What is DMARC?

Watch the short film

DMARC (Domain-based Message Authentication Reporting and Conformance) is an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cybercrimes. DMARC leverages the existing email authentication techniques SPF (Sender Policy Framework) DKIM (Domain Keys Identified Mail). DMARC adds an important function, reporting. When a domain owner publishes a DMARC record into their DNS record, they will gain insight in who is sending email on behalf of their domain. This information can be used to get detailed information about the email channel. With this information a domain owner can get control over the email sent on his behalf. You can use DMARC to protect your domains against abuse in phishing or spoofing attacks.

As a website owner, you want to know for sure that your visitors or customers will only see emails that you have sent yourself. Therefore, DMARC is a must for every domain owner. Securing your email with DMARC gives email receivers certainty whether an email is legit and has originated from you. This results in a positive impact on email delivery and also prevents others from sending email using your domain.

History of DMARC

The DMARC standard was first published in 2012 to prevent email abuse. Several industry leaders have worked together to create the DMARC specification, DMARC was created by PayPal together with Google, Microsoft and Yahoo! These industry leaders came together to develop an operational specification, with the desire that it would be able to achieve formal standards status. They created the DMARC standard based on the existing email authentication techniques SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail).

DMARC is originally developed as an email security protocol. At first DMARC was mostly adopted by security experts in the financial industry. Since then the DMARC adoption is growing and becomes more spread over the online landscape. At this point DMARC is more and more recognised by email marketeers as an aspect of online security and improved deliverability.

DMARC is currently supported by all major ISPs (such as Google, Microsoft, Yahoo! etc). At the moment DMARC is awaiting approval to become an open standard approved The Internet Engineering Task Force (IETF).


With almost 5 billion email accounts worldwide, there’s no channel with a wider reach than the email channel. This ensures that cyber criminals like to use this channel for malicious purposes. Despite the fact that better security measures have been taken in recent years to protect this channel, the crime on this channel is increasing year by year. 95% of all hacking attacks and data breaches involve email.

This is the area where domain based authentication reporting and conformance (DMARC) adds value. DMARC does not only provides full insight in email channels, it also makes phishing attacks visible. DMARC is more powerful: DMARC is capable of mitigating the impact of phishing and malware attacks, preventing spoofing, protect against brand abuse, scams and avoid business email compromise. DMARC Analyzer enables organisations to deploy DMARC and simplify their DMARC deployment process.

Studies show why DMARC is crucial:

  • $1.6 million on average is what one single spear phishing attack costs for organizations
  • From 2013 to 2016 companies saw losses approaching $1.6 billion
  • $500 million every year is scammed by phishing attacks
  • Dealing with phishing attacks costs an average 10,000-employee company $3.7 million a year
  • The average employee wastes 4.16 hours a year on phishing scams
  • Between January 2015 and December 2016 dollar figures climbed sharply up with 2370% by phishing attacks
  • Just 3% of all users will report phishing email to their management
  • More than 400 businesses are targeted by BEC scams every day
  • 76% of organizations have reported that they have been victim of a phishing attack in 2016
  • Organizations that have reported being victim of a phishing attack in 2016: 76%
  • 1 in 3 companies have been victims of CEO fraud emails
  • 70% of all global emails is malicious
  • The volume of spam emails increased 4x in 2016
  • Q3 2016 the amount of phishing emails with ransomware has grown to 97.25% compared to 92% in Q1 2016
  • 9 out of 10 phishing emails has some form of ransomware in March 2016
  • Fake invoice messages are the #1 type of phishing lure
  • The number of reported W-2 phishing emails in 2017 increased by 870%
  • 78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway
  • In the year 2016 over 400,000 phishing sites have been observed each month on average
  • 30 percent of phishing emails get opened
  • In 2016 1 out of 131 emails contained some form of malware, the highest rate in 5 years

DMARC Analyzer provides user friendly DMARC analyzing software and act as your expert guide to move you towards a reject policy as fast as possible.

Where does DMARC help?

Organizations and their clients are being harmed by malicious emails send on their behalf, DMARC can block these attacks. With DMARC an organization can gain insight into their email channel. Based on the insight this gives, organizations can work on deploying and enforcing a DMARC policy.

