Best 9 DMARC Solutions For Business (2026)

We reviewed the leading business DMARC solutions on reporting quality for identifying unauthorized senders, ease of moving from monitoring to enforcement, and how well each surfaces domain spoofing attempts before they reach targets.

Last updated on Jul 7, 2026
Joel Witts Written by Joel Witts
Craig MacAlpine Technical Review by Craig MacAlpine
Top 9 DMARC Solutions For Business

DMARC (Domain-Based Message Authentication Reporting and Conformance) is a method used to validate that emails being sent and received by your email domains. DMARC provides organizations with two important security functions. Firstly, it allows organizations to monitor their email channels with greater visibility. Organizations are able to see emails being sent and received, and what the reputation of these emails are. Secondly, organizations are able to block malicious emails being sent via their domains to protect their clients from spoofed domain messages and phishing attacks.

There are a number of DMARC solutions available to businesses to enhance their email security. These tools help organizations to enable and configure DMARC protocols, present digestible DMARC reports that provide visibility into email channels, and allow organizations to set DMARC policies that block malicious emails from being sent from their domains. In this article we’ll take you through the top DMARC email security solutions for businesses. We’ll cover their top features, what their users are saying about them and which organizations they are best suited for. Let’s get into it.

What is DMARC?

DMARC solutions help organizations protect their email domains from being spoofed by attackers. They work by verifying that emails claiming to come from your domain actually originated from authorized senders, using SPF and DKIM authentication records. When emails fail these checks, DMARC policies determine whether they are monitored, quarantined, or rejected. DMARC platforms provide the dashboards, reporting, and guided workflows that make it possible to deploy and maintain these policies without managing raw DNS records manually.

DMARC operates by aligning SPF and DKIM authentication results with the domain in the email's From header. When a receiving mail server gets a message, it checks whether the sending IP is authorized (SPF) and whether the message signature is valid (DKIM), then compares the authenticated domain against the visible From domain. DMARC policies (p=none, p=quarantine, p=reject) instruct receiving servers how to handle messages that fail alignment. Business DMARC platforms aggregate the XML reports that receiving servers send back, translating them into visual dashboards that identify authorized senders, unauthorized sources, and misconfigured services. Key platform differentiators include SPF flattening to work around the 10 DNS lookup limit, hosted DMARC records that eliminate manual DNS edits, BIMI support for brand logo display, and supplier risk analysis that monitors third-party DMARC posture across your vendor ecosystem.

DMARC Solutions for Business Solutions Compared

These 9 platforms cover the full range of business DMARC management approaches, from self-service platforms with guided enforcement to consultant-led enterprise deployments.

Product Best For Hosted DMARC SPF Flattening BIMI Support Supplier Risk
EasyDMARC
SMBs needing managed DMARC without DNS expertise
Yes
Yes
Yes
No
Red Sift OnDMARC
Fast enforcement with Dynamic SPF
Yes
Yes
Yes
No
Barracuda Domain Fraud Protection
Organizations in the Barracuda ecosystem
No
No
No
No
dmarcian
MSPs and resellers managing multi-client DMARC
No
No
No
No
DigiCert ONE
Enterprises needing DMARC within PKI management
No
No
No
No
Fortra Agari DMARC Protection
Complex multi-domain environments
Yes
No
Yes
Yes
Libraesva LetsDMARC
First-time DMARC implementations
Yes
No
No
No
Mimecast DMARC Analyzer
Mimecast customers needing DMARC management
No
No
No
No
Proofpoint Email Fraud Defense
Enterprises with complex supplier ecosystems
Yes
No
No
Yes

How We Tested

We evaluated each DMARC solution on its ability to simplify deployment, provide actionable reporting, and protect domains from spoofing and impersonation. We assessed reporting quality, integration depth, and the onboarding and support experience. This guide was written by Joel Witts and technically reviewed by Craig MacAlpine. Read our full methodology

EasyDMARC Logo
EasyDMARC

Best for SMBs needing managed DMARC without deep DNS expertise

EasyDMARC is a DMARC management platform designed to make email authentication accessible without deep technical expertise. We think it’s one of the most user-friendly and technically capable DMARC products on the market, and a strong fit for SMBs and enterprises that need SPF, DKIM, DMARC, and BIMI management without a dedicated security team.

