What is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

Overview of DMARC

An overview of how DMARC works is available on this page.

Status of DMARC

On May 20th, 2026 the IETF RFC Editor published three Request For Comment (RFC) documents that updated the DMARC protocol and put it on the Standards Track.

• RFC 9989 describes the core protocol
• RFC 9990 covers aggregate reporting
• RFC 9991 details failure reporting

These documents update and obsolete RFC 7489, which was published as an Independent Submission on March 18th, 2015. The changes between RFC 7489 and the new documents were summarized in this blog post from December.

All of these documents, and more, were produced by the IETF DMARC Working Group.

Why is DMARC Important?

A brief answer to this question is available here.

How Does DMARC Work?

A brief, non-technical answer to this question is available here. A more detailed explanation is available on this page.

Who Can Use DMARC?

DMARC policies are published in the public Domain Name System (DNS), and available to everyone. Because the specification is available with no licensing or similar restriction, any interested party is free to implement it.