securitya-plusBeginner26 min read

What Is Domain-based Message Authentication Reporting and Conformance? Security Definition

Also known as: DMARC, Domain-based Message Authentication Reporting and Conformance, email authentication, SPF, DKIM

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

DMARC is a security system for email that checks if a message actually came from the domain it says it is from. It works with two other technologies, SPF and DKIM, to verify the sender. If the email fails the check, DMARC tells the receiving server whether to reject it, quarantine it, or just let it through but report it. This helps stop email impersonation and phishing attacks.

Must Know for Exams

DMARC appears in the CompTIA Security+ (SY0-601 and SY0-701) exam objectives, specifically under domain 3 (Implementation) and domain 4 (Operations and Incident Response). It is also relevant to the CompTIA A+ (Core 2) exam, though at a more basic level, often as part of general email security awareness. The Security+ exam expects learners to understand the purpose of DMARC, how it relates to SPF and DKIM, and what the three policy actions (none, quarantine, reject) mean. Questions may ask you to identify the correct configuration for a given scenario, such as "An organization wants to block all emails that fail authentication. Which DMARC policy should they use?" The answer is "reject."

In the Security+ exam, DMARC is often grouped with other email security measures like SPF, DKIM, TLS, and STARTTLS. Learners need to know that SPF authenticates the sending server, DKIM authenticates the message content, and DMARC tells the receiving server what to do if those checks fail. The exam may present a scenario where a company is receiving complaints about phishing emails that look like they come from the company's own domain. The correct solution would be to implement DMARC with a reject policy, after first ensuring that SPF and DKIM are properly configured.

For the A+ exam, DMARC is typically covered in a broader context of securing communications and protecting against social engineering. The A+ exam may ask what technology can be used to prevent email spoofing, with DMARC being one of the correct options alongside SPF and DKIM. The focus is on recognition rather than deep configuration.

It is important to note that DMARC is not a standalone solution. It depends entirely on SPF and DKIM being correctly configured. An exam question might test this by describing a situation where DMARC is set to reject but legitimate emails are still being blocked. The cause might be that the company's email server is not included in the SPF record, so legitimate emails fail SPF, and since no DKIM signature is present, DMARC fails and the reject policy blocks them. Understanding this dependency is key for the exams.

Simple Meaning

Think of DMARC like a package delivery system with a verification stamp. When you order something online, you expect the package to arrive with proper labels and seals that prove it came from the real company. Email works similarly, but bad actors can easily fake the "from" address, making it look like an email came from your bank, your boss, or a trusted service. DMARC is a set of rules that email providers follow to check whether an email is legitimately from the domain it claims to be from.

To understand DMARC, you first need to know about two simpler tools it uses. SPF is like a guest list at a party. The domain owner publishes a list of all the servers that are allowed to send email for that domain. If a server that is not on the list tries to send an email claiming to be from that domain, SPF checks the server's IP address against the list and flags it. DKIM is like a wax seal on a letter. The domain owner puts a digital signature on every legitimate outgoing email, and the receiving server can check that the signature is genuine and that the email was not tampered with in transit.

DMARC takes these two checks and adds a policy. The domain owner publishes a policy that says what should happen when an email fails both SPF and DKIM checks. The policy can be set to "none" (just monitor and report), "quarantine" (send the email to the spam folder), or "reject" (block the email entirely). DMARC also generates reports that tell the domain owner which emails passed or failed, who sent them, and how many were rejected. This gives the domain owner visibility into how their domain is being used and abused.

For example, if a scammer sends an email pretending to be from "courseiva.com" to a Gmail user, Gmail will check the SPF and DKIM records for courseiva.com. If those checks fail, Gmail looks at the DMARC policy for courseiva.com. If the policy is set to "reject", Gmail will not deliver the email at all. If it is set to "quarantine", the email goes to spam. If it is set to "none", Gmail delivers the email but sends a report to the courseiva.com administrators about the failed attempt. This way, DMARC helps protect both the domain owner and the people receiving emails from that domain.