Get a Quote
  • Hosted DMARC acts as a redirect so policy changes are automatically updated with your DNS provider, no manual record formatting required.
  • EasySPF works the same way for SPF records, solving the 10 DNS lookup limit through dynamic flattening.
  • BIMI management with VMC support through official partners.
  • Aggregate reports displayed as visual dashboards with geographic data showing where compliant, non-compliant, and threat emails originate.
  • Customizable DMARC alerts at informational, warning, or critical thresholds with bulk domain import.

We think EasyDMARC is a strong fit for small and mid-sized teams that need DMARC enforcement without deep DNS expertise. The Hosted DMARC and EasySPF features mean you can change policies directly from the platform without worrying about formatting errors, which is a real time-saver. The visual dashboards make complex authentication data clear and actionable. Pricing starts with a free plan for one domain and 1,000 emails per month, scaling to Plus at $35.99 per month for two domains, Premium at $71.99 per month with one year of data retention, and Enterprise for unlimited domains with custom pricing. Annual billing saves 20%. With that said, there is no audit log for activity in the portal, which would be useful if sharing access with others. If your organization needs a straightforward DMARC solution that doesn’t require DNS expertise, EasyDMARC is well worth considering.

Strengths
Hosted DMARC eliminates manual DNS changes with automatic policy updates
EasySPF solves the 10 DNS lookup limit through dynamic flattening
Visual dashboards turn complex authentication data into clear, actionable reporting
BIMI management and VMC support through official partners
Cautions
No audit log for portal activity
Red Sift OnDMARC Logo
Red Sift

Best for fast enforcement with Dynamic SPF for complex sending environments

Red Sift OnDMARC helps organizations stop phishing attacks and email impersonation attempts. It helps customers deploy and maintain DMARC across their organization, with simplified DKIM and SPF management. The platform is built to get organizations from monitoring to reject policy fast, with a guided enforcement workflow that reduces the need for heavy professional services overhead. Red Sift OnDMARC is used by customers across the government, legal, marketing, and charity sectors.

Start A Free Trial
  • Dynamic SPF works around the 10 DNS lookup limit by flattening records at query time with no manual DNS updates or macros required.
  • Streamlined DMARC implementation process with a customer success team focused on improving email deliverability.
  • Investigate tool verifies DKIM and SPF setups with configuration checklists and next steps.
  • DNSGuardian blocks malicious email threats including spam from domain takeovers.
  • Hosted BIMI with integrated VMC provisioning for verified logo display, plus Slack integration for real-time DMARC updates.

Customers consistently highlight speed to reject policy. Users say the platform simplifies what normally feels overwhelming, and that non-technical staff have successfully managed implementations. Support gets strong praise, with customers noting fast, substantive replies rather than holding responses. Pricing bundles setup, support, and licensing into a single predictable cost, which is good to see.

We think Red Sift OnDMARC is a strong solution for organizations looking to configure DMARC-compliant sending with guided steps and automated domain monitoring. The Dynamic SPF feature alone solves one of the most common blockers in complex sending environments. If your sending infrastructure is already tightly configured, the value of the guided enforcement workflow may be less significant.

Strengths
Dynamic SPF solves the 10 lookup limit without manual flattening or macros
Guided enforcement workflow accelerates the path from monitoring to reject policy
Slack integration provides real-time DMARC updates without logging into the platform
Investigate tool enables real-time SPF and DKIM testing for quick triage
Cautions
Pricing for some packages is not publicly available
3.

