2. Requirements
Specification of DMARC is guided by the following high-level goals, security dependencies, detailed requirements, and items that are documented as out of scope.
2.1. High-Level Goals
DMARC has the following high-level goals:
- Allow Domain Owners to assert the preferred handling of authentication failures, for messages purporting to have authorship within the domain.
- Allow Domain Owners to verify their authentication deployment.
- Minimize implementation complexity for both senders and receivers, as well as the impact on handling and delivery of legitimate messages.
- Reduce the amount of successfully delivered spoofed email.
- Work at Internet scale.
2.2. Out of Scope
Several topics and issues are specifically out of scope for the initial version of this work. These include the following:
- different treatment of messages that are not authenticated versus those that fail authentication;
- evaluation of anything other than RFC5322.From;
- multiple reporting formats;
- publishing policy other than via the DNS;
- reporting or otherwise evaluating other than the last-hop IP address;
- attacks in the RFC5322.From field, also known as "display name" attacks;
- authentication of entities other than domains, since DMARC is built upon SPF and DKIM, which authenticate domains; and
- content analysis.
2.3. Scalability
Scalability is a major issue for systems that need to operate in a system as widely deployed as current SMTP email. For this reason, DMARC seeks to avoid the need for third parties or pre-sending agreements between senders and receivers. This preserves the positive aspects of the current email infrastructure.
Although DMARC does not introduce third-party senders (namely external agents authorized to send on behalf of an operator) to the email-handling flow, it also does not preclude them. Such third parties are free to provide services in conjunction with DMARC.
2.4. Anti-Phishing
DMARC is designed to prevent bad actors from sending mail that claims to come from legitimate senders, particularly senders of transactional email (official mail that is about business transactions). One of the primary uses of this kind of spoofed mail is phishing (enticing users to provide information by pretending to be the legitimate service requesting the information). Thus, DMARC is significantly informed by ongoing efforts to enact large-scale, Internet-wide anti-phishing measures.
Although DMARC can only be used to combat specific forms of exact-domain spoofing directly, the DMARC mechanism has been found to be useful in the creation of reliable and defensible message streams.
DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it does not address the use of visually similar domain names ("cousin domains") or abuse of the RFC5322.From human-readable <display-name>.
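The boundary described above (DMARC evaluates only the domain in the RFC5322.From address, so display-name abuse and cousin domains fall outside it) can be made concrete by classifying From: headers against a protected domain. This is an added illustration, not text or code from the RFC; the lookalike heuristic in `_looks_like` and the sample headers are constructed for the example, and the protected domain `example.com` is an assumed value.

```python
import difflib
from email.utils import parseaddr


def from_domain(header_value: str) -> str:
    """Return the lower-cased domain of the RFC5322.From address, or '' if none."""
    _display, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def _looks_like(domain: str, protected: str) -> bool:
    """Constructed heuristic for a cousin domain: it embeds the protected
    domain's first label, or is a near edit of the whole protected domain."""
    if not domain:
        return False
    label = protected.split(".", 1)[0]
    if label and label in domain:
        return True
    return difflib.SequenceMatcher(None, domain, protected).ratio() >= 0.85


def classify_from(header_value: str, protected_domain: str) -> str:
    """Classify a From: header relative to a domain that publishes DMARC.

    'exact-domain'  : the address domain is the protected domain, so the
                      Domain Owner's DMARC policy applies to this message.
    'display-name'  : the address domain differs but the display name names
                      the protected domain (a display-name attack; out of scope).
    'cousin-domain' : the address domain merely resembles the protected
                      domain (out of scope for DMARC).
    'unrelated'     : nothing ties the header to the protected domain.
    """
    protected = protected_domain.lower().rstrip(".")
    display, _addr = parseaddr(header_value)
    domain = from_domain(header_value)
    if domain == protected:
        return "exact-domain"
    if protected in display.lower():
        return "display-name"
    if _looks_like(domain, protected):
        return "cousin-domain"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers; only the first is within DMARC's reach.
    for hdr in ("Example Support <support@example.com>",
                '"example.com Security Team" <alerts@mail.invalid>',
                "Billing <billing@examp1e.com>",
                "Alice <alice@unrelated.invalid>"):
        print(f"{classify_from(hdr, 'example.com'):14s} {hdr}")
```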