***This article was updated on 6/26/2018 with the latest information and industry news around DMARC. Enjoy!

Understanding DMARC

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is a technical email authentication standard that benefits email senders by helping establish the legitimacy of their emails: it validates that an email is actually coming from the specified source. With DMARC, an organization can publish a policy that defines its email authentication practices and provides instructions to receiving mail servers for how to enforce them.

This process ultimately helps protect email senders and recipients from spam, spoofing, and phishing, and is key to improving email deliverability.

Setting up, verifying, and managing your DMARC record can be tricky. Email senders also occasionally need to troubleshoot setup issues, figure out how to check their DMARC record to verify its validity, or locate their DMARC record or report when no DMARC record is found. We’ve outlined several useful resources your organization can benefit from when you’re at this stage of the email authentication configuration process.

DMARC Defined

First, our glossary definition of DMARC is as follows:

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. The DMARC specification allows senders and recipients to exchange email authentication information to guard against online phishing and other bad practices in the messaging industry. DMARC.org is a group that was created by 15 email service providers, financial firms and message security companies in 2012. Members of the group include Google, Microsoft, Return Path and Yahoo. DMARC.org aims to create standards or email marketing best practices to combat the threats posed by phishing, spam and other abuses of email. DMARC adoption is important for marketers, as large ISPs and inbox providers such as Gmail and Yahoo are key gatekeepers to large segments of customers. If a business’s email is not DMARC compliant, its email deliverability could be adversely affected.

For a more visual explanation, check out this short video illustrating how DMARC works and what it does, created by OnDMARC.

DMARC in Action

DMARC is an open protocol that enables email senders to prevent impersonation and actively block phishing attacks. By combining the authentication identifier signals from SPF and DKIM, DMARC can first accurately identify whether an email was sent by an authorized sender, and then enforce a policy that instructs receiving servers on how to manage incoming emails that use your domain.

DMARC validation essentially works like this:

  1. A domain administrator publishes the policy defining its email authentication practices and how receiving mail servers should handle mail that violates this policy. This DMARC policy is listed as part of the domain’s overall DNS records.
  2. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message’s “From” (RFC 5322) header. The inbound server then evaluates the message for three key factors:
    1. Does the message’s DKIM signature validate?
    2. Did the message come from IP addresses allowed by the sending domain’s SPF records?
    3. Do the headers in the message show proper “domain alignment”?
  3. With this information, the server is ready to apply the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
  4. After using DMARC policy to determine the proper disposition for the message, the receiving mail server will report the outcome to the sending domain owner.
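
The decision in steps 2 and 3, sketched as an added example (not SparkPost code and not a full RFC 7489 implementation). The function names, the `example.*` domains and the last-two-labels shortcut for the organizational domain are assumptions made for illustration; the SPF and DKIM results are taken as inputs rather than computed.

```python
# Added example: simplified receiver-side DMARC decision (ignores pct= and sp=).

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record value into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC policy record")
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record_txt, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, disposition requested by the domain owner)."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    # DMARC passes if at least one mechanism both validates and aligns.
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]

# Constructed sample policy, as it would be published at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail via a third-party sender: SPF domain unaligned, DKIM aligned.
    print(evaluate("example.com", RECORD, True, "bounces.esp.example.net", True, "mail.example.com"))
    # Spoofed From: SPF passes for an unrelated domain, no DKIM signature.
    print(evaluate("example.com", RECORD, True, "unrelated.example.org", False, None))
```

The second case shows why alignment matters: SPF on its own passes for the envelope domain, yet the message still fails DMARC because that domain is not the one in the “From” header.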

For a complete overview, follow this DMARC explained guide.

Can’t Find Your DMARC Record?

If no DMARC record is found, there are several ways in which you can locate your DMARC record, or create your own.

Check out these third-party tools to verify your DMARC record:

More DMARC tools, resources, and guidance can also be found at the official DMARC site.

Protecting Your Email Reputation with DMARC

If you’re wanting to ensure DMARC works for your own domain, there are three main steps that you’ll want to follow:

  1. Make preparations to receive DMARC reports
  2. Decide what DMARC policy to use for your domain
  3. Publish your DMARC record

The bulk of your time will be spent on configuring reports which come in two formats: aggregated reports and forensic reports. These reports will be generated by any domain that does DMARC validation and sees mail claiming to be from your domain, and will be sent to you on at least a daily basis.

For a complete overview of setting up DMARC as well as some best practices, explore this helpful DMARC how-to, written by one of our in-house email deliverability experts.

Other Helpful SparkPost Tools

SparkPost also offers helpful tools that enable email senders to properly configure their email security standards and, therefore, maximize deliverability rates. We have previously discussed how SPF and DKIM can be used to improve email deliverability.

We encourage you to take advantage of the following free tools that make it easy to build and verify email:

As always, give us a shout on Twitter or our community Slack with any questions.

