Below is a short history of DMARC, giving some background into why this is important and how it works.
How DMARC works
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that provides instructions, via a DMARC policy published in DNS, to ISPs and other email receivers about how to handle unauthenticated mail. It was originally designed to detect and prevent email spoofing.
DMARC leverages two existing email authentication protocols (SPF & DKIM) to help email receivers determine the authenticity of a message and whether to deliver the message to the inbox, block the message, or place the message in quarantine or spam based on policy values that have been set by the sender.
Here is an example of a DMARC record one might find in DNS:
The main purpose for DMARC is to set a "policy". This policy contains the action that should take place when unauthenticated mail from this domain is received. The options are to do nothing ("none"), put the mail in "quarantine" or "reject" the message. Only by using the “reject" policy, can a domain be fully protected.
The second functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in "rua" (aggregated reports) and "ruf" (forensic reports). https://e-mail.eco.de/wp-content/blogs.dir/26/files/eco_dmarc_legal_report.pdf provides an interesting perspective on the legal aspect of DMARC reports.
- reject - If the message does not pass DKIM and/or SPF, validation will fail.
- quarantine - If the message does not pass DKIM and/or SPF, validation will be handled by the mail provider accordingly (deliver to junk/spam, send a report to the sender, mark the message as suspicious, etc.).
- none - The domain owner is asking the receiver to take no action if the DMARC check fails. The receiver will still check SPF and/or DKIM validation and may reject the messages accordingly. A DMARC record with the policy value set to none may impact deliverabilty, but still allows the receiver to be able to identify where the messages are coming from and if they are authentic.
The authentication process
How rua and ruf reports work
How does DMARC affect deliverability?
DMARC allows ISPs to rely more on domain reputation. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Any domain owner that does not protect with DMARC is vulnerable for phishing and spoofing abuse, and if your domain can be abused by a third party, your domain reputation will most likely suffer.
But there’s more than that. Many senders use link tracking methods to track clicks. Some of those trackable links have the same characteristics as links used in phishing emails. Using badly-designed trackable links may lead to emails landing in the spam folder or even being blocked, unless DMARC is being used. DMARC excludes the possibility that badly-designed or formatted emails can be taken as phishing attempts.
Setting up DMARC
Before you can fully protect your domain with DMARC, it may be useful to test if all the mail you send from all environments you use is properly authenticated. This can be done with a policy set to "none" or "quarantine" and reporting mode on. You should be able to read the reports you receive in order to determine if your authentication works as expected.
As soon as SPF and DKIM are assured to be fully in line on all affected infrastructure, it is safe to change the policy to "reject". DMARC records are valid for all subdomains of the domain it is configured with. For example, a standard DMARC record on example.com also applies to subdomain.example.com. For optimal protection of your brand, it is recommended to set DMARC at the highest domain-level possible.