What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?
Turkish: DMARC
DMARC combines SPF and DKIM results with domain policy and reporting so email senders can reduce spoofing and phishing risk.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security standard that combines SPF and DKIM authentication results with a domain-level policy. It tells receiving mail servers what to do with messages that fail checks for a domain.
For example, if an attacker tries to send invoice email while impersonating a company domain, a DMARC record can tell receivers to only report the message, quarantine it, or reject it. Domain owners gain both an enforcement policy and visibility through reports.
How Does It Work?
DMARC is published as a DNS TXT record. The record can include a policy (p=none, p=quarantine, p=reject), report addresses (rua, optionally ruf), and alignment settings.
DMARC checks two main conditions:
- Does the message pass SPF or DKIM?
- Does the passing result align with the visible From domain?
The second condition matters because SPF and DKIM are each checked against a domain that may differ from the visible From header (the envelope sender for SPF, the signing domain for DKIM), so a message can technically pass one of them for a domain unrelated to the one shown to the user.
Setup and Risk Management
Deployment usually starts with p=none for monitoring. Reports are reviewed, legitimate senders are brought fully under SPF/DKIM coverage, and the policy is then moved gradually toward quarantine and reject.
SPF validates sender IP authorization, while DKIM validates a domain signature on the message. DMARC turns those results into a domain policy. Misconfiguration can reject legitimate mail, so marketing, transactional email, and corporate mail sources should be inventoried together.
Related Terms
DKIM adds a cryptographic signature to email so receiving servers can verify that a domain authorized and preserved the message.
Phishing: Phishing tricks users with fake messages or sites to steal passwords, payment data, or approval for unauthorized actions.
SPF (Sender Policy Framework): SPF is an email authentication control that publishes approved sending servers in DNS, helping receivers spot spoofed domain mail.