Full Technical Definition

DMARC is an email authentication protocol defined in RFC 7489. It builds on two existing mechanisms: Sender Policy Framework (SPF, RFC 7208) and DomainKeys Identified Mail (DKIM, RFC 6376). DMARC allows a domain owner to publish a policy that instructs receiving mail servers on how to handle messages that fail SPF and DKIM checks. This policy is published as a DNS TXT record at a specific subdomain: _dmarc.example.com.

The DMARC DNS record contains several key fields. The "v" field indicates the DMARC version, which is always "DMARC1". The "p" field specifies the policy for the domain. Possible values are "none" (take no action, just report), "quarantine" (treat the message as suspicious, often delivering it to the spam folder), and "reject" (block the message entirely). The "sp" field allows a separate policy for subdomains. The "pct" field controls the percentage of messages to which the policy applies, allowing gradual rollout. The "rua" field specifies an email address where aggregate reports are sent. The "ruf" field specifies an email address for forensic failure reports. The "adkim" and "aspf" fields control alignment modes for DKIM and SPF, respectively. Alignment means that the domain in the DKIM signature or the domain in the SPF envelope must match the domain in the From header.

When an email arrives at a receiving server, the server checks the SPF record of the domain in the From header. It also checks the DKIM signature. For DMARC to pass, at least one of these checks must pass, and the domain used in that check must align with the domain in the From header. If both checks fail, the receiving server looks up the DMARC record for the domain. It then applies the policy specified in that record. If no DMARC record exists, the server usually delivers the message without any DMARC-based action.

Implementing DMARC involves several steps. First, a domain owner must set up SPF and DKIM for their email sending infrastructure. Then they publish a DMARC record with a policy of "none" to start collecting reports without impacting email delivery. They analyze the reports to identify all legitimate email sources. After confirming that all legitimate sources are authenticated, they adjust the policy to "quarantine" and eventually "reject". This phased approach prevents accidental blocking of legitimate email. DMARC is widely used by large email providers such as Google, Microsoft, and Yahoo, and many organizations require a DMARC policy of "reject" before they will accept email from a domain.

Real-Life Example

Imagine a large office building with a security guard at the front desk. Every employee has an ID badge with their photo and name. The guard checks the badge to make sure the person matches the photo. This is like DKIM, verifying the identity of the sender. The building also has a list of approved vendors who are allowed to deliver packages. If a delivery person shows up who is not on the list, the guard sends them away. This is like SPF, checking that the sending server is authorized.

Now suppose someone without a badge and not on the vendor list tries to enter the building claiming to be from "Acme Supplies". The guard has a problem: the person does not match either check. Without a policy, the guard might just let them in, and this could lead to theft or other problems. DMARC is like a rulebook that the building manager gives to the guard. The rulebook says: if someone fails both the badge check and the vendor list check, here is what you do. The manager can set the rule to "let them in but call me" (policy of none), "make them wait in the lobby and call someone to escort them" (policy of quarantine), or "do not let them in at all" (policy of reject). The rulebook also includes a reporting system: the guard writes down every failed attempt, who the person claimed to be, and what action was taken. The manager reads these reports every day to see if anyone is trying to break in.

In this analogy, the building manager is the domain owner, the guard is the receiving email server, the ID badge is DKIM, the vendor list is SPF, and the rulebook is DMARC. The reports help the manager understand how the building is being targeted and whether the security rules need to be adjusted. This mapping shows how DMARC protects email domains from being impersonated, just as the rulebook protects the building from unauthorized visitors.

Why This Term Matters

DMARC matters for any organization that sends email, because email spoofing is one of the most common and dangerous attack vectors in cybersecurity. Without DMARC, attackers can easily forge the From address on an email and make it appear to come from a trusted domain. This is called phishing, and it is used to steal login credentials, spread malware, or trick employees into transferring money. DMARC gives domain owners a way to prove that they are taking steps to protect their users and partners. Many large email providers, including Gmail and Outlook.com, check DMARC records and will reject or quarantine messages that fail DMARC if the policy is set appropriately.

For IT professionals and system administrators, implementing DMARC is a standard part of securing email infrastructure. It is not just about protection; it is also about reputation. When a domain has a strong DMARC policy of reject, receiving servers trust that domain more. This improves email deliverability for legitimate messages. Conversely, a domain without DMARC or with a policy of none is more likely to be treated as suspicious, especially by strict email filters.

