Domain-based Message Authentication, Reporting & Conformance
Using DMARC you can help recipient servers reject and block spam and fraudulent email messages.
For example, you can say "I send emails from MailChimp and Convertkit. If you, dear mailserver, receive an email claiming to be from emailsherpa.com, and it is not from one of those senders, please put it into the spam folder immediately."
Why is this necessary?
A big problem inherent in email is the fact that a recipient cannot know if an email was actually sent by whoever claims to have sent it. All emails have a header telling the recipient who sent them, but the sender can claim to be anyone.
It's a bit like you calling people on the phone, telling them you're the pope. The receiver only has your phone number and your guarantee that you are who you claim. It is up to them to evaluate if you're telling the truth. Luckily most people will catch your ruse, but email servers aren't that clever.
Control and visibility
DMARC provides a way for senders to specify how recipient servers should handle non-authenticated emails. In addition to this, it provides a reporting framework making it possible to get insights into what email servers actually receive.
It builds on top of SPF and DKIM, letting domain owners prevent spoofing of their domains.
A big benefit of DMARC is the ability to roll it out gradually. You can start out just in monitor mode, where you're getting nothing but visibility into what emails are being sent from your domain.
When you're confident your legitimate messages are passing the authentication checks, you can request that failing messages get quarantined.
And finally, when you've been quarantining mails for a while without problems, you can start requesting that they be rejected entirely.
- None: This is a passive monitor mode. It allows you to receive reports, but the recipient email servers take no extra action.
- Quarantine: When an email message is received that doesn't match the allowed sender for the domain, the message is quarantined. In most cases this means that it goes directly to the recipient's spam folder.
- Reject: This is the strictest policy. Instead of placing unauthorized messages into the spam folder like "Quarantine" above, it lets the server outright reject and discard the message.