DMARC - Domain-Based Email Authentication
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol that authenticates the sending domain of email and prevents spoofed messages. By integrating the two existing technologies SPF and DKIM and adding a handling policy for messages that fail authentication along with a reporting feature, it is becoming the international standard for email security as an effective countermeasure against phishing and spear phishing.
The Three-Layer Structure of SPF, DKIM, and DMARC
To understand email authentication, you need to clarify the roles of three technologies. SPF (Sender Policy Framework) is a mechanism for declaring, in a domain's DNS records, the IP addresses that are allowed to send email from that domain. The receiving server verifies whether the sending IP of the message is included in the SPF record.
DKIM (DomainKeys Identified Mail) is a mechanism in which the sending server attaches a digital signature to the message and the receiving server verifies the signature using the public key published in DNS. It guarantees that the content of the message has not been tampered with in transit.
DMARC is the "policy layer" that ties these two together. It checks that the domain authenticated by SPF or DKIM is consistent with the domain shown in the message's From header (the domain that the user actually sees). This check is called "alignment." DMARC covers the gap that SPF and DKIM alone left open: the legitimacy of the sender domain that is actually displayed to the recipient.
Phased Adoption of Policy Modes
A DMARC policy can be configured in three stages. p=none is monitoring mode: even if authentication fails, it does not affect message delivery and only collects reports. p=quarantine routes messages that fail authentication to the spam folder. p=reject rejects messages that fail authentication outright.
In practice, setting it to reject right away is dangerous. If legitimate sending paths are not properly configured for SPF/DKIM, even your own legitimate messages will be rejected. The recommended deployment procedure is to first use none for 2-4 weeks to collect reports and grasp the email sending paths from your own domain. Next, move to quarantine to check the impact, and if there are no problems, raise it to reject. This phased approach lets you strengthen security while keeping the impact on legitimate messages to a minimum.
The 2024 Mandate by Google and Yahoo
In February 2024, Google and Yahoo made DMARC configuration mandatory for bulk senders (more than 5,000 messages per day). This decision is a turning point in email security. The messages of senders who do not comply are either restricted in delivery or classified as spam in Gmail and Yahoo Mail.
The impact of this mandate was far-reaching. Every kind of bulk sender was forced to respond, including companies that send marketing email in large volumes, newsletter delivery services, and order-confirmation emails from e-commerce sites. In particular, companies that use multiple email delivery services together (such as SendGrid, Amazon SES, and Mailchimp) needed to configure SPF and DKIM correctly on every sending path, and many struggled to comply. From the perspective of phishing protection as well, this mandate is a major step forward.
How to Read and Use DMARC Reports
Once you configure DMARC, two types of reports are sent from receiving servers. The aggregate report (RUA) is in XML format and statistically summarizes the authentication results per sending IP. The forensic report (failure report, RUF) contains detailed information about individual messages that failed authentication.
Because the XML of aggregate reports is hard for humans to read directly, the standard practice in the field is to use visualization tools such as DMARC Analyzer or dmarcian. The important information to read from the reports is the "sending IPs that claim your domain but fail authentication." If such an IP is your own legitimate server, it indicates a configuration gap; if it is an unfamiliar IP, it may indicate spoofing. DMARC reports are also effective for detecting spoofed messages combined with social engineering. Email security books on Amazon explain the specific steps for report analysis.
Current Adoption Rates and Challenges
As of 2025, the DMARC adoption rate among Fortune 500 companies has reached about 90%, but only about half of those companies have reached a reject policy. The adoption rate among Japanese companies is even lower, and especially among small and medium-sized enterprises there are many cases where the very existence of DMARC is not recognized. Like encryption, DMARC is an infrastructure-level security measure, and because its effect is hard to see, it faces a structural challenge: its investment priority tends not to rise. Amid the growing threat of AI-generated phishing, protecting email accounts is becoming ever more important.