Domain-based Message Authentication, Reporting, and Conformance — an email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens to emails that fail authentication checks.
DMARC is the policy layer that ties SPF and DKIM together. While SPF and DKIM can verify email origins, DMARC tells the receiving server what to do with messages that fail those checks: accept them, quarantine them (send to spam), or reject them outright.
DMARC also solves the "alignment" problem — it checks that the domain in the header "From" address (what the user sees) matches the domain verified by SPF and DKIM. This closes the gap that allowed attackers to pass SPF checks while still spoofing the visible sender.
The reporting feature of DMARC sends feedback to domain owners about who is sending email using their domain, legitimate or otherwise. This visibility helps organizations identify and stop unauthorized use of their brand in phishing campaigns.
After the US government mandated DMARC with a "reject" policy for all .gov domains in 2018, the volume of spoofed emails impersonating government agencies dropped dramatically. This made it significantly harder for scammers to send convincing IRS, Social Security, and Medicare phishing emails.