What is DMARC alignment?

DMARC alignment refers to the process where the domain used for SPF or DKIM authentication matches, or is a subdomain of, the visible From: header domain. If an email passes either SPF or DKIM and the relevant domain aligns with the From: domain, the DMARC check passes.

Can DMARC be implemented on subdomains?

Yes, DMARC can be implemented at the subdomain level. You can publish separate DMARC records for specific subdomains or define a subdomain policy within your main organizational DMARC record using the sp tag.

Why do I need DMARC if I already have SPF and DKIM?

While SPF and DKIM authenticate email senders, they don't explicitly tell receiving servers what to do with unauthenticated emails, nor do they verify the visible From: header. DMARC ties these two protocols together, adds the crucial concept of domain alignment, and provides a policy layer (none, quarantine, reject) to instruct receivers on how to handle emails that fail authentication and alignment. It also provides reporting mechanisms.

What happens if my DMARC reports go to a service I don't use?

If your DMARC reports are configured to go to an external service that you don't have an active contract with, it's highly likely that you are not benefiting from the reports. The service may be receiving and discarding them, leaving you without crucial visibility into legitimate email flows or spoofing attempts targeting your domain.

How long does it take to deploy DMARC fully?

The full deployment of DMARC from a 'p=none' monitoring policy to an enforcing 'p=reject' policy can take anywhere from a few weeks to several months, depending on the complexity of your email ecosystem and the number of legitimate sending sources that need to be aligned and authenticated. It is a phased approach that requires continuous monitoring and analysis of DMARC reports.

Are there any downsides to implementing DMARC?

The main downside is the potential for legitimate emails to be incorrectly classified as spam or blocked if your SPF and DKIM records are not fully comprehensive for all your sending sources. This is why a cautious, phased implementation approach with thorough monitoring is essential.

How does DMARC work, why implement it with SPF and DKIM, and what tools are available for DMARC record creation? - Technical - Email deliverability - Knowledge base

Email authentication is a critical defense against phishing and spoofing attacks. While Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) lay the groundwork, DMARC (Domain-based Message Authentication, Reporting, and Conformance) brings these protocols together, adding a layer of policy enforcement and reporting that’s essential for modern email security.

Simply put, DMARC acts as a referee, telling receiving email servers what to do if an incoming email claiming to be from your domain fails its SPF or DKIM checks. Without DMARC, even if you have SPF and DKIM configured, malicious actors can still spoof your domain, and you’d have no visibility into these attempts or control over how they are handled by recipients.

Implementing DMARC provides crucial insights into your email ecosystem and empowers you to protect your brand's reputation. It’s not just about stopping spoofing, it’s about gaining control and ensuring your legitimate emails reach the inbox.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

How DMARC works: The role of alignment

DMARC’s functionality is deeply tied to SPF and DKIM, but it adds a crucial concept: alignment. For DMARC to pass, an email must pass either SPF or DKIM, and crucially, the domain used in the authentication check (the SPF domain or DKIM signing domain) must align with the From header domain that the user sees. This alignment is key because SPF and DKIM alone don’t verify the visible From address.

For SPF, alignment means the domain in the Return-Path (or Mail From) header matches or is a subdomain of the From header domain. For DKIM, the domain specified in the d= tag of the DKIM signature must align with the From header domain. If either of these alignment checks passes, then DMARC considers the email legitimate according to your policy. More details can be found in a brief DMARC primer.

This mechanism of checking alignment is what makes DMARC so effective against direct domain spoofing, where attackers try to impersonate your brand directly in the From address. This differs from how SPF and DKIM operate alone, which primarily verify the sender's infrastructure rather than the visible domain. For more about this, see how email authentication standards work together.

How DMARC processing works

Sender Policy Framework (SPF) check: The receiving server checks the sender's IP address against the SPF record published in the DNS for the Return-Path domain. If the IP is authorized, SPF passes.
DomainKeys Identified Mail (DKIM) check: The server verifies the digital signature attached to the email against the public key published in the DNS for the DKIM signing domain. If the signature is valid, DKIM passes.
DMARC alignment check: DMARC then checks if the SPF or DKIM domains align with the From header domain. This can be strict (exact match) or relaxed (subdomain allowed).
Policy application: Based on the DMARC record's policy (none, quarantine, or reject), the receiving server takes action if the email fails alignment.
Reporting: Aggregate reports (RUA) provide data on email authentication results, while forensic reports (RUF) offer details on individual failures.