DMARC is also important for compliance and regulations. Many industry standards and government frameworks, such as the UK's National Cyber Security Centre guidelines and the US Homeland Security's Binding Operational Directive 18-01, require federal agencies to implement DMARC. In the private sector, financial institutions, healthcare organizations, and e-commerce companies use DMARC to protect their customers and meet compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) encourages the use of email authentication technologies including DMARC.

Finally, DMARC provides visibility. The aggregate reports that DMARC generates show a domain owner who is sending email from their domain, both legitimate and illegitimate. This helps identify compromised email servers, misconfigured third-party services, and active phishing campaigns targeting the domain. Without DMARC, a domain owner might never know that their domain is being used for malicious purposes until a victim reports it.

How It Appears in Exam Questions

Exam questions about DMARC typically fall into several categories. The most common is the definition and purpose question. For example, "Which of the following technologies is used to specify how an email server should handle messages that fail SPF and DKIM authentication?" The answer is DMARC. Another common pattern asks about the three policy actions: "An organization wants to monitor email authentication failures without affecting delivery. Which DMARC policy should they configure?" The answer is none.

Scenario-based questions are also frequent. A typical scenario might describe a company that has configured SPF and DKIM but is still receiving reports of phishing emails from their domain. The question asks what additional technology they should implement. The correct answer is DMARC. A more complex scenario might describe a company that implements DMARC with a reject policy, but then discovers that legitimate emails from their third-party marketing platform are being rejected. The question asks what the likely cause is. The answer is that the third-party platform is not included in the SPF record, or it does not sign emails with DKIM. This tests the understanding of the dependency between DMARC and the underlying authentication mechanisms.

Troubleshooting questions may ask about misconfigurations. For instance, "An administrator sets the DMARC policy to reject but notices no change in email delivery. What is the most likely reason?" Possible answers include: the DNS record is not propagated, the record is misspelled, or the receiving server does not support DMARC. Another troubleshooting question might involve analyzing a DMARC report. The learner might be shown a report that indicates a high number of failed messages from an unknown IP address and asked what action to take. The correct action would be to investigate the source and possibly update the SPF record or DKIM keys.

Architecture and design questions may ask about phased deployment. For example, "What is the recommended sequence for implementing DMARC?" The correct sequence is: start with SPF and DKIM, then publish a DMARC record with policy=none, monitor reports, adjust the policy to quarantine, then finally change to reject. This phased approach is a key concept in the exams. Finally, there are alignment questions. The exam may ask about strict versus relaxed alignment for DKIM or SPF, and how that affects DMARC evaluation. Knowing that alignment means the domain in the DKIM signature or SPF envelope must match the domain in the From header is critical.

Practise Domain-based Message Authentication Reporting and Conformance Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Sarah is the IT administrator for a mid-sized company called TechFlow Inc. The company has been receiving complaints from customers about phishing emails that appear to come from the company's domain, techflow.com. Some customers have clicked on links in those emails and had their accounts compromised. Sarah knows she needs to fix this.

First, Sarah reviews the company's current email setup. TechFlow uses Microsoft 365 for email, but they also send marketing emails through a third-party platform called MailBlast. Sarah checks the SPF record for techflow.com and finds that it only includes Microsoft's email servers. The MailBlast servers are not listed. She also checks for DKIM and finds that DKIM signing is not configured for techflow.com at all. Sarah realizes that because there is no DKIM and the SPF record is incomplete, any email from MailBlast will fail both authentication checks.

Sarah decides to implement DMARC to protect the domain. She first adds MailBlast's sending IP addresses to the SPF record. Then she generates a DKIM key pair for techflow.com and configures both Microsoft 365 and MailBlast to sign outgoing emails with the private key. She publishes the public key in the DNS records. After confirming that both SPF and DKIM are working for all legitimate email sources, she publishes a DMARC record with a policy of "none" and an email address to receive reports. For a week, she monitors the reports and sees no unexpected failures. Then she changes the policy to "quarantine" for another week. Finally, she changes the policy to "reject". Now, when a scammer sends a fake email pretending to be from techflow.com, the receiving server checks SPF and DKIM, both fail, and the server looks up the DMARC record. The policy says reject, so the phishing email is blocked before it even reaches the customer's inbox. The complaints stop.

