DMARC.org Domain-based Message Authentication, Reporting & Conformance

DMARC - What is it?

DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.

DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to authenticate their outbound email more broadly, which can make email a more reliable way to communicate.

Why is DMARC Important?

With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof, and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.

Users can't tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there's no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.

DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.

How Does DMARC Work?

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes, such as junking or rejecting the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
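As an added illustration (not code from DMARC.org or from the specification), the sketch below walks through the receiver-side decision described above: parse the policy a sender publishes as a DNS TXT record, then pick an action when neither SPF nor DKIM passes. The sample record, the example.com domain and the function names are constructed, and the two boolean inputs are assumed to be the SPF and DKIM results as DMARC evaluates them.

```python
# Added example (not DMARC.org code). Record and domain are constructed samples.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Action requested by the sender when neither SPF nor DKIM passes.
# p=none asks for no change in handling; the receiver only reports.
ACTIONS = {"none": "monitor", "quarantine": "junk", "reject": "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable policy."""
    tags = {}
    for part in (txt or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if not part.strip():
            continue  # tolerate a trailing ';'
        if not sep:
            return None  # every entry must be tag=value
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    # Simplification: a missing or unknown p is treated as "no policy".
    tags["p"] = tags.get("p", "").lower()
    return tags if tags["p"] in ACTIONS else None


def report_uris(tags):
    """Addresses the sender asked aggregate reports to be sent to (rua tag)."""
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]


def disposition(record_txt, spf_pass, dkim_pass):
    """Receiver-side decision for one message from the policy's domain."""
    tags = parse_dmarc(record_txt)
    if tags is None:
        return "no-policy"  # receiver falls back to its own local judgement
    if spf_pass or dkim_pass:
        return "pass"       # one passing mechanism is enough
    return ACTIONS[tags["p"]]


if __name__ == "__main__":
    for spf, dkim in [(True, False), (False, True), (False, False)]:
        print(spf, dkim, disposition(SAMPLE_RECORD, spf, dkim))
    print("reports to:", report_uris(parse_dmarc(SAMPLE_RECORD)))
```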

Who Can Use DMARC?

DMARC policies are published in the public Domain Name System (DNS), and are available to everyone. It is the goal of DMARC.org to submit the draft specification to the IETF so that it may begin the process of becoming an official Internet Standard RFC - available to everyone for reference, implementation, and improvement.

Contributors Include:
Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, Trusted Domain Project, Yahoo!, JP Morgan Chase & Co., NetEase - 163.com

Industry Liaisons:
BITS, MAAWG, OTA

Highlights
Current Specification:

3/31/2013 DMARC Base Specification

News:

2/6/2013 In First Year, DMARC Protects 60 Percent of Global Consumer Mailboxes

2/4/2013 M3AAWG Releases Comprehensive DMARC Training Videos to Fight Email Spoofing

Quotes
"PayPal is a strong supporter of DMARC.org and its partners who are working together to make the Internet safer."
- Michael Barrett, Chief Information Security Officer, PayPal
"BITS has been committed to defining and improving email authentication standards and practices to meet the financial services industry's needs. DMARC's evolutionary approach is critical in assuring these needs are met for years to come,"
- Paul Smocer, President of BITS
"Since 2004, OTA has been on the forefront of advancing best practices to restore trust in email and to protect consumers from harm. We are excited about the promise of DMARC and how it builds on these efforts enhancing brand, business and consumer protection."
- Craig Spiezle, Executive Director & President Online Trust Alliance.
"Having hosted its early meetings as DMARC took shape, M3AAWG continues to support the organization's goals. We believe this type of engaged industry cooperation is an essential part of fighting abuse and protecting consumers."
- Jerry Upton, M3AAWG Executive Director.