What is DMARC?

Specifically, DMARC is aimed at preventing email spoofing, a form of fraudulent emails that take advantage of recipients by using a forged sender address.

DMARC was developed in 2012 to be used on top of two existing frameworks, SPF (Sender Policy Framework) and DomainKeys Identified Mail (DKIM). DMARC largely removes the burden on the recipient to recognize spoofing by indicating that the sender’s messages are protected by SPF or DKIM or both. If neither authentication framework passes, the recipient is then given options for how to handle such as send to junk, reject, or quarantine. DMARC also enables the recipient to indicate whether or not the email passed or failed the DMARC authentication.

Email has long been a favorite target for malicious actors operating on the internet. If you use email, chances are you’ve received your fair share of spam. Worse, you may have received a phishing attack with or without knowing it. The volume and sophistication of attacks continue to increase each year and without proper DMARC protocol even the simplest email spoof could successfully find a victim.

The short answer is all businesses need email authentication and DMARC is one of the most widely deployed options sponsored by big names like Google and PayPal. The policies are available to anyone via the public Domain Name System (DNS) if you have the know how to configure email authentication policies.

In 2018, the Department of Homeland Security required all government agencies to implement a DMARC policy by January 14^th. This was mandated in BOD-18-01, a binding operation directive pursuant to FISMA that was issued in October 2017.