Common Mistakes

Thinking DMARC replaces SPF and DKIM

DMARC does not replace SPF or DKIM. It requires both to be configured and working. DMARC only tells the receiving server what to do if those checks fail. Without SPF and DKIM, DMARC has nothing to check and cannot provide any protection.

Always configure SPF and DKIM first, then add DMARC on top. Think of SPF and DKIM as the locks, and DMARC as the instruction that says what happens if the locks are picked.

Setting the DMARC policy to 'reject' before verifying all legitimate email sources

If the DMARC policy is set to 'reject' and a legitimate email source is not included in SPF or does not sign with DKIM, that legitimate email will be rejected. This can cause loss of business communications, missed invoices, and angry users.

Start with policy 'none' and monitor the reports for at least a week. Identify all legitimate sending sources, add them to SPF or configure DKIM for them, and only then move to 'quarantine' and then 'reject'.

Confusing SPF alignment with DMARC

SPF alignment is a part of DMARC, not the whole. SPF alone can pass if the sending server is authorized, but DMARC also requires that the domain in the SPF envelope matches the domain in the From header. A common mistake is to think that a passing SPF check automatically means DMARC passes.

Remember that DMARC passes only if at least one of SPF or DKIM passes AND the domain used in that check aligns with the From header. Alignment is a separate condition.

Assuming DMARC prevents all types of email fraud

DMARC only protects against direct domain spoofing where the From domain is forged. It does not protect against lookalike domains (e.g., courseiva.com vs coursiva.com), compromised accounts, or social engineering that does not involve spoofing the domain.

Use DMARC as part of a broader email security strategy that includes user training, anti-phishing filters, domain monitoring, and multi-factor authentication.

Forgetting to include third-party email senders in the SPF record or DKIM configuration

Many organizations use third-party services like marketing platforms, helpdesk software, or CRM tools to send email on their behalf. If these services are not included in the SPF record or do not sign with DKIM, emails from them will fail DMARC and may be rejected or quarantined.

When implementing DMARC, list every service that sends email from your domain. Add their IP addresses to the SPF record and configure DKIM signing for each service. Monitor DMARC reports to catch any missing sources.

Exam Trap — Don't Get Fooled

The exam presents a situation where an organization has DMARC configured with policy 'reject', but employees are still receiving phishing emails that look like they come from their own domain. The question asks what the most likely cause is, and one of the options is 'The DMARC record is missing the rua field.' Understand that the only required fields in a DMARC record are 'v' (version) and 'p' (policy).

The 'rua' field is optional and only controls reporting. The reject policy works regardless of whether 'rua' is present. The correct answer in this scenario would likely be that SPF or DKIM is not configured correctly, or that the phishing emails are using a lookalike domain instead of the actual domain.

Commonly Confused With

Domain-based Message Authentication Reporting and ConformancevsSPF (Sender Policy Framework)

SPF only checks that the sending server's IP address is authorized by the domain owner. It does not check the content of the email or tell the receiving server what to do if the check fails. DMARC builds on SPF by adding a policy and alignment checks. SPF is a component of DMARC.

SPF is like a guest list at a party door. DMARC is like a rulebook for the bouncer that also checks if the guest's ID photo matches their face, and then says 'let them in, watch them, or kick them out.'

Domain-based Message Authentication Reporting and ConformancevsDKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to the email header, which the receiving server can verify using a public key in DNS. It ensures the email was not tampered with and was signed by the domain. DMARC uses DKIM as one of its authentication checks, but DKIM alone does not specify a policy for failed messages.

DKIM is like a wax seal on a letter. DMARC is the instruction that says 'if the seal is broken or missing, throw the letter away.'

Domain-based Message Authentication Reporting and ConformancevsTLS for email (STARTTLS)

TLS encrypts the email while it is in transit between servers. It does not verify the identity of the sender or prevent spoofing. DMARC does not encrypt anything; it only authenticates the sender and applies a policy. They are complementary technologies for different security goals.