Barracuda Domain Fraud Protection

Barracuda Domain Fraud Protection Logo
Barracuda Networks

Best for organizations already in the Barracuda email security ecosystem

Barracuda Domain Fraud Protection is an email security service designed to protect email platforms from fraud and phishing attacks. It sits within Barracuda’s broader email security stack for Microsoft 365, combining post-delivery protection with automated DMARC reporting, aggregation, and visualization. The solution deploys directly into Office 365, using machine learning algorithms to learn communication patterns in the enterprise and detect abnormal or malicious email activity.

  • DMARC reporting and analytics tied into Barracuda’s email gateway and Impersonation Protection product with ML-based threat detection inside Office 365.
  • Contextual detection learns communication patterns to detect abnormal and malicious email attacks, removing them before delivery.
  • Automatic DMARC reports with insights on IPs passing and failing DMARC, domain misalignment, and spoofing samples.
  • SPF and DKIM configuration and troubleshooting built in.
  • Available standalone or fully integrated into all Barracuda Email Protection plans.

Customers praise the monitoring and alerting once everything is running. Users say alerts are clear and timely, and long-term customers report that domain impersonation problems dropped off significantly after deployment. Support gets positive marks for responsiveness. Something to be aware of is that the consistent criticism is initial setup complexity, with a steep learning curve for new users.

We think Barracuda Domain Fraud Protection is a good option for organizations using Office 365 that want DMARC alongside phishing and account compromise protection within a single vendor ecosystem. The integration keeps your DMARC management inside the broader Barracuda stack, simplifying procurement and operational overhead. The solution is easy to deploy and does not require any changes to your MX records. If you don’t already use Barracuda, the value proposition is harder to justify compared to standalone DMARC platforms.

Strengths
Integrates DMARC directly into the broader Barracuda email security stack
Machine learning detects abnormal communication patterns inside Office 365
Clear, timely alerts help teams respond quickly to suspicious domain activity
Available standalone or bundled with Barracuda Email Protection plans
Cautions
Customers note initial setup and configuration involves a steep learning curve
Best value requires commitment to the wider Barracuda ecosystem
4.

dmarcian

dmarcian Logo
dmarcian

Best for MSPs and resellers managing multi-client DMARC

dmarcian is a DMARC SaaS platform that helps secure domains from email impersonation and phishing attacks. It processes DMARC data to provide greater visibility into authentication gaps and malicious actors impersonating your domains. The platform visualizes DMARC data to help you quickly identify unauthorized use of your domains. dmarcian has a strong MSP and reseller channel presence, making it a popular pick for providers handling DMARC across multiple clients.

  • Domain Overview provides fast status checks across all email domains including geographical location of abuse sources.
  • Detail Viewer shows a timeline of data with contextual email information, breaking data into DMARC-capable, non-compliant, forwarding, and threat/unknown groups.
  • Source cataloguing tracks legitimate and suspicious senders by name rather than raw IP addresses.
  • Toolset includes domain checker, DKIM Investigator, and phishing scorecard for benchmarking against open standards.

Customers who like dmarcian praise its mission-driven approach to email security and helpful support team. Users say pricing is competitive, and long-term customers report reliable domain protection over time. Something to be aware of is that API integration issues make connecting with existing infrastructure a reported pain point, and the interface has a learning curve for new users.

We think dmarcian is a good option for organizations looking for detailed reports and visualizations into their DMARC posture. The partner channel makes it accessible through providers who handle configuration on your behalf. dmarcian also offers a number of free DMARC tools including a domain checker, DKIM Investigator, and a phishing scorecard, which allow organizations to benchmark their email security against open standards. It is worth noting that dmarcian does not currently offer white-labeling or AI-assisted analysis, which some newer platforms have added.

Strengths
Domain Overview provides fast, clear status checks across all email domains
Geographic abuse mapping adds useful context when investigating spoofing sources
Strong MSP and reseller channel makes it accessible through managed providers
Competitive pricing with an education-first approach to DMARC
Cautions
Reviews flag that API integration issues make connecting with existing infrastructure difficult
Users report the interface is difficult to navigate without a learning curve
5.

