How does DMARC work?
DMARC (Domain-based Message Authentication, Reporting and Conformance) relies on the established SPF and DKIM standards for email authentication. It also piggybacks on the well-established DNS (Domain Name System).
In general terms, the process of DMARC validation works like this:
- A domain administrator publishes the policy defining its email authentication practices and how receiving mail servers should handle mail that violates this policy. This DMARC policy is listed as part of the domain’s overall DNS records.
- When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message’s From (RFC 5322) header. The inbound server then evaluates the message for three key factors:
  - Does the message’s DKIM signature validate?
  - Or, did the message come from an IP address allowed by the sending domain’s SPF record?
  - And, do the headers in the message show proper “domain alignment” with that From domain?
- With this information, the server is ready to apply the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
- After using the DMARC policy to determine the proper disposition for the message, the receiving mail server reports the outcome to the sending domain owner via the ruf email address.
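To make the evaluation steps above concrete, here is an added example (not code from the original page): a small Python DMARC policy evaluator. It parses a DMARC TXT record, checks whether the SPF-checked domain and the DKIM d= domain are aligned with the RFC 5322 From domain under the record's adkim/aspf modes, falls back to the organizational domain's record (and its sp tag) for subdomains, and returns the disposition a receiver would apply together with the ruf address the failure would be reported to. The DNS lookup is replaced by a constructed in-memory table, and the organizational-domain logic is simplified to "last two labels" (a real receiver consults the Public Suffix List); both are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS: the TXT record at _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-agg@example.com; "
                           "ruf=mailto:dmarc-fail@example.com"),
    "_dmarc.example.net": "v=DMARC1; p=quarantine; sp=none",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def lookup_policy(from_domain: str):
    """Return (policy_dict, domain_the_record_was_found_at) or (None, None).
    Like RFC 7489, fall back to the organizational domain's record."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        txt = FAKE_DNS.get("_dmarc." + candidate)
        if txt is not None:
            return parse_dmarc_record(txt), candidate
    return None, None


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From header
    spf_result: str    # "pass" / "fail" / "none" ...
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM)
    dkim_result: str   # "pass" / "fail" / "none" ...
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate(r: AuthResults) -> dict:
    """Apply the DMARC decision: pass if either an aligned DKIM signature
    or an aligned SPF pass exists; otherwise apply the published policy."""
    policy, found_at = lookup_policy(r.from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "report_to": None}

    dkim_ok = (r.dkim_result == "pass"
               and aligned(r.dkim_domain, r.from_domain, policy.get("adkim", "r")))
    spf_ok = (r.spf_result == "pass"
              and aligned(r.spf_domain, r.from_domain, policy.get("aspf", "r")))
    if dkim_ok or spf_ok:
        return {"dmarc": "pass", "disposition": "none", "report_to": None}

    # Failure: a subdomain inherits the org domain's sp= policy if present.
    disposition = policy.get("p", "none")
    if found_at != r.from_domain.lower() and "sp" in policy:
        disposition = policy["sp"]
    return {"dmarc": "fail", "disposition": disposition,
            "report_to": policy.get("ruf")}


if __name__ == "__main__":
    # Constructed message: From example.com, DKIM signed by a third party,
    # SPF passing for the third party's own domain -> neither identifier aligns.
    print(evaluate(AuthResults("example.com", "pass", "bulk-sender.test",
                               "pass", "bulk-sender.test")))
```

The third case in the test below is the one that matters for spoofing: SPF and DKIM both "pass" for the actual sender's infrastructure, yet DMARC fails because neither authenticated identifier aligns with the From domain the user sees.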