Understanding DMARC

By Jay Singh

Understanding the basics of how DMARC works can sometimes be a challenge with the sea of complicated resources a simple search can uncover. The reality, however, is that DMARC is not as complicated as you might think and understanding the basics of how it works is fairly simple.

DMARC builds upon two existing technologies, SPF and DKIM, that help authenticate email in different ways. SPF verifies if an email is sent from a valid IP address, and DKIM verifies if an email is sent from a valid source by using encryption in the header of an email. The problem with only using SPF and DKIM is that they do not enforce a policy, so it does not really add any protection to your domain. This is where DMARC comes in. DMARC uses the authentication that SPF and DKIM provide to enforce a policy. This means that only emails that pass SPF or DKIM authentication will pass DMARC validation and reach your recipient’s inbox. For unauthorized emails, DMARC will deal with them based on the DMARC policy you set. Here are the policies and what each means for unauthorised emails:

  1. p=none This means no policy is set, so all emails will still be able to reach receiver regardless of if they are authorised emails or not.
  2. p=quarantine This means that emails that fail DMARC validation will be sent to the junk/spam folder.
  3. p=reject This is the most powerful policy, and it results in all unauthorised emails being completely blocked.

Like SPF and DKIM, DMARC has been widely adopted by most major email receivers. This means that you will not only get reports back, but the DMARC policy you set will be upheld by them.

We at OnDMARC have created a video that explains what I have been describing with the help of some visuals and animation. We hope that the video gives you a better understanding of how DMARC works and where SPF and DKIM fit into the picture. You can watch the video below.

The author, Jay Singh, is with Marketing and Partnerships at Red Sift, a Global Cyber Alliance partner. You can follow him on Twitter @jaydsingh11.

Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.