DMARC - What is it?
DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.
DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.
Why is DMARC Important?
With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof, and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.
Users can't tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there's no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.
DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.
How Does DMARC Work?
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes, such as junking or rejecting the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
Who Can Use DMARC?
DMARC policies are published in the public Domain Name System (DNS),
and available to everyone. Because the specification is available with
no licensing or similar restriction, any interested party is free to
Status of DMARC
April 2, 2014: The DMARC specification has been submitted as an
Informational Document to the RFC Independent Submissions Editor (ISE).
Link to DMARC Specification.
DMARC was developed by the organizations listed below over the course of
several years. The specification was publicly announced on January
30th, 2012 and was immediately available for download from the DMARC.org
website. A mailing list for anybody interested in reviewing or discussing the
specification was announced and started seeing traffic the same day.
Discussions on the list have provided a great deal of feedback on and
input to the specification.
After seeing dramatic adoption, DMARC was submitted to the
IETF for standardization on March 31, 2013. That summer a
BoF was held (agenda and minutes)
in Berlin to discuss chartering a working group to develop
extensions and supporting documents like the
Using DMARC best common practices (BCP) document.
While there was enthusiasm around the proposed working group, there was
also a strong sentiment among some respondents that either A) the specification
was complete enough that there was nothing to warrant an IETF working group,
or B) that the entire specification should be reconsidered from scratch,
which would leave implementors and deployers in an uncertain situation for
as long as several years, based on the pace of work on similar standards in
After a great deal of deliberation and exploring all options, the
switched to the Independent Submissions track
effective April 2, 2014. The
result will not be an IETF Internet Standard as originally envisioned by the
DMARC.org member organizations. However, it will provide a fixed
reference document that can provide the basis for
development on the Standards track at a later date.
As of early 2013 DMARC had been deployed to protect roughly 2 billion
email accounts - over 60% of consumer mailboxes globally, and over
80% of consumer mailboxes in the United States.