Guidance

Using Domain-based Message Authentication, Reporting and Conformance (DMARC) in your organisation

Updated 15 March 2021

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email standard that:

The receiving email service uses SPF and DKIM to confirm the sender’s identity. If the receiving email service confirms the sender’s identity it will forward the email to the receiver’s inbox. If the receiving email service cannot confirm the sender’s identity it will mark the email as spam. 

Benefits of DMARC

By using DMARC, you can:

  • help protect your users, employees and reputation from cybercrime
  • reduce customer support costs relating to email fraud
  • improve trust in the emails your organisation sends
  • see the legitimate and fraudulent use of your domains via DMARC reports

Setting up DMARC

Publish a text (TXT) record in your DNS like this one:

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

This tells anyone receiving email from you that:

  • you have a DMARC policy (v=DMARC1)
  • any messages that fail DMARC checks should be treated as spam (p=quarantine)
  • they should treat 100% of your messages this way (pct=100)
  • they should send reports of email received back to you (rua=mailto:[email protected])

Further email security guidance

All public sector organisations must follow guidance on how to set up email services securely.

Dmarc.org has more information on DMARC. You can also read this guide to creating a DMARC record and implementation guides for cloud-based email services like G Suite and Office 365.

Google uses DMARC to show when email is authenticated in Gmail.

Authenticated Receive Chain is a related standard that supports email authentication in indirect email flow.