential to achieve 100% coverage of SPF and DKIM authentication across all outbound email sources, ensuring that legitimate messages pass at least one mechanism with proper alignment. For redundancy in report reception, domain owners are advised to specify an external rua= URI in the DMARC record, such as a third-party service, but this requires verification via a DNS TXT record at the external domain to authorize report delivery and prevent abuse.[65][66][67][26]
A common pitfall in DMARC deployment is adopting overly strict alignment modes (adkim=s and aspf=s), which can cause failures for legitimate emails where domain mismatches occur, leading to unnecessary rejections or quarantines. Another frequent error is ignoring subdomains, as a base domain policy does not automatically apply to subdomains unless explicitly set via the sp= tag, potentially leaving them vulnerable to spoofing. Misconfiguring the pct= tag can also result in uneven policy enforcement; for instance, setting a low percentage too hastily may fail to protect the majority of traffic, while abrupt increases can disrupt delivery. Rushing to enforcement policies without adequate time to review aggregate reports and establish a baseline of legitimate traffic is another common pitfall, which can lead to delivery issues for authorized emails.[13][68][69][58]
To enhance security, domain owners should rotate DKIM keys used for DMARC-aligned signing at regular intervals, such as every 6 to 24 months, to mitigate risks from key compromise. Reporting URIs in rua= and ruf= tags must be validated, especially for external destinations, to ensure only authorized recipients receive sensitive data. Compliance with RFC 9091 is recommended for handling public suffix domains (PSDs), allowing operators of PSDs like certain top-level domains to publish policies via the np= tag and register in the PSD DMARC registry to protect non-existent subdomains. Implementers should monitor IETF developments, such as DMARCbis drafts for updates to reporting and policy mechanisms, as of 2025.[70][71][34][72]
For a smooth rollout, organizations should employ a phased strategy by incrementally increasing the pct= value—starting at 10-25% after initial monitoring and gradually advancing to 100%—while continuously analyzing aggregate reports to avoid widespread delivery disruptions. This methodical progression helps maintain email deliverability during the transition to enforcement policies like p=[quarantine](/page/Quarantine) or p=reject.[58][73]