If you send a lot of emails as part of your work or if you own a website domain, you need to know about DMARC. It protects outbound emails that an organization sends or has others send on its behalf with the help of DMARC software.

Think about the following questions: What insight or control do you have on the email that has a ‘from’ address claiming to be from your domain? Where are these messages being delivered? Are they destined for your customers, business partners, and perhaps even your employees’ personal email addresses trying to dupe them? Add to that, are you confident your emails are reaching inboxes without getting flagged as spam?

The reality is that it’s very simple (and cheap) for scammers to send an email posing as you, and this email spoofing can wreak havoc on your inbox deliverability and reputation.

DMARC ensures this doesn’t happen to your business. We’ll outline the technology and how simple it is to deploy and phase into an organization.

DMARC helps avoid this. It specifies what an email service provider like Gmail or Yahoo should do in case of email spoofs or phishing attempts. It also helps the organization, here G2, to know that someone’s sent a phishing mail using our domain name.

Here’s the technical breakdown of how this works: 

1. The domain owner creates a DMARC record and publishes it in their DNS records. This record specifies:

• Whether SPF and/or DKIM authentication is used for your domain.
• DMARC alignment: How closely the domain identified in the “From:” header of the email needs to match the domain used in the SPF or DKIM authentication. 
• DMARC policy: What action should receive servers take for emails that fail the SPF/DKIM checks?
• Where to send DMARC reports for analysis (often to a DMARC reporting service).

• The receiving mail server checks the DKIM signature to confirm the email content hasn’t been tampered with.
•  They check the SPF record to verify that the email is sent from an authorized IP address for the domain.

4. If the email passes both SPF and DKIM checks or one of the checks aligns with the DMARC policy, the email is delivered normally.

5. If the email fails the checks, the receiving server refers to the DMARC policy to determine what to do with it – to reject it completely and not deliver it, to mark it as spam, or to send it normally but share a report with the mail administrator. 

6. The receiving mail server sends aggregate reports to the address specified in the DMARC policy. These reports contain information about the emails that were received, whether they passed or failed the authentication checks, and how they were handled.

Depending on the stage of your implementation of DMARC, you can start by simply observing the email that is sent by your domain and then advance to take certain actions on the email based on whether the sender meets certain criteria.

Let’s examine in detail the important component of DMARC: the DMARC record.

DKIM, SPF, and DMARC are three email authentication methods. Comparing them helps us understand how each works, its purposes, and how they complement each other to provide comprehensive email security. 

DKIM

DKIM, as mentioned earlier, focuses on verifying the integrity of the email content. It employs public key cryptography to ensure that an email message was sent from an authorized mail server, detect forgeries, and prevent sending harmful spam emails. Here’s how it works.

The domain owner configures their mail server to sign outgoing emails with a private key and publishes a public key in the DNS. The receiving mail server uses the public key to verify the email’s DKIM signature, ensuring the email has not been tampered with and was sent by an authorized server.

SPF

SPF focuses on verifying the sender’s identity. A domain administrator publishes an SPF record as part of the domain’s overall DNS records, listing the IP addresses of mail servers that can send email from that domain. 

When an email is received, the receiving mail server checks the SPF record of the sender’s domain to verify if the email is sent from an authorized IP address.

Limitations of DKIM and SPF

DKIM and SPF were introduced over a decade ago and provided a way for domain owners to allow other organizations to send emails on their behalf, otherwise known as “sources.”

However, these security protocols fell short on a couple of things. First, an organization is blind to how often and where DKIM and SPF are (or are not) working. This is where the reporting aspect of DMARC came into play and established a standard format for mail handlers to compile information about this activity and where to send the reports. 

The second shortcoming specifically addresses DKIM and SPF failed authentication. Before DMARC, an organization was entirely dependent on the recipient’s inbound mail gateway to take the necessary action against an email that fails a DKIM or SPF check. With DMARC, the domain owner gets the first say in instructing the mail handler on a specific course of action. 

The DMARC authors saw that an organization was blind to DKIM and SPF’s effectiveness. They also recognized that an organization was doubly blind to legitimate mail that was failing authentication or possibly sketchy emails that failed authentication still weaseling their way through to the unsuspecting victim. 

In the spring of 2011, top organizations such as PayPal, Google, and Yahoo! Mail came together to collaborate on a strategy for combating fraudulent email. To this day, these same prevalent forces support and recommend DMARC to avoid harmful email practices like phishing and Business Email Compromise (BEC).

The DMARC protocol was initially created as an email security system and was primarily used by security specialists in the finance industry. Since then, DMARC adoption has increased and become more widespread across the internet. DMARC is now pending approval by the Internet Engineering Task Force to become an open standard (IETF). 

How does DMARC work with DKIM and SPF?

DMARC oversees the entire email authentication process and provides reporting. It allows domain administrators to define a policy for how receiving email servers should handle emails that fail SPF and/or DKIM checks and provides a reporting mechanism. 

While SPF and DKIM can function independently without relying on a DMARC policy, it’s not recommended to have a DMARC policy without SPF or DKIM. 