TLS is like sending a letter in a locked box. DMARC is like checking the return address and deciding whether to accept the letter at all. You can have one without the other.

Domain-based Message Authentication Reporting and ConformancevsMTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS ensures that email servers only connect using TLS and verifies the server certificate. It prevents man-in-the-middle attacks during email delivery. DMARC does not deal with the delivery path, only with the authentication of the sender domain. Both are security measures, but they address different layers.

MTA-STS is like requiring delivery trucks to use a secure highway and show proper ID at the checkpoint. DMARC is like checking the sender's return address on the package.

Step-by-Step Breakdown

1

Prepare SPF

The domain owner creates an SPF record in DNS that lists all IP addresses or hostnames authorized to send email for the domain. For example, 'v=spf1 include:_spf.google.com ~all' means only Google servers can send email, and all others are flagged as softfail. This step is essential because DMARC uses SPF as one of its two authentication checks.

2

Prepare DKIM

The domain owner generates a public-private key pair. The private key is used to sign outgoing emails. The public key is published in DNS as a TXT record. The receiving server uses the public key to verify the signature on incoming emails. DKIM is the second authentication check used by DMARC.

3

Publish a DMARC DNS record

The domain owner creates a TXT record at _dmarc.example.com. The record includes the version tag 'v=DMARC1', the policy tag 'p=none', 'p=quarantine', or 'p=reject', and optionally the reporting addresses (rua and ruf) and percentage (pct). This record tells receiving servers what to do with emails that fail SPF and DKIM.

4

Start with policy none and monitor

The domain owner sets the policy to 'none' initially. This allows receiving servers to still deliver the email even if authentication fails, but they will send aggregate reports to the specified address. The domain owner monitors these reports for at least a week to identify all legitimate email sources and any unauthorized senders.

5

Adjust policy to quarantine

After confirming that all legitimate email sources are properly authenticated (either via SPF or DKIM), the domain owner changes the policy to 'quarantine'. Now, emails that fail DMARC will be delivered to the spam or junk folder instead of the inbox. This step protects users while still allowing review of quarantined messages.

6

Escalate policy to reject

Once the domain owner is confident that no legitimate email will be blocked, they change the policy to 'reject'. Now, receiving servers will refuse to deliver any email that fails DMARC. This provides the strongest protection against domain spoofing and is the recommended final state for most organizations.

7

Continually monitor reports

Even after reaching the reject policy, the domain owner should continue to monitor DMARC reports. New third-party services may be added, sending infrastructure may change, and attackers may find new ways to target the domain. Regular review of reports ensures that the DMARC configuration remains effective and does not accidentally block legitimate email.

Practical Mini-Lesson

DMARC is a powerful tool, but it requires careful planning and ongoing maintenance. As an IT professional, your first task when implementing DMARC is to understand your email sending infrastructure. You need to know every service that sends email from your domain. This includes your main email server (like Exchange Online or Google Workspace), marketing platforms (like Mailchimp or HubSpot), CRM systems, support ticketing systems, and even automated notification systems. Each of these must either be included in your SPF record or configured to sign emails with DKIM. If you miss one, legitimate emails from that service will be rejected or quarantined when you move to a strict DMARC policy.

Configuring SPF can be tricky because of the 10 DNS lookup limit. Every time you add a service like 'include:_spf.google.com', that counts as one lookup. If you include multiple services, you can quickly hit the limit. If you exceed 10 lookups, SPF will fail permanently for all emails. To avoid this, you can use SPF macros or consolidate services under a single include. Another common issue is using '~all' (softfail) instead of '-all' (hard fail) in your SPF record. For DMARC to work effectively, you need to use '-all' so that unauthorized servers are clearly rejected.

DKIM configuration requires generating a key pair for each domain. Some services allow you to use a single key for multiple domains, but best practice is to use separate keys for better security. The public key is published in DNS as a TXT record with a specific selector name. You need to coordinate with each third-party service to get their required DKIM settings. After configuration, you should test DKIM signing by sending a test email and checking the headers for a valid 'DKIM-Signature' field.

