
Key Concepts

Understanding the fundamentals of email authentication protocols and how they work together to protect your domain from spoofing and phishing attacks.

Why Email Authentication Matters

Without email authentication, anyone can send emails that appear to come from your domain. This enables phishing attacks, business email compromise, and damages your brand reputation. Email authentication verifies that emails genuinely originate from authorized sources.

  • 91% of cyberattacks start with email
  • $2.4B lost annually to BEC attacks
  • 3.4B phishing emails sent daily

How Protocols Work Together

Email authentication uses a layered approach. SPF and DKIM provide the foundation, DMARC unifies them with policy and reporting, while MTA-STS and BIMI add transport security and brand visibility.

Layer diagram (top to bottom):

  • BIMI (Brand Display)
  • DMARC (Policy & Reporting)
  • SPF and DKIM (Foundation)
  • MTA-STS (Transport Security)

Authentication Flow

  1. Email Sent: Your server sends the email, signed with DKIM, over TLS (enforced where the receiving domain publishes an MTA-STS policy)
  2. SPF Check: The receiver verifies that the sending IP is authorized in your SPF record
  3. DKIM Check: The receiver verifies the DKIM signature using your public key published in DNS
  4. DMARC Evaluation: The receiver checks whether SPF or DKIM passes AND the authenticated domain aligns with the From header domain
  5. Policy Applied: Based on your DMARC policy, the email is delivered, quarantined, or rejected
  6. BIMI Display: If DMARC passes and your policy is p=quarantine or p=reject, your logo is shown

Protocol Deep Dive

SPF

Sender Policy Framework

Purpose

Authorizes which servers can send email for your domain

How It Works

SPF defines a list of IP addresses and hostnames authorized to send email on behalf of your domain. When an email is received, the receiver checks if the sending server's IP is listed in your SPF record.

Example Record

v=spf1 include:_spf.google.com include:sendgrid.net -all

TXT record at your domain root

Advantages

  • Easy to implement
  • Widely supported
  • Blocks unauthorized servers

Considerations

  • Breaks with email forwarding
  • 10 DNS lookup limit
  • Doesn't verify From header
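The 10-lookup limit above is the consideration that most often breaks SPF silently once a few third-party services are included. The following added example (not DDMARC's own code) counts the lookups an SPF record needs by following include: and redirect= targets through a constructed zone map that stands in for live DNS; the records for the third-party domains are invented for the example.

```python
import re

# Terms that each consume one DNS lookup against the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for live DNS: domain -> SPF TXT record. The records for
# the third-party domains are invented for this example, not their real ones.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
}

def spf_terms(record):
    """Yield (mechanism_name, argument) for each term after v=spf1."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record: " + record)
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        parts = re.split(r"[:=]", term, maxsplit=1)
        name = parts[0].split("/")[0].lower()      # 'mx/24' -> 'mx'
        yield name, (parts[1] if len(parts) > 1 else "")

def spf_lookup_count(domain, zone, path=frozenset()):
    """DNS lookups needed to evaluate `domain`'s SPF record, recursing into
    include: and redirect= targets. Every path evaluation counts, so a target
    reached twice is counted twice, as a real evaluator would."""
    if domain in path:
        raise ValueError("include/redirect loop at " + domain)
    record = zone.get(domain)
    if record is None:
        return 0                                   # no record: nothing to follow
    count = 0
    for name, arg in spf_terms(record):
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect"):
                count += spf_lookup_count(arg, zone, path | {domain})
    return count

def spf_within_limit(domain, zone, limit=10):
    return spf_lookup_count(domain, zone) <= limit

if __name__ == "__main__":
    print("yourdomain.com needs", spf_lookup_count("yourdomain.com", ZONE), "lookups (limit 10)")
```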

DKIM

DomainKeys Identified Mail

Purpose

Cryptographically signs emails to verify integrity and authenticity

How It Works

DKIM adds a digital signature to email headers using a private key held by your sending server. Receivers verify the signature using your public key published in DNS. This proves that the signed headers and body weren't modified in transit.

Example Record

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...

TXT record at selector._domainkey.yourdomain.com

Advantages

  • Survives forwarding
  • Verifies message integrity
  • Proves domain ownership

Considerations

  • More complex setup
  • Requires signing infrastructure
  • Key rotation needed

DMARC

Domain-based Message Authentication, Reporting & Conformance

Purpose

Unifies SPF and DKIM, adds policy enforcement and reporting

How It Works

DMARC builds on SPF and DKIM by checking that the 'From' domain aligns with authenticated domains. It tells receivers what to do with failing emails (none/quarantine/reject) and sends you reports.

Example Record

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

TXT record at _dmarc.yourdomain.com

Advantages

  • Policy enforcement
  • Aggregate reports
  • Protects visible From address

Considerations

  • Requires SPF and/or DKIM first
  • Gradual deployment needed
  • Complex third-party setup

MTA-STS

Mail Transfer Agent Strict Transport Security

Purpose

Enforces TLS encryption for email in transit

How It Works

MTA-STS tells sending servers that your domain requires encrypted connections. It publishes a policy file that mandates TLS, preventing downgrade attacks and man-in-the-middle interception.

Example Record

version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 604800

DNS TXT record + HTTPS-hosted policy file

Advantages

  • Prevents eavesdropping
  • Stops downgrade attacks
  • Free with DDMARC

Considerations

  • Requires valid TLS certificates
  • Policy hosting needed
  • Not universally supported yet
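To make the policy file concrete, here is an added example (not DDMARC's own code) that parses a policy in the format shown above, validates its fields, and applies the mx matching rule a sending server uses, including the one-label wildcard form (*.yourdomain.com). The hostname checked against the policy is a constructed value.

```python
def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy file ('key: value' lines) and validate it."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: " + raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))   # may repeat
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required")
    return policy

def mx_matches(policy, mx_host):
    """True if the MX hostname learned from DNS is permitted by the policy.
    A pattern '*.example.com' matches exactly one additional label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                         # '.example.com'
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_allowed(policy, mx_host, tls_ok):
    """In enforce mode a sending server must not deliver unless the MX matches
    the policy and TLS succeeded; in testing/none mode delivery proceeds and
    the mismatch is only reported."""
    ok = mx_matches(policy, mx_host) and tls_ok
    return ok or policy["mode"] != "enforce"

# The policy from this page, as a constructed input string.
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmax_age: 604800\n"
```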

BIMI

Brand Indicators for Message Identification

Purpose

Displays your brand logo next to authenticated emails

How It Works

BIMI allows you to publish a logo that email clients display next to your emails when they pass DMARC. This increases brand visibility and recipient trust in legitimate emails.

Example Record

v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem

TXT record at default._bimi.yourdomain.com

Advantages

  • Brand visibility
  • Increases trust
  • Marketing benefit

Considerations

  • Requires p=quarantine or p=reject
  • VMC certificate recommended
  • Limited client support

Understanding DMARC Alignment

Alignment is the key concept that makes DMARC effective. It ensures that the domain in the visible "From" header matches the domains authenticated by SPF and/or DKIM.

What is Alignment?

SPF Alignment

The domain in the MAIL FROM (envelope sender) must match or be a subdomain of the From header domain.

DKIM Alignment

The domain in the DKIM signature (d= tag) must match or be a subdomain of the From header domain.

DMARC Pass Requirements

For an email to pass DMARC, it needs:

  • SPF pass AND SPF alignment, OR
  • DKIM pass AND DKIM alignment

adkim=r / aspf=r (Recommended)

Relaxed Alignment

Allows subdomains to pass alignment

Example: email from mail.example.com passes for example.com

adkim=s / aspf=s

Strict Alignment

Exact domain match required

Example: email from mail.example.com fails for example.com
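The alignment rules and the pass requirement above, put into code as an added example (not DDMARC's own code): the DMARC record is parsed for its p=, adkim= and aspf= tags, then SPF and DKIM results are combined the way a receiver does. In relaxed mode the comparison is on the organizational domain, which is what lets mail.example.com align with example.com; the tiny public-suffix set here is a constructed stand-in for the real Public Suffix List.

```python
# Tiny constructed stand-in for the Public Suffix List; real evaluators load
# the full list to derive the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain = public suffix plus one label (example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict and apply the defaults."""
    tags = {}
    for item in record.split(";"):
        if item.strip():
            key, _, value = item.strip().partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: " + record)
    tags.setdefault("adkim", "r")        # relaxed is the default for both
    tags.setdefault("aspf", "r")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(record, from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_d_domain):
    """Return (dmarc_pass, disposition): SPF pass+alignment OR DKIM
    pass+alignment passes; otherwise the p= policy decides the outcome."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_d_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    if passed or tags["p"] == "none":
        return passed, "deliver"
    return passed, tags["p"]             # 'quarantine' or 'reject'
```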

DMARC Policies Explained

The DMARC policy (p=) tells receivers what to do with emails that fail authentication.

p=none (Monitor)

No action taken on failing emails. Use this to gather data before enforcement.

Best for: Starting DMARC deployment, identifying all email sources

p=quarantine (Quarantine)

Failing emails are marked as suspicious (typically sent to spam/junk folder).

Best for: Intermediate step, testing enforcement before full reject

p=reject (Reject)

Failing emails are rejected outright and not delivered.

Best for: Full protection, maximum domain security

Understanding DMARC Reports

DMARC provides two types of reports to help you monitor your email authentication.

Aggregate Reports (RUA)

rua=mailto:...
  • Sent daily by email receivers
  • XML format with statistical data
  • Shows pass/fail rates by source IP
  • Essential for monitoring deployment

Forensic Reports (RUF)

ruf=mailto:...
  • Sent per failing email (real-time)
  • Contains redacted email samples
  • Helpful for debugging specific failures
  • Not sent by all providers (privacy)
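An aggregate report is XML with one record per source IP, and the dkim/spf values under policy_evaluated are already the aligned DMARC results. The added example below (not DDMARC's own parser) walks such a report, a constructed sample trimmed to the elements a parser needs, and totals pass/fail counts per source so the failing senders stand out; real reports arrive as compressed attachments with more fields.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (RUA) report trimmed to the elements used below.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>reject</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_rua(xml_text):
    """Total DMARC pass/fail message counts per source IP for one report.
    A pass on either aligned dkim or aligned spf means DMARC passed."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        src = summary["sources"].setdefault(ip, {"pass": 0, "fail": 0, "dispositions": []})
        src["pass" if passed else "fail"] += count
        disposition = pe.findtext("disposition")   # what the receiver did
        if disposition not in src["dispositions"]:
            src["dispositions"].append(disposition)
    return summary

def failing_sources(summary):
    """Source IPs with any DMARC failures: the list to investigate, which
    may be unknown senders or legitimate services missing from SPF/DKIM."""
    return sorted(ip for ip, s in summary["sources"].items() if s["fail"])
```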

Key Takeaways

  • SPF authorizes sending servers, DKIM verifies message integrity
  • DMARC unifies SPF and DKIM with policy enforcement and reporting
  • Start with p=none to monitor, then gradually move to p=reject
  • Alignment ensures the visible From domain matches authenticated domains
  • MTA-STS adds transport encryption, BIMI adds brand visibility
  • Use DDMARC to automatically collect, parse, and visualize reports