At this stage, you’re not taking any action against email deliverability. You are simply enabling an in-depth overview of who is using your domains and where you need to authenticate sources that are sending on your behalf. Only when the reports are validating that your sources are authenticated, should you proceed to the next phase of DMARC, which secures your domains.

2. Security

Once you have confidence you have established a means of SPF and DKIM authentication for your sources, a DMARC policy can move from an observation state of ‘p=none’ to ‘p=quarantine’. This policy state instructs receiving email systems to flag messages that don’t pass authentication as junk. 

While this does not technically protect your domain from phishing, by flagging the message as junk, the recipient either never sees the message or is warned of its diminished authenticity.

After a period of time being in the ‘p=quarantine’ state and at the same time ensuring that you are not impacting any valid email, you may take advantage of the ‘p=reject’ policy. In this stage, you are instructing mail handlers to reject the receipt and delivery of this message outright. The recipient never receives the email, as it is not delivered per your instruction. 

3. Deliverability

There is an inherent benefit in establishing SPF and DKIM authentication and advancing your DMARC policy to either ‘p=quarantine’ or ‘p=reject’. Aside from the obvious protection of your domain, you have made every mail handler’s job across the globe a little easier.

If there are around 300 billion emails sent every day, of which 75 to 85 percent are junk or threat emails, you have made the email handler’s job much easier by allowing them to discard the junk. Thus, between the authentication and the mail handler promoting your sending capability, an advanced DMARC policy state will improve your organization’s email deliverability rates. 

Hackers are always seeking new ways to penetrate networks through phishing, spoofing, whaling, and other social engineering techniques. When you combine the fact that spoofed email is cheap and easy to send with the fact that users struggle to spot fake emails, you have a hacker’s favorite tool to penetrate an organization. 

It’s no coincidence that the FBI’s Internet Crime Report found that phishing topped its list of 2023 cybercrimes. Further, the business email compromises alone cost companies nearly $3 billion. 

DMARC is an important step in protecting your domain and your brand by preventing malicious actors from impersonating your domain in emails. It may also improve your sender reputation scores, which can positively impact deliverability rates. DMARC adds confidence that the sender’s domain is accurately represented in the “header from.”

Adopting DMARC promotes an industry standard for dealing with unauthenticated emails, thereby protecting all email users from spoofed malicious emails.

Moreover, industry heavyweights like Google and Yahoo! have made DAMRC compulsory for all bulk email senders since February 2024. So, it is absolutely essential to have a DMARC policy in place for security and compliance.

Any article discussing email security standards like DMARC is incomplete without mentioning Brand indicators for message identification or BIMI.

BIMI is the latest email security protocol developed by AuthIndicators Working Group that includes Google, Yahoo!, Twilio SendGrid, Valimail and more. takes email authentication a step further and complements DMARC. It essentially allows the sender to place their trademarked and certified logo next to the ‘from’ address in the recipient’s mail client. The intent is to instill confidence in the recipient to feel that the message is authentic. It’s important to note that BIMI is an emerging technology with its RFC specification in draft mode.

There have been several techniques for validating senders and employing logos for years, with the first formalized BIMI spec published in February 2019. The AuthIndicators Working Group was created to formalize and promote BIMI throughout the industry. Participants from Google, Fastmail, LinkedIn, Validity, Mailchimp, Verizon Media, and SendGrid are part of the group. With that said, Yahoo!, Google, Verizon, and Fastmail all publicly announced their support of the technology in 2021, and its adoption rate is growing.

With BIMI, you have complete control over the logo that is displayed, allowing you to maintain control over your brand and subscriber experience, all while building trust. There are several factors that must be implemented and aligned for BIMI to work: 

• The sender’s DMARC record must be in a state of quarantine or reject
• The recipient’s email client must support this functionality
• The sender must publish a DNS record, including a URL to their logo in SVG format
• The mailbox provider must be able to validate the BIMI record in the “From” domain’s DNS TXT record. That record is a URL for your brand’s logo and Verified Mark Certificates (VMC). If the records are identical, the logo is displayed.

How do BIMI and DMARC work together?

Mail providers that support BIMI will look up the BIMI file for the incoming message by querying the domain. The BIMI file refers the receiving email server to the brand logo and shows it in the inbox once the email passes DMARC verification.

Signed, sealed, delivered

Email security protocols continue to evolve. First came DKIM as an “internet standard,” followed by SPF, DMARC, and, most recently, BIMI. Perhaps the only consistent thing they have in common is their enemy, the inherent security flaws in emails. 

There was a time when the question may have been “Do I need DMARC to protect my domain?” That’s now replaced with a more relevant question: “What provider will allow me to implement and monitor these crucial email security protocols and have the skills to adapt their platform to the ever-changing email security landscape?

If you are asking this question, select a partner from the list above that prioritizes staying ahead of emerging standards to ensure your email remains secure and compliant. 

Need more protection? Explore different email security software to find the right solution that fits your business needs. 

This article was originally written in 2021. It has been updated with new information.