Suped

Does DMARC authenticate the 'From' header directly?

It’s a common point of confusion, but the short answer is no: DMARC does not authenticate the 'From' header directly. Instead, it plays a different but equally crucial role. DMARC verifies that the domain in the visible 'From' header, the one your recipients see in their email client, is aligned with the domains authenticated by SPF and DKIM. This alignment check is what prevents bad actors from spoofing your domain and tricking your recipients.

To understand how this works, you first need to know that every email has two 'from' addresses. There’s the address you see in your inbox (the 'Header From' or 'Friendly From'), and a hidden one used by mail servers called the 'Envelope From' or 'Return-Path'. SPF and DKIM, the foundational email authentication standards, work with these addresses, but not always in the way you might expect.

Abnormal AI says: "It ensures the From: header aligns with the authenticated domain, enhancing email validation. DMARC works with both DKIM and SPF to authenticate and deliver..."

SPF authenticates the server sending the email, checking if its IP address is authorized to send for the domain found in the 'Envelope From'. DKIM adds a digital signature to the email, which is linked to a specific domain. The problem is that neither of these protocols, on its own, requires the domain they are authenticating to match the domain in the visible 'From' header. This is a significant loophole that phishers and spammers can exploit.


How DMARC creates alignment

DMARC closes this loophole by introducing the concept of 'alignment'. For an email to pass DMARC, it must not only pass SPF or DKIM, but the domain used for that authentication must also align with the domain in the 'From' header. As Mailmodo puts it, a message will pass DMARC based on how strongly the From header matches the sending domain specified by SPF and DKIM.

LuxSci says: "The DMARC validation requires that the domain in the visible From: field matches the domain used in the MAIL FROM: field used for accessing the..."

This check happens in two ways:

  • SPF Alignment: The domain in the 'Envelope From' (which SPF authenticates) must match the domain in the 'Header From'. If they match, the email achieves SPF alignment.
  • DKIM Alignment: The domain specified in the DKIM signature (the d= tag) must match the domain in the 'Header From'. If they match, the email achieves DKIM alignment.

An email only needs to pass one of these alignment checks to pass DMARC: if either SPF or DKIM passes and its authenticated domain aligns with the domain in the email's 'From' header, the message is considered authenticated. As Amazon Web Services explains, the domain's DMARC policy protects your domain from third parties attempting to spoof the domain in the 'From' header. If an email fails DMARC, your DMARC policy tells the receiving server whether to accept, quarantine, or reject the message.

Why is this distinction important?

Without DMARC's alignment check, a spammer could send an email using their own domain that passes SPF and DKIM perfectly fine, but put your company's domain in the visible 'From' header. Your customers would see an email that looks like it came from you, even though the underlying authentication records point elsewhere. It’s a classic phishing tactic.

DMARC connects the authentication performed by SPF and DKIM directly to the domain the user sees, effectively making sure that what you see is what you get. So, while DMARC doesn't authenticate the 'From' header in isolation, it is the critical protocol that validates it, providing a robust defense against spoofing and phishing attacks.
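The two alignment checks described under "How DMARC creates alignment" and the spoofing scenario in the section above, worked through as an added Python example. This is not code from the original article or from Suped's product. It assumes the receiving server has already produced the SPF and DKIM pass/fail results (they are passed in as inputs; no DNS lookups or signature verification happen here), and it reads the 'Envelope From' domain from the Return-Path header that a receiving server records from MAIL FROM. It goes slightly beyond the text by implementing both relaxed alignment (organizational domains match) and strict alignment (exact match), which a DMARC record selects with its aspf and adkim tags. The organizational-domain shortcut (last two labels) and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def _domain_of(addr_header):
    """Lower-cased domain part of an address header such as
    'Alice <alice@example.com>' or '<bounce@mail.example.com>'."""
    _, addr = parseaddr(addr_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels. A real
    validator consults the Public Suffix List (so 'example.co.uk' works);
    this shortcut is an assumption made for the example."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def is_aligned(auth_domain, header_from_domain, mode="r"):
    """DMARC identifier alignment. mode 'r' (relaxed): organizational
    domains must match. mode 's' (strict): the domains must be identical."""
    if not auth_domain or not header_from_domain:
        return False
    if mode == "s":
        return auth_domain == header_from_domain
    return organizational_domain(auth_domain) == organizational_domain(header_from_domain)


def dkim_signing_domains(msg):
    """Collect the d= tag from every DKIM-Signature header on the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            domains.append(m.group(1).lower())
    return domains


def evaluate_dmarc(raw_message, spf_result, dkim_result, aspf="r", adkim="r"):
    """Decide DMARC pass/fail from already-computed SPF and DKIM results
    ('pass' or 'fail', as the receiving server would record them).
    SPF aligns on the Return-Path (MAIL FROM) domain; DKIM aligns on the
    d= domain of a passing signature. Either aligned pass is enough."""
    msg = message_from_string(raw_message)
    header_from = _domain_of(msg.get("From"))
    envelope_from = _domain_of(msg.get("Return-Path"))
    spf_aligned = spf_result == "pass" and is_aligned(envelope_from, header_from, aspf)
    dkim_aligned = dkim_result == "pass" and any(
        is_aligned(d, header_from, adkim) for d in dkim_signing_domains(msg)
    )
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


def apply_policy(result, p):
    """Map the DMARC verdict onto the domain owner's published p= policy."""
    if result["dmarc_pass"]:
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[p]


# Constructed sample 1: legitimate mail. Bounces go to a subdomain and the
# DKIM signature is from the organizational domain, so it aligns (relaxed).
LEGIT = """Return-Path: <bounces@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=...; b=...
From: Billing <billing@example.com>
To: customer@example.net
Subject: Your invoice

Hello.
"""

# Constructed sample 2: the spoof described above. SPF and DKIM both pass for
# the sender's own domain, but the visible From claims example.com.
SPOOF = """Return-Path: <x@attacker-domain.test>
DKIM-Signature: v=1; a=rsa-sha256; d=attacker-domain.test; s=k1; h=from:to:subject; bh=...; b=...
From: Billing <billing@example.com>
To: customer@example.net
Subject: Your invoice

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        verdict = evaluate_dmarc(raw, spf_result="pass", dkim_result="pass")
        print(name, verdict, "->", apply_policy(verdict, "reject"))
```

Running the block shows the legitimate message passing on both identifiers and the spoofed message failing both alignment checks even though SPF and DKIM themselves passed, which is exactly the gap the article describes; with p=reject the receiving server would refuse it. Switching aspf to "s" makes the legitimate message's SPF alignment fail (mail.example.com is not exactly example.com), so it then relies on its DKIM alignment alone.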