When the DMARC policy is enforced to p=reject, organizations are protected against:

  • Phishing on customers of the organisation
  • Brand abuse & scams
  • Malware and Ransomware attacks
  • Employees from spear phishing and CEO fraud to happen

With DMARC Analyzer organizations can gain full insight into their email channel. Since organizations previously could only get insight into phishing attacks when an attack had already happened, gaining full insight into the email channel is a big advantage of DMARC. With DMARC it becomes possible to gain insight into phishing attacks. This way, customers can be informed in advance and therefore are aware of these attacks.

all guidance on how to create a DMARC record
use the DMARC Record Generator to generate your DMARC record
use the DMARC Record Checker to display, test and verify your DMARC record whether it’s valid
use the record setup guides for guidance on how to set up your DMARC record for specific webhosts
user friendly DMARC analyzing software

DMARC in practice

The main goal of DMARC is to detect and prevent email spoofing. For example, phishing scams using domains from banks to send out email on their behalf. Customers from that bank think they receive a legit email, that their bank card isn’t valid anymore. The link to click on will lead to a fraudulent website. This website is exactly the same as the real website and logging in will provide the cyber criminals the possibility to use your credentials.

Originally the email authentication techniques DKIM and SPF helped to protect your domains from scams like this. However cyber criminals can bypass these security measures. In order to fully secure your domain and email channel, DMARC will create a link between SPF & DKIM. When implementing DMARC into your DNS record you gain insight in your email channel. ISPs will provide Aggregate (RUA) and Forensic (RUF) DMARC reports on a daily basis and these reports can be send to the email address that’s published in your DMARC record. There are two available types of DMARC reports the Aggregate Reports (RUA) and Forensic DMARC reports (RUF):

Aggregate DMARC reports (RUA)

  • Sent on a daily basis
  • Provides an overview of email traffic
  • Includes all IP addresses that have attempted to transmit email to a receiver using your domain name

Please refer to our article about aggregate DMARC reports for more in-depth information about aggregate DMARC reports.

Forensic DMARC reports (RUF)

  • Real time
  • Only sent for failures
  • Includes original message headers
  • May include original message

Please refer to our article about forensic DMARC reports for more in-depth information about forensic DMARC reports.

DMARC Analyzer provides a dashboard to monitor and analyse your SPF, DKIM and DMARC results. Publishing a DMARC record into your DNS itself isn’t enough to secure your domains. DMARC is working with 3 DMARC policies, this makes is possible for you to decide what will happen with your emails. The ‘none’ policy is only for collecting data and monitoring your current email channel. To enforce your email channel there are 2 more DMARC policies. The ‘quarantine’ policy will deliver malicious email into the spam folder of the receiver and the ‘reject’ policy goes a step further with not deliver that email at all.

So DMARC makes it possible to secure your domains and let you decide what must happen when servers from an ISP receive malicious email. Please note! that DMARC is a very powerful solution to fully secure your email domain when configured correctly. Going to a quarantine or reject policy immediately can lead to a lot of false positives. Make sure before enforcing your domains everything is setup correctly. DMARC Analyzer offers 5 easy stages to help you to secure your email channel.

What is DMARC - DMARC Analyzer

Mitigate the impact of spoofing with DMARC

Within DMARC it is possible to instruct email receivers what to do with an email which fails the DMARC checks. In the DMARC record a DMARC policy can be defined that, depending on the setting, instructs an ISP how to handle emails that fail the DMARC checks. Email receivers check if incoming messages have valid SPF and DKIM records and if these align with the sending domain. After these checks a message can be considered as DMARC compliant or DMARC failed. After the email receiver verifies the authentication status of a message they will handle the message differently based on the DMARC policy that is set.

There are 3 possible DMARC policies available: None (monitoring only), Quarantine and Reject.

Monitor policy: p=none

The first policy is the none (monitor) policy: p=none. The DMARC policy none instructs email receivers to send DMARC reports to the address published in the RUA or RUF tag of the DMARC record. his is known as a Monitoring only policy because with this (recommended starting) policy you gain insight in your email channel. The none policy will give insight in the email channel but does not instruct email receivers to handle emails failing the DMARC checks differently, this is why it is also known as the monitor policy. The none policy only gives insight in who’s sending email on behalf of a domain and will not affect the deliverability.