When you first publish a DMARC record with policy 'none', you will start receiving aggregate reports. These reports are XML files that summarize the results of authentication checks for all emails received from your domain. You can use free or commercial tools to parse and analyze these reports. Look for emails that failed both SPF and DKIM. If you see failures from IP addresses you recognize as legitimate, you need to add them to your SPF record or configure DKIM for them. If you see unknown IP addresses, those could be attackers trying to spoof your domain. You may want to take additional action such as reporting them to the hosting provider.

Moving from 'none' to 'quarantine' is a significant step. It means that some email from your domain may now go to spam. Communicate this change to your organization's users and to any third parties that send email on your behalf. Give them a deadline to fix any authentication issues. After a few weeks of quarantine, review the reports again to ensure that no legitimate business email is being quarantined. Only then should you move to 'reject'. Once you are at 'reject', your domain is well protected, but do not stop monitoring. Check the reports monthly to catch any new unauthorized senders or misconfigurations.

In a real-world IT environment, DMARC is often part of a broader email security strategy that includes anti-spam filters, anti-phishing gateways, user awareness training, and incident response plans. DMARC alone cannot stop all email threats, but it is one of the most effective measures against domain spoofing. It also improves your domain's reputation, which can increase deliverability rates for your marketing and transactional emails. For IT certification exams, remember the three policies, the dependency on SPF and DKIM, the alignment requirement, and the phased deployment approach.

Memory Tip

Remember DMARC as "Don't Mail Anything Rejected Check" — the three policy actions are None, Quarantine, Reject. The 'C' stands for conformance, meaning the email must conform to both SPF and DKIM standards.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

What does DMARC stand for?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a protocol that helps prevent email spoofing by allowing domain owners to set policies for unauthenticated email.

Is DMARC required for email to work?

No, DMARC is not required for email to work. However, many email providers and organizations now require DMARC for better security. Without DMARC, your domain is more vulnerable to spoofing and phishing attacks.

Can DMARC prevent all phishing emails?

No, DMARC only prevents emails that spoof your exact domain. It does not prevent lookalike domains (like amaz0n.com instead of amazon.com), compromised accounts, or email-based attacks that do not involve spoofing the From address.

What is the difference between DMARC policy 'quarantine' and 'reject'?

Quarantine sends the email to the spam or junk folder. Reject blocks the email entirely so it never reaches the recipient. Reject is stronger but requires more careful setup to avoid blocking legitimate emails.

Do I need both SPF and DKIM for DMARC to work?

DMARC requires that at least one of SPF or DKIM passes, and that the domain used in the pass aligns with the From header. If both fail, DMARC fails and the policy is applied. So you need at least one of them configured correctly, but having both is better.

How long does it take for a DMARC DNS record to take effect?

Changes to DNS records, including DMARC records, can take anywhere from a few minutes to 48 hours to propagate. Always wait for propagation before making significant policy changes like moving from quarantine to reject.

What is an aggregate report in DMARC?

An aggregate report is an XML file sent to the email address specified in the rua field of the DMARC record. It contains statistics on how many emails passed or failed SPF, DKIM, and DMARC, and where they came from. This helps domain owners monitor their email authentication health.

Can I use DMARC if I use a third-party email hosting service?

Yes, you can and should use DMARC even if you use a third-party email service. You need to configure SPF and DKIM according to the service's instructions, then publish your own DMARC record for your domain.

Summary

DMARC is an email authentication protocol that helps protect your domain from being used in spoofing and phishing attacks. It works by building on SPF and DKIM, which verify that an email came from an authorized server and that its content has not been tampered with. DMARC adds a policy that tells receiving mail servers what to do if those checks fail: do nothing and report (none), send to spam (quarantine), or block the email (reject).

For IT certification exams, the key points to remember are the three policy actions, the dependency on SPF and DKIM, the concept of alignment, and the recommended phased deployment starting with policy none. DMARC is not a standalone solution but a critical component of a comprehensive email security strategy. In real-world IT, implementing DMARC reduces the risk of successful phishing attacks, improves email deliverability, and helps organizations meet compliance requirements.

By understanding DMARC, you demonstrate a practical knowledge of modern email security that is highly valued in any IT role.