How Does DMARC Work?

DMARC, or Domain-based Message Authentication Reporting and Conformance, is an email authentication protocol created with the objective of securing business domains and brands from spoofing attacks. 

Attackers can impersonate your organization to send phishing emails to your customers, business partners and even your own employees. Email fraud is one of the most common ways that organizations lose sensitive data and money to cybercriminals. 

DMARC is designed to combat domain spoofing by acting as a way for receiving email servers to check if an incoming message is genuine or not. Let’s understand how exactly it works.

secure email powerdmarc

How Does DMARC Work?

DMARC combines two existing technologies to authenticate email coming from your domain. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are the two building blocks of DMARC. Let’s take a look at both.


When you implement SPF for your domain, you publish an SPF record to your DNS. When a receiver gets an email from your domain, it will compare the sender’s IP address with the list of authorized IPs stored in your SPF record. If the receiving server encounters an email from an IP not in this list, the message will fail SPF.

While SPF can be quite effective, it has certain limitations that make it an incomplete authentication solution.

PowerDMARC MSSP is Different
  • SPF is an IP-based whitelist, which means if someone forwards the email, it will not contain the original sender’s authorized IP address.
  • SPF doesn’t provide feedback. Unlike DMARC, there’s no way to know if an email has failed SPF authentication.
  • SPF authenticates the hidden “mailfrom” domain, not the “from” domain receivers will see when they read the email. Hence attackers can still spoof an email. 
  • SPF failing emails can still make it to the receiver’s inbox, the way SPF failing emails are processed vary depending on the receiving MTA 


DMARC Authentication Process

To describe email without DMARC authentication, let’s first examine email without DMARC:

  • An email is sent from to

  •’s Mail Transfer Agent (MTA) has no mechanism to authenticate the email sender (

  • All emails sent from are delivered to the recipients’ inboxes without being validated.

  • If any of the emails from were sent by an attacker impersonating them, these fraudulent emails have also been delivered to

Now let’s take a look at how email with DMARC works:

  • An email is sent from to

  •’s Mail Transfer Agent (MTA) looks up the SPF, DKIM and DMARC records of (on their DNS) to authenticate the sender

  • If the sender is authenticated, the email is delivered to the recipient. Otherwise, the email is either quarantined (sent to spam) or rejected (not delivered).

  • DMARC reports are generated by the receiving MTA and are sent to PowerDMARC

Wondering if your domain is protected against spoofing? Run this test to see the health of your domain.

Benefits of DMARC

Eliminate Threats

Detect and address spoofing attacks early, find and blacklist abusive IPs 

Maximize Delivery

Immediately understand where you’re having deliverability issues and fix them fast

Boost Your Brand

When you protect them from phishing, your customers will put more trust in your brand

Why is DMARC Good For Your Brand?

  • So far, it’s pretty clear how DMARC helps you protect your email channels from domain spoofing and phishing. But does it really provide enough major benefits for your organization to justify implementing it?

  • Imagine a scenario where a hacker impersonates your brand to send phishing emails to all your customers. When hundreds of customers end up disclosing sensitive personal data to a cybercriminal, they start associating your brand with that phishing scam. Now it’s your name all over the news for a crime you had nothing to do with, and legal trouble could follow.

  • You could never stop every single employee or customer from opening a fake email. But that’s exactly what DMARC does.

  • By eliminating fraudulent email before it even enters people’s inboxes, it stops a phishing scam from ever occurring. And consequently, you’re always in control of what emails people see. You’re always in control of your brand.