DigiCert ONE

DigiCert ONE Logo
DigiCert

Best for enterprises needing DMARC within broader PKI and certificate management

DigiCert ONE is a unified platform covering PKI, DNS, and DMARC from a single dashboard. It targets enterprises in finance, healthcare, manufacturing, and government that need automated certificate lifecycle management alongside email authentication enforcement. We think it makes the most sense if your organization needs DMARC as part of a wider PKI and certificate management strategy.

  • Trust Lifecycle Manager handles certificate management across TLS, SSL, S/MIME, and code signing from a centralized console.
  • Single sign-on across all DigiCert ONE services keeps access management clean for multiple teams.
  • Supports cloud, hybrid, and air-gapped deployments.
  • AI Assist provides contextual guidance for PKI configuration, integrations, and admin tasks.

Customers managing thousands of certificates praise the interface and navigation. Users say CertCentral is one of the most intuitive platforms for large-scale certificate management. Support gets high marks for speed and quality across organizations of all sizes. Something to be aware of is that multi-domain setup and initial configuration can be confusing without guided support.

We think DigiCert ONE is a strong fit if your organization already manages a large certificate estate and wants DMARC enforcement under the same roof. If you just need standalone DMARC enforcement, this platform is more than you need, and the cost will reflect that.

Strengths
Unified platform covers PKI, DNS, DMARC, and certificate management in one console
Intuitive interface scales well for organizations managing thousands of certificates
Support team is consistently fast and knowledgeable across enterprise deployments
Supports cloud, hybrid, and air-gapped environments
Cautions
Reviews mention multi-domain setup and initial configuration can be confusing without guided support
Customers note certificate renewal and installation workflows feel clunky for some users
6.

Fortra Agari DMARC Protection

Fortra Agari DMARC Protection Logo
Fortra

Best for complex multi-domain environments with ML-driven threat intelligence

Fortra Agari provides cloud email security solutions designed to protect organizations from sophisticated email threats, provide rapid detection and response, and prevent brand abuse. Agari DMARC Protection automates DMARC email authentication and enforcement to protect your brand and improve digital engagement. The platform uses machine learning to counter spear-phishing and business email compromise, targeting mid-sized and large organizations running complex sending environments with multiple domains.

  • Automated DMARC implementation with auto-generated and hosted DNS records and automated accuracy workflows.
  • Greater visibility into DMARC reports with easier reject policy implementation across complex multi-domain environments.
  • Machine learning identifies sophisticated phishing and social engineering attempts.
  • Look-alike domain defense uses real-time feeds to identify malicious domains impersonating your brand with fast remediation.
  • BIMI support and preconfigured SIEM/SOAR integrations.

Customer feedback for Agari DMARC Protection is limited in volume, which is worth noting during your evaluation. Users who have adopted it highlight the added security layer for Office 365 environments and praise the notification system for catching threats that native filtering misses. Something to be aware of is that policy configuration is difficult for non-technical staff without DMARC expertise.

We think Fortra Agari DMARC Protection belongs on your shortlist if you manage a complex multi-domain environment and want ML-driven threat intelligence layered into your DMARC enforcement. Agari were one of the original DMARC working group, and they have since helped many large businesses to implement DMARC across complex environments. The automated DNS record management reduces operational friction at scale. The limited customer feedback volume is worth factoring into your evaluation.

Strengths
Automated DNS record generation and hosting removes manual overhead across multiple domains
Machine learning adds an active threat detection layer beyond basic DMARC reporting
Continuous DMARC record accuracy checks reduce misconfiguration risk
Look-alike domain defense identifies brand impersonation in real time
Cautions
Customers note policy configuration is difficult for non-technical staff
Users report support response times are slower than expected
7.

Libraesva LetsDMARC

Libraesva LetsDMARC Logo
Libraesva

Best for first-time DMARC implementations without dedicated DNS expertise

Libraesva LetsDMARC simplifies DMARC, DKIM, and SPF policy setup for organizations without dedicated DNS expertise. It sits alongside Libraesva’s broader email security gateway, targeting businesses that need domain protection without deep technical overhead. We found the guided configuration approach is the main draw.

