1. Introduction
The Sender Policy Framework ([SPF]) and DomainKeys Identified Mail ([DKIM]) provide domain-level authentication. They enable cooperating email receivers to detect mail authorized to use the domain name, which can permit differential handling. (A detailed discussion of the threats these systems attempt to address can be found in [DKIM-THREATS].) However, there has been no single widely accepted or publicly available mechanism to communicate domain-specific message-handling policies to receivers, or to request reporting of the authentication results and disposition of received mail. Absent the ability to obtain feedback reports, originators who have implemented email authentication have difficulty determining how effective their authentication is. As a consequence, use of authentication failures to filter mail typically does not succeed.
Over time, one-on-one relationships were established between select senders and receivers with privately communicated means to assert policy and receive message traffic and authentication disposition reporting. Although these ad hoc practices have been generally successful, they require significant manual coordination between parties, and this model does not scale for general use on the Internet.
This document defines Domain-based Message Authentication, Reporting, and Conformance (DMARC), a mechanism by which email operators leverage existing authentication and policy advertisement technologies to enable both message-stream feedback and enforcement of policies against unauthenticated email.
DMARC allows Domain Owners and receivers to collaborate by:
- Providing receivers with assertions about Domain Owners' policies
- Providing feedback to senders so they can monitor authentication and judge threats
The basic outline of DMARC is as follows:
- Domain Owners publish policy assertions about domains via the DNS.
- Receivers compare the RFC5322.From address in the mail to the SPF and DKIM results, if present, and the DMARC policy in DNS.
- These receivers can use these results to determine how the mail should be handled.
- The receiver sends reports to the Domain Owner or its designee about mail claiming to be from their domain.
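The outline above, worked through as a small receiver-side evaluation. This is an added example, not code from this document or from any DMARC implementation: it parses a published policy record, checks identifier alignment of the SPF and DKIM results against the RFC5322.From domain, and returns the disposition the Domain Owner requested. The DNS_TXT table, the policy records, the SPF/DKIM results and the two-label stand-in for the Public Suffix List are all constructed for the example.

```python
"""Minimal DMARC evaluation, added here as an illustration of the outline
above; it is not code from the RFC or from any DMARC implementation.
The DMARC records, SPF/DKIM results and public-suffix handling below are
constructed for the example."""

# Constructed stand-in for a DNS lookup of the _dmarc.<domain> TXT record.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; sp=none",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs; v=DMARC1 and p= are required.
    Alignment modes default to relaxed ('r') when the tags are absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational Domain. Assumption: the last two labels stand in for a
    real Public Suffix List lookup, which production code must use instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs only the same Organizational Domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def lookup_policy(from_domain: str):
    """Find the policy for the RFC5322.From domain, falling back to its
    Organizational Domain. Returns (tags, is_subdomain) or None."""
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    if org != from_domain:
        record = DNS_TXT.get(f"_dmarc.{org}")
        if record:
            return parse_dmarc(record), True
    return None


def evaluate(from_domain, spf_result, spf_domain, dkim_results):
    """Return (dmarc_result, disposition).

    spf_result/spf_domain are the SPF outcome and the MAIL FROM domain it was
    evaluated for; dkim_results is a list of (signing d= domain, result) for
    each verified signature. Disposition is 'none' unless an aligned pass is
    missing, in which case the published p= (or sp= for subdomains) applies."""
    found = lookup_policy(from_domain)
    if found is None:
        return "none", "none"  # no policy published: nothing to enforce
    tags, is_subdomain = found
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags["adkim"])
                  for d, result in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy
```

Note how adkim=s on example.com makes a DKIM signature from mail.example.com non-aligned even though it is a legitimate subdomain, while aspf=r accepts a MAIL FROM of bounce.example.com; the strictness a Domain Owner publishes directly determines which of its own mail streams will fail.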
Security terms used in this document are defined in [SEC-TERMS].