Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an authentication, policy, and reporting protocol that works by matching the validity of SPF and DKIM records.
For DMARC rules to apply, both SPF and DKIM must work, and at least one must align:
If both SPF and DKIM align, it means that it’s a valid email from an authorized server with header information intact.
If at least one aligns, it still indicates that the sender owns the “Friendly-From” DNS space and thus is who they claim to be.
Why do you need DMARC?
SPF and DKIM allow mailbox providers to determine whether an email belongs in the inbox or the spam folder, or whether it should be rejected.
But they don’t allow domain owners to specify how to handle an email when authentication checks fail to validate.
At the same time, any email that does not pass the SPF and DKIM checks is considered spoofing or phishing and is not delivered. Unfortunately, this means that a legitimate email can also be rejected.
Adding a DMARC record to your DNS lets you set policies that dictate how email service providers should treat your emails in case DKIM or SPF checks fail.
DMARC records give you three policy options:
None: Unauthenticated emails should be treated as the receiving server sees fit.
Quarantine: The receiving server should accept the email but send it somewhere other than the recipient’s inbox (typically the spam folder).
Reject: Reject the email altogether.
You should routinely monitor DMARC reports as a sender, especially if you send mass emails and run multiple email campaigns regularly.
DMARC reports will inform you of any phishing or spoofing attempts to your domain. These reports will also let you know if your own emails are being rejected due to failed DKIM or SPF checks.