  • Guided DMARC, DKIM, and SPF setup without requiring your team to manage DNS records directly.
  • Real-time visibility into email sources helps identify unauthorized senders and track authentication pass/fail rates.
  • Integrates with existing email systems and focuses on improving deliverability by authenticating legitimate senders alongside blocking spoofed traffic.
  • Accessible entry point for organizations adding DMARC enforcement for the first time.

Direct customer feedback for LetsDMARC specifically is limited. However, Libraesva’s broader email security products give insight into the vendor experience. Customers praise the support team for fast, knowledgeable responses and smooth onboarding. Users say pricing is competitive, especially for MSPs and resellers. Something to be aware of is that SPF and DKIM edge cases may require custom filter rules beyond basic configuration.

We think LetsDMARC is worth a close look if your organization already uses Libraesva ESG or needs a low-barrier entry into DMARC enforcement. The guided setup removes the DNS expertise requirement that stalls many first-time projects. The limited LetsDMARC-specific customer feedback makes independent validation harder, which is worth factoring in.

Strengths
Guided configuration removes the need for in-house DNS expertise during setup
Real-time email source visibility helps identify unauthorized senders quickly
Competitive pricing makes it accessible for SMBs and MSP channel partners
Libraesva's support reputation carries over with fast, knowledgeable responses
Cautions
Limited LetsDMARC-specific customer feedback makes independent validation harder
Reviews mention SPF and DKIM edge cases may require custom filter rules beyond basic configuration
8.

Mimecast DMARC Analyzer

Mimecast DMARC Analyzer Logo
Mimecast

Best for Mimecast customers needing integrated DMARC management

Mimecast DMARC Analyzer provides organizations with greater visibility and governance across email channels, and allows organizations to stop email attacks and protect brands against abuse. DMARC Analyzer is deployed as a SaaS, which makes it easier for organizations to manage complex DMARC deployment, and more easily monitor and govern DMARC insights. Mimecast acquired DMARC Analyzer in 2019, and the platform is now fully integrated into Mimecast’s email security stack. Mimecast released DMARC Analyzer 2.0 in January 2026 with significant updates to reporting and domain management.

  • Automatic subdomain discovery catches domains you may not be tracking from shadow IT or forgotten services.
  • DNS timeline tracks changes over time to show how your DMARC posture has evolved.
  • 2.0 release added centralized domain management with domain groups, TLS reporting, compliance-style reporting for management audits, and a timeline view for correlating events.
  • Automated alerts and reporting with full knowledge base and support team.

Existing Mimecast customers say implementation was smooth and support was helpful throughout onboarding. Users highlight reporting visuals as a strength, turning raw DMARC data into presentable formats. The anti-spoofing capabilities get particular praise from organizations protecting high-profile users. Something to be aware of is that the admin interface draws consistent criticism as confusing and hard to navigate.

We think Mimecast DMARC Analyzer makes the most sense if your organization already runs Mimecast for email security. The integration is natural, and you avoid adding another vendor to your stack. DMARC Analyzer was one of the first solutions offering DMARC management and reporting, and the January 2026 update to version 2.0 is good to see, adding centralized domain management and TLS reporting that were previously missing. It is a strong DMARC option for mid-sized organizations and enterprises looking to integrate DMARC more efficiently.

Strengths
Automatic subdomain discovery catches authentication blind spots from shadow IT
DNS timeline tracks DMARC posture changes over time for clear audit trails
Smooth integration for organizations already running the Mimecast stack
DMARC Analyzer 2.0 adds centralized domain management and TLS reporting
Cautions
Reviews flag the admin interface as confusing and hard to navigate
Users report API integration lacks flexibility for connecting with third-party tools
9.

Proofpoint Email Fraud Defense

Proofpoint Email Fraud Defense Logo
Proofpoint

Best for enterprises with complex supplier ecosystems needing vendor DMARC visibility

Proofpoint Email Fraud Defense is a cloud-based DMARC solution with dedicated consultant support, targeting medium to large enterprises managing multiple domains and complex supplier networks. It provides visibility across your entire email ecosystem including third-party senders. We think the Nexus Supplier Risk Explorer is the standout feature that separates this from the rest of the market.

