DMARC
Domain-based Message Authentication, Reporting & Conformance

DMARC is a way to let recipient servers know what email servers you send emails from, and what they should do if they receive an email not sent from one of your servers.

Using DMARC you can help recipient servers reject and block spam and fraudulent email messages.

For example, you can say "I send emails from MailChimp and Convertkit. If you, dear mailserver, receive an email claiming to be from emailsherpa.com, and it is not from one of those senders, please put it into the spam folder immediately."

Why is this necessary?

A big problem inherent in email is the fact that a recipient cannot know if an email was actually sent by whoever claims to have sent it. All emails have a header telling the recipient who sent the email, but the sender can claim to be anyone.

It's a bit like you calling people on the phone, telling them you're the pope [1]. The receiver only has your phone number and your guarantee that you are who you claim. It is up to them to evaluate if you're telling the truth. Luckily most people will catch your ruse, but email servers aren't that clever.

Control and visibility

DMARC provides a way for senders to specify how recipient servers should handle non-authenticated emails. In addition to this, it provides a reporting framework, making it possible to get insight into what email servers actually receive.

It builds on top of SPF and DKIM, and uses their results to prevent spoofing of your domain.
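The reporting side mentioned above works through aggregate (RUA) reports that receivers mail back as XML. The following is an added example, not code from the original article: it parses a constructed report in the RFC 7489 aggregate-report layout (the domain is the one used in the article's own example, the IPs and counts are made up) and lists which sending IPs pass or fail, which is exactly the visibility you want before tightening a policy.

```python
"""Summarise a DMARC aggregate (RUA) report to see which sending IPs
pass or fail authentication for a domain.

Added example; not code from the original article. SAMPLE_REPORT is a
constructed report in the RFC 7489 aggregate-report XML layout, using the
article's own domain and IPs from the documentation ranges.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>emailsherpa.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>emailsherpa.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.11</source_ip>
      <count>7</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>emailsherpa.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.5</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>emailsherpa.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return per-IP message counts plus the IPs that fail DMARC outright.

    A message passes DMARC when at least one of the aligned checks
    (DKIM or SPF) in <policy_evaluated> is 'pass'.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "by_ip": {},
        "totals": {"messages": 0, "passing": 0, "failing": 0},
        "failing_sources": [],
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        entry = summary["by_ip"].setdefault(
            ip, {"messages": 0, "passing": 0, "failing": 0,
                 "disposition": evaluated.findtext("disposition")})
        entry["messages"] += count
        entry["passing" if passed else "failing"] += count
        summary["totals"]["messages"] += count
        summary["totals"]["passing" if passed else "failing"] += count
    # Sources that never pass are the ones to look at before tightening the
    # policy: either a legitimate sender missing from SPF/DKIM, or spoofing.
    summary["failing_sources"] = sorted(
        ip for ip, e in summary["by_ip"].items() if e["passing"] == 0)
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['totals']}")
    for ip, e in s["by_ip"].items():
        print(f"  {ip:>15}  {e['messages']:>4} msgs  pass={e['passing']} fail={e['failing']}")
    print("  investigate:", ", ".join(s["failing_sources"]) or "none")
```

Note that 192.0.2.11 fails SPF but still passes DMARC because its DKIM signature is aligned; only 198.51.100.5, which fails both, ends up in the list to investigate.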

Gradual rollouts

A big benefit of DMARC is the ability to roll it out gradually. You can start out just in monitor mode, where you're getting nothing but visibility into what emails are being sent from your domain.

When you're confident your legitimate messages are passing the authentication checks, you can request that failing messages get quarantined.

And finally, when you've been quarantining mails for a while without problems, you can request that they be rejected entirely.
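The three stages above correspond to the p=none, p=quarantine and p=reject policies in the domain's DMARC DNS record. As an added example, not code from the original article, the script below parses such a record and computes what a receiver would do with a message that fails the aligned SPF and DKIM checks at each stage. The three records, the reporting address and the use of a partial pct for the quarantine stage are constructed; the pct sampling rule (messages sampled out get the next-lower policy) follows RFC 7489.

```python
"""Parse a DMARC DNS record and compute the disposition a receiver would
apply to a message, walked through the three rollout stages.

Added example; not code from the original article. The three records
are constructed; the reporting address and the domain are assumptions.
The pct and next-lower-policy sampling behaviour follows RFC 7489.
"""
import random

VALID_POLICIES = ("none", "quarantine", "reject")

# One constructed record per rollout stage.
ROLLOUT = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@emailsherpa.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@emailsherpa.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@emailsherpa.com",
}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=...; tag=value' into a dict; raise on malformed input."""
    tags = {}
    order = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
        order.append(key.strip())
    # v=DMARC1 must come first, and p is the only other required tag.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be one of none, quarantine, reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    tags["pct"] = pct
    return tags


def disposition(record, spf_aligned_pass, dkim_aligned_pass, roll=None):
    """Disposition for one message given the aligned SPF/DKIM results.

    roll is a number in [0, 100); messages with roll < pct get the
    published policy, the rest get the next-lower one (reject ->
    quarantine, quarantine -> none). Pass roll explicitly for a
    deterministic result; otherwise one is drawn at random.
    """
    if spf_aligned_pass or dkim_aligned_pass:
        return "none"  # message passes DMARC, the policy does not apply
    if roll is None:
        roll = random.randrange(100)
    policy = record["p"]
    if roll >= record["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    for stage, txt in ROLLOUT.items():
        rec = parse_dmarc_record(txt)
        print(f"{stage:>10}: failing message ->",
              disposition(rec, False, False, roll=10), "(sampled in),",
              disposition(rec, False, False, roll=90), "(sampled out)")
```

With the quarantine-stage record, only a quarter of failing messages are actually quarantined and the rest fall back to p=none, which is one way to make the move from monitoring to enforcement less abrupt; dropping pct (or setting it to 100) gives full enforcement.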

Policies

Resources