Quarantine policy: p=quarantine

The second policy is the quarantine policy: p=quarantine. Besides sending DMARC reports, the DMARC policy quarantine instructs email receivers to put emails failing the DMARC checks in the spam folder of the receiver. Emails that pass the DMARc checks will be delivered in the primary inbox of the receiver. The quarantine policy will already mitigate the impact of spoofing, but spoof emails will still be delivered to the receiver (in the spam folder).

Reject policy: p=reject

The third policy is the reject policy: p=reject. The DMARC policy reject. Besides sending DMARC reports, the DMARC policy reject instructs email receivers to not deliver emails failing the DMARC checks at all. Emails that pass the DMARC checks will be delivered in the primary inbox of the receiver. This policy mitigates the impact of spoofing. Since the DMARC policy reject makes sure all incorrect setup emails (spoofing emails) will be deleted by the email receiver and not land in the inbox of the receiver.

A DMARC policy is a request not an obligation
It is important to note that a DMARC policy instructs to handle the emails according the DMARC policy, but email receivers are not obligated to take the DMARC policy into account. Email receivers sometimes use their own local policy. When a email receiver has reasonable thoughts that an email is legitimate, they will sometimes apply their own local policy. This means that an email failing the DMARC checks can land into the primary inbox of the receiver, despite the fact your enforced the DMARC policy reject. Occasionally email receivers will override DMARC policies with a local policy.

Watch our video: DMARC explained

Misunderstandings about DMARC

With DMARC an organization can block malware, phishing attacks and increase email deliverability! DMARC is powerful, but there are also some misunderstandings about DMARC:

DMARC is not a quick deliverability fix

By placing a DMARC record (and enforcing it), ISP’s who adopted DMARC will notice you are working on improving the security of your email channel. Therefore ISPs who adopted DMARC are more likely to let your emails land in the primary inbox of the receiver. However just deploying a DMARC policy is not just a quick email deliverability fix. By deploying and enforcing a DMARC policy your deliverability can improve, however this is not a guarantee.

Immediately enforcing to a reject policy is not a good idea

When an organization encounters a phishing attack on their behalf, they are often likely to immediately lock down their email channel by placing a DMARC record and immediately enforcing this to a 100% p=reject policy. This is indeed effective to block phishing attacks immediately, however this will also lead to legitimate email being lost. DMARC Analyzer experiences that in 99% of the cases, organizations do not have a compliance rate of near 100% when they start with DMARC. DMARC Analyzer advices to start with a p=none policy and to monitor the results, improve SPF and DKIM authentication and than enforce the policy. Depending on the infrastructure of an organization this process can take one to twelve months. We strongly disencourage to immediately enforce a reject policy.

DMARC does not protect inbound email streams

DMARC is not designed to protect the inbound part of the email channel, DMARC protects the outbound part of the email channel. However DMARC influences a little part of the inbound email channel. Emails that are being sent to colleagues will be influenced by DMARC. Since these are emails being sent (although the email stays inbound), DMARC can influence these emails.

User-friendly DMARC analyzing software 

DMARC Analyzer provides user-friendly DMARC analyzing software and act as your expert guide to move you towards a reject policy as fast as possible. DMARC Analyzer provides a SaaS solution which empowers organisations to easily manage complex DMARC deployment. The solution provides 360° visibility and governance across all email channels. Everything is designed to make it as easy as possible. Download the datasheet for more information about DMARC Analyzer

DMARC Analyzer Dashboard Suite

all guidance on how to create a DMARC record
use the DMARC Record Generator to generate your DMARC record
use the DMARC Record Checker to display, test and verify your DMARC record whether it’s valid
use the record setup guides for guidance on how to set up your DMARC record for specific webhosts
user-friendly DMARC analyzing software

DMARC Analyzer provides user-friendly DMARC analyzing software and act as your expert guide to move you towards a reject policy as fast as possible.