  • Nexus Supplier Risk Explorer analyzes supplier DMARC posture and fraud risks across your vendor ecosystem.
  • Dashboard provides actionable visibility into all messages sent using your domains including unauthorized and lookalike sources.
  • Automated hosting for SPF, DKIM, and DMARC simplifies ongoing record management.
  • Gateway integration enables inbound DMARC enforcement, creating a closed loop between outbound authentication and inbound threat blocking.
  • Lookalike domain detection adds brand protection beyond basic DMARC.

Enterprise customers praise the dedicated team that drives implementation. Users say having assigned consultants who automate tasks and guide configuration makes DMARC projects manageable for lean security teams. The cloud-hosted model and setup process get positive marks. Something to be aware of is that support responsiveness outside the dedicated consultant team can require repeated follow-ups, and pricing sits at the premium end of the DMARC market.

We think Email Fraud Defense is the right choice if your organization manages a large supplier ecosystem and needs visibility into third-party DMARC posture. The consultant-led model works for enterprises that want guided implementation over self-service. If you don’t have complex supplier risk requirements, the premium pricing is harder to justify.

Strengths
Nexus Supplier Risk Explorer analyzes vendor DMARC posture across your supply chain
Dedicated consultant team guides implementation and automates configuration
Lookalike domain detection adds brand protection beyond standard DMARC enforcement
Gateway integration creates a closed loop between outbound authentication and inbound blocking
Cautions
Premium pricing can be hard to justify without complex supplier ecosystem requirements
Users report support responsiveness outside the dedicated consultant team requires follow-ups

Other DMARC Solutions for Business Services

Beyond our top 9, these platforms are worth considering for business DMARC management.

10
DMARC Sentry

Provides a user-friendly DMARC monitoring solution.

11
DMARC360

Provides visibility into email sources and impersonations.

12
PowerDMARC

DMARC analyzer and monitoring service allowing organizations to monitor and analyze DMARC protecting their email from spoofing and phishing.

DMARC Solutions for Business Pricing

Business DMARC pricing varies by platform, domain count, and whether consultant-led implementation is included. Several platforms offer free tiers for basic monitoring, with paid plans scaling based on features and domain volume.

Product Starting Price Billing Link
EasyDMARC
Free plan available; Plus from $35.99/month
Monthly
Red Sift OnDMARC
Contact for quote
Barracuda Domain Fraud Protection
Contact for quote
dmarcian
Contact for quote
DigiCert ONE
Contact for quote
Fortra Agari DMARC Protection
Contact for quote
Libraesva LetsDMARC
Contact for quote
Mimecast DMARC Analyzer
Contact for quote
Proofpoint Email Fraud Defense
Contact for quote

DMARC Solutions for Business Checklist

These are the criteria we recommend evaluating when selecting a DMARC solution for your organization.

DMARC projects stall when teams lack DNS expertise or clear next steps; guided workflows with sender identification at each stage accelerate the path to full enforcement.

Organizations with multiple sending services quickly hit the 10 DNS lookup limit, which breaks SPF validation entirely and stalls DMARC projects.

Manual DNS formatting errors are the most common cause of DMARC misconfiguration; hosted records eliminate this risk.

Raw DMARC XML data is unusable for most teams; visual dashboards with source identification by name rather than IP address make reports actionable.

Barracuda and Mimecast customers benefit from native DMARC integration; standalone platforms avoid vendor lock-in but add another point solution.

BIMI displays your verified brand logo in recipient inboxes, adding a visible trust signal alongside the authentication enforcement.

Supply chain BEC exploits weak vendor DMARC posture; platforms like Proofpoint Email Fraud Defense monitor third-party authentication status.

DMARC policies drift as sending services change; platforms with automated alerting and continuous monitoring prevent regression to permissive policies.

