What is DMARC?
Domain-based Message Authentication, Reporting & Conformance or DMARC is an authentication, policy, and reporting protocol. It functions by building off of already created SPF and DKIM records. The DMARC record is used to establish linkage from the domain name, it will suggest actions, to the receiving server, for authentication failures. DMARC also allows for reporting to be enabled, informing the sending domain that an authentication failure has occurred and what actions were taken. This allows the domain owner to manage and be informed of the health of their domain's email environment (i.e.: spoofing, spamming, fraudulent email, etc). DMARC is available publicly and is free for use with no licensing required.
How does DMARC work?
A DMARC policy will allow the sending domain to notify that their mail is protected by SPF and DKIM, it also will let the recipient server know what to do with authentication failures. This removes the guesswork for the recipient server on how to handle failures.
DMARC was designed to fulfill the following:
Minimize false positives
Provide detailed authentication reporting
State sender policy at recipient server
Reduce phishing successful deliveries
Minimize the complexity of phishing a spoofing policies
To work at the scale of the Internet
DMARC is meant to replace Author Domain Signing Practices by adding support for:
DMARC is built upon both DKIM and SPF specifications and ideally, would have both to validate DMARC policy.
A very useful tool for parsing aggregate and failure reports is https://dmarcian.com/dmarc-xml/. This will convert the xml file received into human readable format, including charts and calculations based on results.
VERY IMPORTANT: When first setting up the DMARC policy, make sure to set all policies to take no action, but do have reporting enabled so that you can analyze aggregate and failure reports to validate the setup. This is an essential step to ensure no dip in receipt of mail.
DMARC records are published in DNS as a TXT record and informs receiving server what to do with non-aligned mail.
Below I have listed an example and then broken it down:
All information was garnered from the following sites: