Important Alert: Google and Yahoo will require DMARC starting from April 2024.

How Does DMARC Work?

DMARC, or Domain-based Message Authentication Reporting and Conformance, is an email authentication protocol created with the objective of securing business domains and brands from spoofing attacks. 

Attackers can impersonate your organization to send phishing emails to your customers, business partners and even your own employees. Email fraud is one of the most common ways that organizations lose sensitive data and money to cybercriminals. 

DMARC is designed to combat domain spoofing by acting as a way for receiving email servers to check if an incoming message is genuine or not. Let’s understand how exactly it works.

secure email powerdmarc

How Does DMARC Work?

DMARC combines two existing technologies to authenticate email coming from your domain. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are the two building blocks of DMARC. Let’s take a look at both.


When you implement SPF for your domain, you publish an SPF record to your DNS. When a receiver gets an email from your domain, it will compare the sender’s IP address with the list of authorized IPs stored in your SPF record. If the receiving server encounters an email from an IP not in this list, the message will fail SPF.

While SPF can be quite effective, it has certain limitations that make it an incomplete authentication solution.

PowerDMARC MSSP is Different
  • SPF is an IP-based whitelist, which means if someone forwards the email, it will not contain the original sender’s authorized IP address.
  • SPF doesn’t provide feedback. Unlike DMARC, there’s no way to know if an email has failed SPF authentication.
  • SPF authenticates the hidden “mailfrom” domain, not the “from” domain receivers will see when they read the email. Hence attackers can still spoof an email. 
  • SPF failing emails can still make it to the receiver’s inbox, the way SPF failing emails are processed vary depending on the receiving MTA