Suped

Does DMARC policy apply to the header 'From' address?

Yes, absolutely. In fact, the DMARC policy's primary purpose is to ensure the authenticity of the domain in the header 'From' address. This is the address that you, as an email recipient, see in your inbox. This focus is what makes DMARC a powerful tool against email spoofing and phishing.

Before DMARC, other email authentication methods like SPF and DKIM existed, but they had a loophole. They authenticated the sending server or the message's integrity, but didn't necessarily check if the friendly 'From' address presented to the user was legitimate. DMARC closes this gap by introducing a concept called 'alignment'.

Mailmodo says:
DMARC alignment refers to the validation of the alignment between the domain used in the "From" address of an email (also known as the RFC5322.

Understanding the two 'From' addresses

To understand how DMARC works, it's crucial to know that every email has two 'From' addresses. This is often a source of confusion.

  • The Header 'From' (RFC5322.From): This is the address displayed by email clients like Gmail and Outlook. It's the one you see as the sender. As Bitsight points out, it's "usually the only address displayed by email clients."
  • The Envelope 'From' (MAIL FROM or Return-Path): This address is used during the SMTP transaction, the technical conversation between mail servers. It's typically hidden from the user and is used to handle bounces.

A malicious actor could easily put a trusted domain (like your bank's) in the Header 'From' while using their own authenticated domain in the Envelope 'From'. Without DMARC, this email could pass SPF checks and still appear to be from a legitimate source.

How DMARC uses alignment

DMARC works by checking that the domain in the user-visible Header 'From' address matches, or aligns with, the domain that SPF validated (the Envelope 'From' domain) and the signing domain carried in the DKIM signature. This is the core principle of DMARC authentication.

Zoho says:
DMARC alignment ensures that the domains found in the SPF record and DKIM signature align with the domain found in the From header of the email.

For an email to pass DMARC, at least one of the following checks must both pass its underlying authentication and align:

  • SPF Alignment: The domain in the Envelope 'From' address (which is what SPF validates) must match the domain in the Header 'From' address. If they don't match, SPF alignment fails, even if the SPF check itself passes.
  • DKIM Alignment: The domain specified in the DKIM signature (the d= tag) must match the domain in the Header 'From' address. If they don't align, DKIM alignment fails.

By enforcing this alignment, DMARC ensures that the domain you see is the domain that's actually authenticating the email. This is how it protects your domain from being used in email spoofing and phishing scams.

What happens when alignment fails?

When an email fails the DMARC alignment check, the receiving mail server looks at your DMARC policy. The policy is published in your domain's DNS records and tells the server what to do with the failed message. The policy can be one of three things:

  • p=none: The server takes no action but will send reports about the failure to the address specified in your DMARC record. This is a monitoring-only policy.
  • p=quarantine: The server is instructed to treat the email with suspicion, usually by placing it in the recipient's spam or junk folder.
  • p=reject: The server is instructed to reject the email outright. The message will not be delivered to the recipient at all.
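The alignment rules above and the three policy outcomes can be exercised end to end with a small evaluator. The following is an added example written for this page, not Suped's code: it parses a DMARC TXT record, checks SPF and DKIM identifier alignment against the Header 'From' domain, and returns the disposition the published p= tag calls for. It goes slightly beyond the text by honouring the record's aspf and adkim tags, which select strict (exact domain match) or relaxed (same organizational domain) alignment; the record, the three sample messages and the simplified organizational-domain helper are all constructed for the example and are labelled as such in the comments.

```python
"""Added example (not Suped's code): evaluate DMARC alignment and apply the
published policy the way a receiving mail server would."""

# Constructed DMARC record, as a receiver would fetch it from the
# _dmarc.<domain> TXT entry. p = policy, aspf/adkim = alignment mode
# ('s' strict, 'r' relaxed), rua = aggregate report address.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com"

# Constructed sample messages: Header 'From', Envelope 'From' (MAIL FROM),
# the SPF result for the Envelope 'From' domain, and the DKIM d= domain/result.
LEGIT = {"header_from": "alice@example.com", "mail_from": "bounce@example.com",
         "spf_result": "pass", "dkim_domain": "example.com", "dkim_result": "pass"}
# Trusted domain in the Header 'From', but SPF and DKIM authenticate a different domain.
SPOOFED = {"header_from": "alice@example.com", "mail_from": "bounce@unrelated.example",
           "spf_result": "pass", "dkim_domain": "unrelated.example", "dkim_result": "pass"}
# Legitimate subdomain sender with no DKIM signature: passes only under relaxed SPF alignment.
SUBDOMAIN = {"header_from": "alice@example.com", "mail_from": "bounce@mail.example.com",
             "spf_result": "pass", "dkim_domain": None, "dkim_result": "none"}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # policy defaults to monitoring only
    tags.setdefault("aspf", "r")       # both alignment modes default to relaxed
    tags.setdefault("adkim", "r")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: a real receiver consults the Public Suffix List so that
    names like example.co.uk are handled; this toy rule is enough here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs
    the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(msg, record):
    """Return (dmarc_result, disposition): DMARC passes if SPF or DKIM both
    passed and aligns with the Header 'From' domain; otherwise apply p=."""
    from_domain = msg["header_from"].rsplit("@", 1)[1]
    mail_from_domain = msg["mail_from"].rsplit("@", 1)[1]
    spf_ok = (msg["spf_result"] == "pass"
              and aligned(mail_from_domain, from_domain, record["aspf"]))
    dkim_ok = (msg["dkim_result"] == "pass" and msg["dkim_domain"] is not None
               and aligned(msg["dkim_domain"], from_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[record["p"]]


def demo():
    """Evaluate the three constructed messages against the example record."""
    record = parse_dmarc_record(EXAMPLE_RECORD)
    return {name: evaluate_dmarc(msg, record)
            for name, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} dmarc={result[0]:4s} disposition={result[1]}")
```

Running it shows the spoofed message failing and being quarantined because neither authenticated domain aligns with example.com, and the subdomain sender failing only because the record asks for strict SPF alignment (aspf=s); with the default relaxed mode the same message passes, which is the usual reason a domain's own subdomain traffic shows up as DMARC failures in aggregate reports.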

In summary, DMARC is fundamentally tied to the Header 'From' address. It was created specifically to ensure that the domain users see is the same domain that is authorizing the email's delivery, thereby building trust in your domain and protecting everyone from phishing.