Why implement it with SPF and DKIM

Implementing DMARC, especially when combined with SPF and DKIM, significantly enhances your email security posture. It acts as a powerful deterrent against phishing and spoofing, which are rampant threats to businesses and individuals alike. Without it, anyone can send an email pretending to be from your domain, eroding trust and potentially causing significant damage to your brand reputation. For more details, consider how DMARC prevents spammers from using your domain.

Beyond security, DMARC plays a pivotal role in email deliverability. Major email providers like Gmail and Yahoo increasingly rely on DMARC, SPF, and DKIM to determine whether an email is legitimate. If your domain isn't authenticated properly, your emails are more likely to land in spam folders or be blocked entirely, impacting your marketing campaigns, transactional emails, and overall communication effectiveness. This directly relates to email deliverability issues that many businesses face.

Furthermore, DMARC provides valuable reporting features. By analyzing DMARC reports, you can identify legitimate email sources that might not be correctly authenticated, as well as detect unauthorized senders attempting to spoof your domain. This data is crucial for fine-tuning your authentication setup and maintaining a strong email reputation. Understand the pros and cons of DMARC for email deliverability.

Benefits of DMARC implementation

Enhanced security: Prevents direct domain spoofing, phishing, and email fraud, protecting your customers and brand.
Improved deliverability: Signals to mailbox providers that your emails are legitimate, increasing inbox placement rates.
Brand reputation: Builds trust with recipients and protects your brand from association with malicious email activities.
Visibility and reporting: Provides detailed reports on who is sending email using your domain, helping you identify legitimate and unauthorized senders.

Potential challenges

Complexity: Requires careful planning and configuration, especially for organizations with multiple email sending services.
Monitoring requirements: DMARC reports can be voluminous and complex, necessitating dedicated tools or expertise for analysis.
Potential for legitimate email blocking: Aggressive DMARC policies (like reject) can block valid emails if SPF or DKIM are not perfectly configured for all sending sources.
Subdomain considerations: Requires careful attention to policies for subdomains, as they can inherit policies from the organizational domain.

DMARC policies and reporting

A DMARC record, published as a TXT record in your DNS, contains instructions for receiving mail servers on how to handle emails that fail DMARC authentication. The core of this instruction is the policy tag, p=, which can be set to one of three values:

p=none: This is a monitoring-only policy. Failing emails are delivered as usual, but you receive DMARC reports. This is the safest starting point for deployment.
p=quarantine: Failing emails are sent to the recipient's spam or junk folder. This is a cautious step toward enforcement.
p=reject: Failing emails are outright rejected by the receiving server and not delivered. This provides the highest level of protection but should only be used once you are confident all legitimate email sources are DMARC compliant. For guidance on this, review safely transitioning your DMARC policy.

The reporting aspect of DMARC is invaluable. You specify email addresses in your DMARC record (using the rua and ruf tags) where aggregate and forensic reports are sent. These reports provide data on which senders are passing or failing DMARC for your domain. Analyzing these reports is crucial to ensure legitimate emails aren't accidentally blocked or sent to a blocklist (or blacklist). Ignoring these reports, especially when they are configured to go to an external party you don't have a contract with, means you lose critical visibility into your email streams.

Example DMARC record for monitoring (p=none)DNS

v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:forensic_reports@yourdomain.com; fo=1;

Understanding and configuring these policies, along with other DMARC tags, is critical for a successful DMARC implementation. You can find a comprehensive list of DMARC tags and their meanings to assist with this process. Remember, a phased approach starting with p=none and careful monitoring of reports is recommended before moving to more restrictive policies.

