Understanding DMARC
Resources
DMARC guides
- Demystifying DMARC - A complete guide to SPF, DKIM, and DMARC
SPF and DMARC record validation
If you are looking for SPF and DMARC record validation and parsing, check out the sister project, checkdmarc.
Lookalike domains
DMARC protects against spoofing of your own domain, not against lookalike domains (e.g. examp1e.com). For open source lookalike domain monitoring, check out DomainAware.
DMARC Alignment Guide
DMARC ensures that the SPF and DKIM authentication mechanisms actually authenticate against the same domain that the end user sees in the message's From: header.
A message passes a DMARC check if DKIM or SPF passes, and the mechanism that passed is also in alignment with the From: header domain. Alignment is relaxed by default (the two domains share the same organizational domain, e.g. bounce.example.com and example.com); a DMARC record can require an exact match with adkim=s or aspf=s.
| | **DKIM** | **SPF** |
|---|---|---|
| **Passing** | The signature in the DKIM-Signature header is validated using the public key published as a DNS TXT record under the domain named in the signature's d= tag | The sending mail server's IP address is listed in the SPF record of the domain in the SMTP envelope's MAIL FROM (Return-Path) address |
| **Alignment** | The signing domain (d=) aligns with the domain in the message's From: header | The domain in the SMTP envelope's MAIL FROM address aligns with the domain in the message's From: header |
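The following is an added example, not code from the original page or from the parsedmarc project, showing how a receiver combines the pass and alignment checks in the table above. The organizational-domain lookup is a deliberate simplification: real validators consult the Public Suffix List, and the small PUBLIC_SUFFIXES set below is a constructed stand-in for it. The sample authentication results are constructed as well.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption: real
# implementations load the full list, e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower().rstrip(".")


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From: header (what the user sees)
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM-Signature header
    spf_result: str    # "pass", "fail", "softfail", "none" ...
    spf_domain: str    # domain of the SMTP envelope MAIL FROM (Return-Path)


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one mechanism both passes AND aligns."""
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    return {
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
    }


if __name__ == "__main__":
    # Constructed sample 1: a vendor signs and sends with its own domain while
    # putting example.com in From:. SPF and DKIM both pass, but neither aligns.
    vendor = AuthResults("example.com", "pass", "vendor.com", "pass", "bounce.vendor.com")
    print("vendor relay:", dmarc_evaluate(vendor))           # dmarc fail

    # Constructed sample 2: DKIM broken in transit, but MAIL FROM is a subdomain
    # of the From: domain, so SPF aligns under relaxed mode only.
    relayed = AuthResults("example.com", "fail", "example.com", "pass", "bounce.example.com")
    print("relaxed:", dmarc_evaluate(relayed))               # dmarc pass
    print("strict aspf:", dmarc_evaluate(relayed, aspf="s"))  # dmarc fail
```

The vendor case is exactly the situation the next section addresses: both mechanisms "pass" for the vendor's own domain, yet DMARC fails because neither authenticated domain is the one shown to the user.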
What if a sender won't support DKIM/DMARC?
- Some vendors don't know about DMARC yet; ask about SPF and DKIM, or "email authentication", instead.
- Check whether they can send through your email relays instead of theirs, so the mail is signed and sent from infrastructure your SPF and DKIM records already cover.
- Do they really need to send as your domain? Often your organization's name in the display name, with the vendor's own domain in the From: address, is enough.
- Worst case, have that vendor send email from a dedicated subdomain of your domain (e.g. noreply@news.example.com), then publish separate SPF and DMARC records on news.example.com and set p=none in that subdomain's DMARC record.
Warning
Do not relax the p or sp values of the DMARC record on your organizational domain (e.g. example.com) to accommodate such a vendor. The sp tag governs every subdomain that has no DMARC record of its own, so setting it to none would leave all of those subdomains, and with p=none the organizational domain itself, open to spoofing. A p=none record published on the vendor's subdomain overrides the organizational domain's sp value for that one subdomain only.
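The following is an added example, not code from the original page or from the parsedmarc project, showing how a receiver discovers the DMARC policy for a From: domain (exact domain first, then the organizational domain's sp value) and why the subdomain approach above is safe while weakening the organizational record is not. DNS is replaced by a constructed dictionary of TXT records, the public-suffix set is a constructed stand-in for the Public Suffix List, and the record contents are illustrative.

```python
# Constructed stand-in for DNS: _dmarc TXT records for an organization that
# enforces reject, plus a vendor subdomain that is still in monitoring mode.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower().rstrip(".")


def parse_dmarc(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(from_domain: str, dns: dict = DNS_TXT) -> dict:
    """Policy discovery as receivers do it: exact domain, then org domain + sp."""
    from_domain = from_domain.lower().rstrip(".")
    record = dns.get(f"_dmarc.{from_domain}")
    if record and parse_dmarc(record).get("v") == "DMARC1":
        # A record on the exact From: domain wins; its own p= applies.
        return {"record_domain": from_domain, "policy": parse_dmarc(record).get("p", "none")}
    org = organizational_domain(from_domain)
    record = dns.get(f"_dmarc.{org}")
    if not record or parse_dmarc(record).get("v") != "DMARC1":
        return {"record_domain": None, "policy": None}  # no DMARC at all
    tags = parse_dmarc(record)
    # Subdomains without their own record inherit sp=, which defaults to p=.
    return {"record_domain": org, "policy": tags.get("sp", tags.get("p", "none"))}


# The weak configuration the warning above argues against: sp=none on the
# organizational domain. Constructed to show the effect on other subdomains.
WEAK_DNS = dict(DNS_TXT)
WEAK_DNS["_dmarc.example.com"] = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"


if __name__ == "__main__":
    for name in ("example.com", "news.example.com", "billing.example.com"):
        print(name, "->", discover_policy(name))
    # Only the vendor subdomain is p=none; billing.example.com stays reject.
    print("weak:", "billing.example.com", "->", discover_policy("billing.example.com", WEAK_DNS))
    # With sp=none on example.com, every subdomain without its own record is unprotected.
```

Run it and compare the two `billing.example.com` lines: with the correct configuration a spoofed billing.example.com is rejected, because the organizational record's sp=reject covers it; with sp=none it would be delivered.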