DMARC (Domain-based Message Authentication, Reporting and Conformance)
An email authentication protocol that builds on SPF and DKIM to give domain owners control over how unauthenticated messages are handled and to enable abuse reporting.
Definition
DMARC (RFC 7489) is an email authentication policy framework that lets domain owners tell receiving mail servers how to handle messages that pass neither SPF nor DKIM with identifier alignment. Alignment is the concept DMARC adds on top of SPF and DKIM: the domain in the RFC5322 From header must match the domain that SPF or DKIM actually validated, either exactly (strict) or at the organizational-domain level (relaxed). Without this binding, SPF only vouches for the envelope sender and DKIM only for whatever d= domain signed the message, neither of which is what the recipient sees. Domain owners publish DMARC policies as DNS TXT records at _dmarc.<domain>.
Why It Matters
DMARC is the primary technical control against direct-domain spoofing, the technique behind many targeted phishing and business email compromise (BEC) attacks. Without a DMARC policy of quarantine or reject, any sender can forge a From address using your exact domain and participating receivers have no published instruction to act on; p=none provides reporting only. Aggregate (rua) reports, and where receivers send them, failure (ruf) reports, give domain owners visibility into who is sending mail on their behalf, which is what makes a staged rollout from none to quarantine to reject possible without breaking legitimate third-party mail streams. In practice most large receivers send aggregate reports but few send ruf reports, so monitoring should not depend on the latter.
How It Works
A domain owner publishes a DMARC TXT record at _dmarc.example.com specifying a policy (p=none, p=quarantine, or p=reject), optionally a separate subdomain policy (sp=), alignment modes (aspf= and adkim=, relaxed by default), a percentage of failing mail to apply the policy to (pct=), and reporting addresses (rua=, ruf=). When a receiving mail server processes an inbound message, it evaluates SPF against the RFC5321.MailFrom (envelope sender, later visible as Return-Path) domain and DKIM against the d= tag in the signature, then checks whether either passing result aligns with the RFC5322 From domain: in relaxed mode the organizational domains must match, in strict mode the domains must match exactly. The record is looked up at the From domain first; if none exists there, the receiver falls back to the organizational domain's record and applies its sp= policy. If neither SPF nor DKIM passes with alignment, the message fails DMARC and the receiving server applies the published policy. Receivers send aggregate XML reports (rua) on a schedule, typically daily, covering all mail seen for the domain, and optionally failure samples (ruf) per failing message, allowing domain owners to detect misconfigured mail streams or active spoofing campaigns.
DFIR Platform
Phishing Email Checker
The Phishing Email Checker validates DMARC as one of its 26+ analysis modules. It extracts the RFC5322 From domain, retrieves the published DMARC record, evaluates SPF and DKIM alignment, identifies the enforced policy level (none/quarantine/reject), and flags misconfigurations such as missing records, overly permissive policies, or absent reporting addresses.
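The evaluation described under How It Works, and the misconfiguration checks listed for the Phishing Email Checker, as an added worked example. This is illustrative code written for this page, not the platform's module or a reference implementation. The DMARC record and the SPF/DKIM results are constructed inputs standing in for a DNS TXT lookup and the receiving MTA's Authentication-Results; organizational-domain derivation is simplified to the last two labels, whereas a real implementation consults the Public Suffix List.

```python
"""DMARC record parsing, identifier alignment, disposition, and record linting.
Added example; runs offline on constructed inputs."""

from dataclasses import dataclass
from typing import Optional

POLICIES = ("none", "quarantine", "reject")

# Constructed record, standing in for `dig +short txt _dmarc.example.com`.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "pct=100; rua=mailto:dmarc-agg@example.com")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p= is required; receivers treat anything else as no record.
    if not record.lstrip().lower().startswith("v=dmarc1") or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified (assumption): last two labels only.
    Real receivers use the Public Suffix List so that example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed an org-domain match."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain
    spf_result: str    # SPF result for the RFC5321.MailFrom domain
    spf_domain: str    # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str   # result of verifying the DKIM-Signature
    dkim_domain: str   # d= tag of that signature


def evaluate(record: str, record_domain: str, r: AuthResults) -> dict:
    """Apply a DMARC record (found at record_domain) to one message's auth results."""
    tags = parse_dmarc(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    # p= applies when the record was published at the From domain itself; sp= when the
    # receiver fell back to the organizational domain's record for a subdomain.
    policy = tags["p"] if r.from_domain.lower() == record_domain.lower() else tags["sp"]
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


def lint(record: Optional[str]) -> list:
    """Misconfiguration findings of the kind a phishing-email analyser reports."""
    if record is None:
        return ["no DMARC record: the From domain can be spoofed with no enforcement"]
    try:
        tags = parse_dmarc(record)
    except ValueError as e:
        return [f"unparseable record ({e}); receivers will treat it as absent"]
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags["sp"] == "none" and tags["p"] != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if tags["pct"] != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility into spoofing")
    return findings


if __name__ == "__main__":
    # Constructed messages: a bulk-mailer sending for example.com (SPF passes for the
    # mailer's own bounce domain, DKIM signed by example.com) and a plain spoof.
    legit = AuthResults("example.com", "pass", "bounce.esp-provider.net", "pass", "example.com")
    spoof = AuthResults("example.com", "pass", "attacker.example.net", "none", "")
    print(evaluate(EXAMPLE_RECORD, "example.com", legit))
    print(evaluate(EXAMPLE_RECORD, "example.com", spoof))
    print(lint("v=DMARC1; p=none"))
```

The legitimate message passes only through DKIM: its SPF pass is for the mailer's bounce domain, which does not align with example.com, which is exactly why third-party senders must sign with the customer's DKIM domain before a reject policy is safe. The spoof passes SPF for a domain the attacker controls but has nothing aligned, so the From domain's p=reject applies.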