📛 DMARC: The Missing Layer in Email Authentication
Despite implementing SPF and DKIM, many organisations still fall victim to spoofed emails. That is where DMARC (Domain-based Message Authentication, Reporting & Conformance) comes in: a policy layer that tells receivers how to treat mail claiming your domain that fails authentication, and reports back to you who is sending as your domain.

🧬 What Is DMARC?
DMARC builds on SPF and DKIM by tying both to the visible From: header and adding policy enforcement and reporting. A message passes DMARC only when:
- SPF or DKIM passes, and
- The domain that passed aligns with the domain in the visible From: header (for SPF that is the envelope MAIL FROM domain; for DKIM it is the d= tag of the verified signature)
- If neither mechanism produces an aligned pass, the recipient knows what to do via your published policy (p=none, quarantine or reject) and can report the outcome back to you
It’s published as a DNS TXT record under:
_dmarc.yourdomain.com
🧩 How DMARC Works With SPF and DKIM
| Layer | What It Does | Limitation Alone |
|---|---|---|
| SPF | Checks that the sending IP is authorised by the envelope MAIL FROM domain | Says nothing about the visible From: header, and breaks when mail is forwarded |
| DKIM | Cryptographically signs the message so receivers can verify it was not altered in transit | The signing domain (d=) can be any domain, including a third party's, and need not match From: |
| DMARC | Requires SPF or DKIM to pass and align with From:, and publishes a policy plus reporting addresses | Only as strong as the SPF/DKIM setup behind it; every legitimate sender has to be inventoried first |
DMARC ties it together by saying:
“Treat this message as authenticated only if SPF passes and its MAIL FROM domain aligns with the From: header, or DKIM passes and its signing domain aligns with the From: header. Otherwise, apply my published policy and report it to me.”
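The evaluation described above, as an added example that is not code from the original post: a receiver-side DMARC verdict computed from the SPF result, the DKIM result, and the visible From: domain. The domains, results and the simplified organisational-domain rule are assumptions made for illustration (a real receiver uses the Public Suffix List).

```python
# Added example (not from the original post): how a receiver combines SPF,
# DKIM and the visible From: domain into a DMARC verdict.  All domains and
# authentication results below are constructed for illustration.
from typing import Optional


def org_domain(domain: str) -> str:
    """Organisational domain.  Real receivers use the Public Suffix List; this
    'last two labels' rule is an assumption that is wrong for suffixes such
    as co.uk, but enough to show how relaxed alignment behaves."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organisational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain: str,
                  spf_result: str, mail_from_domain: Optional[str],
                  dkim_result: str, dkim_d_domain: Optional[str],
                  aspf: str = "r", adkim: str = "r") -> str:
    """'pass' if at least one mechanism both passed and aligns with the
    RFC5322.From domain.  SPF aligns via the RFC5321.MailFrom (envelope)
    domain, DKIM via the d= tag of a signature that verified.  aspf/adkim
    are the alignment tags from the DMARC record (default relaxed)."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_d_domain, from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed scenarios that come up in practice.
SCENARIOS = {
    # Attacker owns attacker.example (and its SPF) but forges From: example.com.
    "spoof_with_own_spf": dict(from_domain="example.com",
                               spf_result="pass", mail_from_domain="attacker.example",
                               dkim_result="none", dkim_d_domain=None),
    # Marketing platform bounces via its own domain but signs with the customer's key.
    "esp_dkim_aligned": dict(from_domain="example.com",
                             spf_result="pass", mail_from_domain="bounce.esp.example",
                             dkim_result="pass", dkim_d_domain="example.com"),
    # Subdomain in MAIL FROM: aligned under relaxed mode, not under strict.
    "subdomain_spf": dict(from_domain="example.com",
                          spf_result="pass", mail_from_domain="mail.example.com",
                          dkim_result="none", dkim_d_domain=None),
    # Forwarded mail: SPF fails at the forwarder's IP, but the DKIM signature survives.
    "forwarded": dict(from_domain="example.com",
                      spf_result="fail", mail_from_domain="example.com",
                      dkim_result="pass", dkim_d_domain="example.com"),
}


def run_all() -> dict:
    """Verdict for every constructed scenario, keyed by scenario name."""
    return {name: dmarc_verdict(**kw) for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22s} -> {verdict}")
```

The first scenario is the one the table is about: a perfectly valid SPF pass for the attacker's own domain counts for nothing once the From: domain has to align. Switching `aspf="s"` on the subdomain scenario flips it to fail, which is why strict alignment should only be set once you know every sender uses the exact From: domain.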
🚦 Phased DMARC Rollout Strategy
Implementing DMARC properly requires a staged approach — going straight to p=reject without monitoring can break legitimate mail flow.
1️⃣ Phase 1: p=none — Monitor Only
Start by publishing a record like:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;
- p=none: do not enforce yet; just monitor
- rua: address for aggregate reports (XML, typically one per receiver per day)
- ruf: address for failure (forensic) reports containing samples of failing messages; many large receivers never send these, so do not rely on them
- fo=1: generate a failure report if either SPF or DKIM fails (the default, fo=0, only reports when both fail)
Alignment defaults to relaxed (adkim=r; aspf=r), so subdomains of your domain count as aligned unless you set strict mode.
This instructs receivers to send you reports about who is sending mail using your domain — without taking enforcement action. Use this phase to:
- Identify all legitimate mail senders (marketing platforms, CRMs, SaaS apps, etc.)
- Ensure each one:
- Is listed in your SPF record
- Signs mail with DKIM
- Has correct domain alignment
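The phase 1 work above is answering "who sends as my domain, and does it authenticate?" from the aggregate reports. As an added example, not code from the original post, here is a summariser for one rua report. The XML is a constructed sample in the RFC 7489 aggregate-report schema, with made-up IPs and domains; real reports arrive as gzip or zip attachments.

```python
# Added example, not from the original post: summarise one rua aggregate
# report so you can see which sources send as your domain and which of them
# would be hit by enforcement.  SAMPLE_REPORT is constructed; real reports
# arrive as gzip/zip attachments, one per receiver per day.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- corporate MTA: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- marketing platform: SPF passes for its own bounce domain (unaligned), no DKIM for our domain -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown host: nothing passes; this is what enforcement is for -->
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>3000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>badhost.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise(report_xml: str) -> list:
    """One dict per <record>: source IP, message count, whether DMARC passed
    (the receiver's policy_evaluated shows an aligned SPF or DKIM pass), and
    the raw SPF/DKIM domains, which is how you tell a misconfigured ESP from
    a spoofer.  Reports are untrusted input from the internet; in production
    parse them with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass",
            "disposition": pe.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return rows


def failing_sources(report_xml: str) -> list:
    """Source IPs that would be quarantined/rejected, busiest first.
    Investigate every one of these before leaving p=none."""
    failing = [r for r in summarise(report_xml) if not r["dmarc_pass"]]
    return [r["ip"] for r in sorted(failing, key=lambda r: r["count"], reverse=True)]


def enforcement_impact(report_xml: str) -> tuple:
    """(failing messages, total messages): how much mail enforcement would touch."""
    rows = summarise(report_xml)
    return (sum(r["count"] for r in rows if not r["dmarc_pass"]),
            sum(r["count"] for r in rows))


if __name__ == "__main__":
    for r in summarise(SAMPLE_REPORT):
        print(r)
    print("would fail:", failing_sources(SAMPLE_REPORT), enforcement_impact(SAMPLE_REPORT))
```

In the sample, 198.51.100.7 is the case phase 1 exists to catch: a real sender (SPF passes for bounce.esp.example) that is not aligned with example.com and so would be quarantined the moment you enforce. The fix is on the platform side (a DKIM key for your domain, or a custom bounce domain under it), not in the DMARC record.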
2️⃣ Phase 2: p=quarantine — Flag Suspicious Mail
Once all legit sources are covered, increase enforcement:
v=DMARC1; p=quarantine; pct=50;
This asks receivers to quarantine failing mail (typically the spam folder) for 50% of the messages that fail; the remaining 50% fall back to the next less strict policy, p=none. Raise pct towards 100 as the reports stay clean. Keep the rua= tag from phase 1 in this record: dropping it means you lose the reports at exactly the moment enforcement starts affecting mail.
3️⃣ Phase 3: p=reject — Full Enforcement
Finally, enforce strict authentication:
v=DMARC1; p=reject;
Now receivers are asked to reject outright any message carrying your domain in From: without an aligned SPF or DKIM pass. Keep rua= in this record too; the reports are how you notice when a new legitimate sender appears after enforcement is on.
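The three phases above are one procedure, and the mistakes that hurt are in the record itself: a missing rua= that silently ends your reporting, or a pct below 100 that enforces less than it looks. As an added example, not code from the original post, here is a parser and linter for DMARC TXT records. It does no DNS lookups; the ROLLOUT records mirror the three phases above with a constructed reporting address (dmarc@example.com), and the findings text is my own.

```python
# Added example, not from the original post: parse a DMARC TXT record and
# flag the rollout mistakes that lose you visibility or enforce less than you
# think.  No DNS is queried; feed it the TXT string returned by
# `dig TXT _dmarc.yourdomain.com`.  The ROLLOUT records mirror the three
# phases in the post, with a constructed reporting address.

VALID_P = ("none", "quarantine", "reject")
# With pct < 100, the messages not sampled get the next less strict policy.
LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}
VALID_FO = {"0", "1", "d", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value;' into {tag: value}.  Tag names are
    lower-cased, values kept as written; a trailing ';' is permitted."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_record(record: str) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    tags = parse_dmarc(record)
    first = record.split(";", 1)[0].strip().lower()
    if first != "v=dmarc1":
        findings.append("v=DMARC1 must be the first tag, otherwise receivers ignore the record")
    p = tags.get("p")
    if p not in VALID_P:
        findings.append(f"p= missing or invalid ({p!r}); receivers ignore the record")
        return findings
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append(f"pct={pct!r} is not an integer 0-100")
    elif int(pct) < 100 and p != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={p}; "
                        f"the rest is treated as p={LESS_STRICT[p]}")
    if "rua" not in tags:
        findings.append("no rua= tag: you will get no aggregate reports and lose visibility")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                findings.append(f"{tag}= URI must be a mailto: address, got {uri!r}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}={tags[tag]!r} is invalid; use r (relaxed) or s (strict)")
    for opt in tags.get("fo", "0").split(":"):
        if opt not in VALID_FO:
            findings.append(f"fo option {opt!r} is invalid; use 0, 1, d or s")
    return findings


# The three phases from the post, with a constructed reporting address.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1;",
    "v=DMARC1; p=quarantine; pct=50;",
    "v=DMARC1; p=reject;",
]

if __name__ == "__main__":
    for rec in ROLLOUT:
        print(rec)
        for finding in check_record(rec) or ["ok"]:
            print("  -", finding)
```

Run against the three records, the phase 1 record is clean, the phase 2 record draws two findings (half of failing mail is really getting p=none, and there is no rua=), and the phase 3 record draws one (no rua=). Carrying the rua= tag through every phase is the single change that keeps the rollout observable.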
🛡️ What DMARC Helps Prevent
Implementing DMARC helps stop:
- Spoofed “From” emails pretending to be from your domain
- Business Email Compromise (BEC) — attackers using executive names/domains
- Phishing that impersonates your organisation to customers, partners, or employees
- Abuse of your domain for spam campaigns (affecting your reputation)
By requiring an aligned SPF or DKIM pass for every message that carries your domain in From:, DMARC makes unauthorised email impersonation far more difficult.
📬 But Doesn’t DMARC Make Email Harder to Deliver?
Not when it is implemented properly; it generally improves deliverability. The one area to watch is mail that is forwarded or relayed through mailing lists, which often breaks SPF alignment (and DKIM too if the list rewrites the message); look for those senders in your aggregate reports before you move to quarantine or reject.
- Major inbox providers (Google, Microsoft, Yahoo, etc.) prefer authenticated mail
- Authenticated messages with valid SPF, DKIM, and DMARC are more likely to reach inboxes
- You reduce the risk of your domain being blocklisted or marked as spam
- Combined with BIMI (Brand Indicators for Message Identification), it even enables logo display in inboxes; BIMI requires an enforcing policy (p=quarantine with pct=100, or p=reject), so it is one more reason to finish the rollout
🧾 Wrapping Up
DMARC isn’t just a technical checkbox — it’s a powerful policy layer that brings together SPF and DKIM to enforce your domain’s identity in email.
When rolled out properly, it gives you visibility, control, and protection against spoofing, phishing, and impersonation attacks. It also signals to inbox providers that you’re a legitimate, trusted sender — improving the chances that your real messages land where they belong.
If you’ve already implemented SPF and DKIM, DMARC is the final step that makes them truly effective.
Start in monitor mode. Learn what’s really using your domain. Then lock it down.
Email is still one of the most abused protocols in the world — DMARC helps you take it back.