Policy	Action on failure	Visibility	Risk
p=none	Emails are delivered to the inbox (default behavior).	Full visibility into all email streams, both legitimate and fraudulent.	Low risk of blocking legitimate emails.
p=quarantine	Emails are sent to the spam folder or marked as suspicious.	Good visibility, plus initial enforcement against spoofing.	Moderate risk of legitimate emails landing in spam if not fully configured.
p=reject	Emails are completely blocked and not delivered.	Highest enforcement, but relies on accurate reporting for full understanding.	High risk of legitimate emails being blocked if not meticulously configured.

Tools for DMARC record creation

Creating a DMARC record involves publishing a specific TXT record in your domain’s DNS. While you can manually construct this record, it's easy to make mistakes that can impact your email deliverability. Fortunately, several online tools, often called DMARC record generators or wizards, can simplify this process.

These tools typically provide a user-friendly interface where you can input your domain, choose your desired policy (e.g., none, quarantine, reject), specify where you want reports sent, and configure other optional tags like pct (percentage of mail to apply policy to) or sp (subdomain policy). After filling in the details, the generator provides the exact TXT record string you need to add to your DNS records. For example, our own free DMARC record generator tool streamlines this process.

When adding the TXT record, it typically needs to be placed at the _dmarc subdomain (e.g., _dmarc.yourdomain.com). This subdomain doesn’t need to exist beforehand; the _dmarc prefix is a standard convention for DMARC records. You can also have separate DMARC records for specific subdomains if your email sending practices vary across them, allowing for granular control over your email security policies.

Views from the trenches

Best practices

Start with a p=none DMARC policy to gather data without impacting email delivery.

Analyze DMARC aggregate (RUA) reports regularly to understand email traffic and identify unauthorized senders.

Ensure all legitimate email sending services are correctly configured for SPF and DKIM alignment before enforcing DMARC.

Implement a DMARC monitoring solution to simplify report analysis and quickly identify issues.

Gradually move to more restrictive policies (quarantine, then reject) after verifying all legitimate emails pass authentication.

Common pitfalls

Publishing a p=reject policy too soon, causing legitimate emails to be blocked or sent to spam folders.

Failing to monitor DMARC reports, missing critical insights into spoofing attempts or authentication failures.

Not accounting for all email sending sources, including third-party marketing platforms and transactional email services.

Ignoring subdomain policies, which can inherit policies from the organizational domain.

Not understanding SPF and DKIM alignment, leading to DMARC failures even when SPF/DKIM records exist.

Expert tips

Validate your DMARC record using an online checker after publication to ensure correct syntax and deployment.

Pay close attention to the DMARC 'fo' tag, which controls reporting options for forensic reports.

If using multiple email service providers, ensure each one supports DMARC alignment for your domain.

Be aware that DMARC reports can be large XML files; a DMARC monitoring service is highly recommended for interpretation.

Remember that DMARC is a continuous process of monitoring and adjustment, not a one-time setup.

Expert view

Expert from Email Geeks says DMARC's primary function is to ensure that only authorized entities send email using your domain in the From: header. This is achieved by checking SPF and DKIM alignment with the From: domain. If neither aligns, DMARC fails, and the email is handled according to your published policy.

February 1, 2019 - Email Geeks

Expert view

Expert from Email Geeks says that DMARC policies, especially p=none, are designed for a phased rollout. Starting with p=none allows you to collect reports and identify legitimate email streams that might not be authenticating correctly, preventing unintended deliverability impacts when you move to enforcing policies like p=reject.

February 1, 2019 - Email Geeks

Summary of DMARC and its importance

DMARC is an indispensable component of a robust email security strategy. By leveraging the foundational authentication of SPF and DKIM and adding the critical layer of alignment, policy enforcement, and comprehensive reporting, it empowers domain owners to prevent unauthorized use of their brand and safeguard their email reputation. Ignoring DMARC can leave your domain vulnerable to phishing and spoofing attacks, ultimately impacting your deliverability and brand trust.

While the initial setup might seem daunting, tools for DMARC record creation and the phased deployment approach (starting with a p=none policy) make it accessible. The benefits, including improved security, enhanced deliverability, and invaluable insights into your email traffic, far outweigh the initial effort. Prioritizing DMARC implementation is a proactive step toward securing your digital communications in an increasingly complex threat landscape.