What Is DMARC?

DMARC, Domain-based Message Authentication, Reporting & Conformance, built upon two other protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), is the latest and greatest in email authentication. Digital marketers know that email marketing is a critical channel for business. 72 percent of customers still rate email as the most preferred method of communication and for every $1 spent, email marketing generates $38 in ROI. Unfortunately, the most valuable marketing channel is also the least secure. Every day, beyond your control, cybercriminals send emails that spoof your brand and target your employees, customers, and partners with malicious content. An email attack can cost your company millions and destroy priceless consumer trust in your brand in seconds. That’s why it is critical to protect the email channel. The best way to do it? Implementing the DMARC authentication standard.

DMARC can get pretty complicated. Below, we break down how it works and why it’s crucial for marketers.

The role of DMARC

DMARC ensures that your legitimate messages are properly authenticating and that fraudulent activity, seeming to come from domains under your organization’s control (active sending domains, non-sending domains, and defensively registered domains), is blocked.

How DMARC Works

The email channel is vulnerable. Cybercriminals can (and will) manipulate the “from” address in messages to make them appear come from your brand. DMARC prevents this manipulation by:

  1. Aligning the visible “from” domain name with the domain listed in the hidden technical header of the message (aka SPF alignment)
  2. Aligning the “from” domain name with the domain found in the DKIM signature(aka DKIM alignment)


To pass DMARC, a message must pass SPF authentication/alignment and or DKIM authentication/alignment.

A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.

The best part about DMARC is that it allows senders to instruct mailbox providers on how to handle unauthenticated mail via a DMARC policy.

Senders can either:

  • Monitor all mail, to understand their brand’s email authentication ecosystem and ensure legitimate mail is authenticating properly without interfering with the delivery of messages that fail DMARC,
  • Quarantine messages that fail DMARC (e.g., move to the spam folder), OR
  • Reject messages that fail DMARC (e.g., don’t deliver the mail at all).

Mailbox providers then deliver regular DMARC reports back to senders, giving them visibility into what messages are and are not authenticating and why.

Why DMARC Matters for Marketers

DMARC not only protects the email channel from cybercriminals, it also protects the performance of your legitimate email campaigns.

In an effort to improve user experience and mitigate risk, mailbox providers are removing the guesswork for users when it comes to suspicious email and they’re cracking down on any company with an insecure email channel.

For example, as of February 2016, Google is flagging emails that fail authentication by replacing company avatars with a red question mark.

Email Authenticated

Other mailbox providers are following suit, including Microsoft, which inserts a red safety tip bar at the top of both known phishing messages and (potentially legitimate) messages that have failed authentication.

When consumers see an email with a question mark or warning, they will not only be less likely to engage with that email but will also be less likely to engage with that brand.

Without strong email authentication, legitimate emails sent by your company or by third parties sending on your behalf will likely be treated as phishing emails—they will be flagged for users, sent to the spam folder or rejected outright.

Want to learn more about how DMARC helps marketers? Listen to our webinar, “Why Marketers Should Fight Email Fraud.”