DMARC
Or, in full: Domain-based Message Authentication, Reporting and Conformance.
So we can sign emails with DKIM and prove they are authorised to send from a domain with SPF, but there is one more thing we can do.
During an email's journey it might travel across multiple mail servers, so the SPF and DKIM checks at the final recipient may end up being made against an intermediate server's domain rather than the original author's domain.
DMARC lets a domain owner publish a policy which tells a recipient to validate the visible FROM field on emails claiming to come from the domain, and what to do if there is no alignment between the FROM field and the domain that passed SPF (MAIL FROM) or DKIM.
An important concept in DMARC is alignment: when we compare the domains, how should subdomains be treated?
Relaxed - Only the organisational domain is compared, meaning the domain that can be registered publicly (subdomains are allowed to differ).
Strict - Both domains must EXACTLY match, subdomains included.
DMARC Evaluation
PASS - Alignment found with a passing SPF result or a passing DKIM result.
FAIL - No alignment found with any passing result.
DMARC record format
Uses a TXT record, published at the _dmarc subdomain of the domain (e.g. _dmarc.example.com).
Required tags:
p - Policy for DMARC failures
none - Ignore failures
quarantine - Flag as spam/suspicious or check it further
reject - Do not deliver (should cause an SMTP session error)
v - Version; must be DMARC1 and must be the first tag in the record.
Optional tags:
adkim - DKIM alignment mode
r - Relaxed
s - Strict
aspf - SPF alignment mode
r - Relaxed
s - Strict
pct - Percentage of failing messages to which the policy is applied, sampled at random.
sp - Policy override for subdomains.
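The alignment rules and the record format above, as an added example (not from the original notes): a small parser that checks the required v and p tags, then evaluates relaxed/strict alignment and picks p or sp. It assumes the SPF and DKIM results have already been computed, simplifies the organisational domain to the last two labels (a real receiver uses the Public Suffix List), and does not model pct sampling.

```python
# Added example (not from the original notes): parse a DMARC TXT record and
# evaluate alignment and policy the way a receiver would. Organisational-domain
# lookup is simplified to "last two labels" (a real receiver uses the Public
# Suffix List); the SPF/DKIM results are assumed to be computed already.

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict; raise on malformed records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = (s.strip() for s in part.split("=", 1))
        tags[k] = v
    # v must be DMARC1 and the first tag; p is required and must be a known value.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p tag missing or invalid")
    tags.setdefault("adkim", "r")   # optional tags default to relaxed alignment
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Assumption: organisational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict: exact match, subdomains included
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed

def dmarc_evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (result, policy): PASS needs an identifier that both passed and aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failure: apply p, or sp when the From domain is a subdomain and sp is set.
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return "fail", policy
```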