Using Domain-based Message Authentication, Reporting and Conformance (DMARC) in your organisation
Updated 15 March 2021
© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email standard that:
- confirms the sender’s identity using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)
- tells the recipient’s email service what to do with emails that fail the check
- asks recipient email services to provide reports of where email comes from
The receiving email service uses SPF and DKIM to confirm the sender’s identity. If the receiving email service confirms the sender’s identity it will forward the email to the receiver’s inbox. If the receiving email service cannot confirm the sender’s identity it will mark the email as spam.
Benefits of DMARC
By using DMARC, you can:
- help protect your users, employees and reputation from cybercrime
- reduce customer support costs relating to email fraud
- improve trust in the emails your organisation sends
- see the legitimate and fraudulent use of your domains via DMARC reports
Setting up DMARC
Publish a text (TXT) record in your DNS like this one:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@mydomain.gov.uk
This tells anyone receiving email from you that:
- you have a DMARC policy (
v=DMARC1) - any messages that fail DMARC checks should be treated as spam (
p=quarantine) - they should treat 100% of your messages this way (
pct=100) - they should send reports of email received back to you (
rua=mailto:dmarc@mydomain.gov.uk)
Further email security guidance
All public sector organisations must follow guidance on how to set up email services securely.
Dmarc.org has more information on DMARC. You can also read this guide to creating a DMARC record and implementation guides for cloud-based email services like G Suite and Office 365.
Google uses DMARC to show when email is authenticated in Gmail.
Authenticated Receive Chain is a related standard that supports email authentication in indirect email flow.