The Bottom Line

The right DMARC solution depends on your organization’s technical maturity, existing vendor stack, and the complexity of your sending environment. For most mid-sized teams, a platform with guided enforcement and automated SPF management will deliver the fastest path to a reject policy. Enterprises with complex supplier ecosystems or multi-domain environments should prioritize solutions with dedicated support and advanced threat intelligence.

Everything You Need To Know About DMARC Solutions (FAQs)

Domain-Based Message Authentication Reporting and Conformance (DMARC) is a method of verifying the authenticity of email communication by confirming that emails are sent from legitimate domains. Its purpose is to prevent cyber-criminals from impersonating your company’s domain through email, a tactic known as domain spoofing. Email service providers, such Google and Microsoft, generate reports for all incoming emails, providing valuable information about the IP addresses used.

DMARC works by using “identifier alignment” to corroborate an email’s authenticity. In order to do this, it will use SPF and/or DKIM to decide if an email should be accepted or rejected. DMARC does not require both SPF and DKIM to return a verified identification – one approved verification is enough. By combining the two protocols, DMARC can reduce the number of false negatives – this is where a valid email is identified as being fraudulent. Simply put, DMARC gives two opportunities for an email to prove that it is genuinely from whom it appears to be.

DMARC incorporates two email authentication techniques: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).

There are multiple DMARC vendors that can help organizations to gain greater insights from their DMARC reports, deploy DMARC more easily, and gain more control over DMARC policies. These tools are used by organizations of all sizes to make implementing DMARC easier, and to better manage DMARC policies and reporting. There are a number of different tools and use cases for DMARC. This includes free tools that will generate DMARC reports for your organization, and enterprise solutions that offer email visibility and governance across email channels.

Sender Policy Framework (SPF) is an email-authentication technique employed to prevent cyber-criminals from using your domain to send mass spam emails. By implementing SPF, organizations can designate authorized mail servers, which inform receiving systems about the trustworthiness of the email’s origin. SPF leverages Domain Name Service (DNS) to enable users to specify which email servers are permitted to send emails from their domains.

Domain Keys Identified Mail (DKIM) is an email authentication technique that allows recipients to verify that emails were sent and authorized by the domain owner. This safeguard helps users avoid falling victim to phishing scams that impersonate well-known email domains. DKIM assigns a digital signature to legitimate email messages, which is encrypted and attached to the emails.

Without going into the specific details of how to code for a specific DMARC policy option, it is worth explaining the options that are on offer. The protocol was designed to be easy to be implement by the registered owner of the domain – it is therefore versatile and simple to implement.

Monitoring (p=none)

This policy option is purely for monitoring email traffic and collecting data on the validation rates. This information is fed into a report for admins and domain owners to decide if their SPF and DKIM identifiers should be more specific. If an email fails the DMARC validation, there will be no remediation action; the email will be allowed to enter the intended inbox without being blocked or sent to spam. This type of policy would be used when first setting up DMARC to understand positive and false positive rates before implementing a remediation policy (this prevents too many valid emails being regarded as fraudulent and rejected).

Quarantine (p=quarantine)

With this policy enabled, any emails that fails the DMARC check will be automatically placed in the recipient’s spam folder. By quarantining the emails in this way, emails that cannot be verified will not enter the user’s main inbox, thereby reducing the risk of engaging with malicious content. Users are still able to access the emails via their spam folder, yet they will be acutely aware of the risk associated with the content of these emails.

Reject (p=reject)

Any email that fails the DMARC validation will be rejected and will not end up in the recipient’s inbox. This is the tightest level of control offered by DMARC and can further reduce the risk of your domain being used to disseminate spoofing emails. The potential downside to this policy is that any email that fails the test will be removed; this does not, however, mean that the test is always 100% accurate. It is through analysis gained from a p=none policy that admin can understand the pass/fail rates and decide if they want to enact a reject policy. If the pass/fail rate is incorrect, valid emails could automatically be rejected without the user’s knowledge. Analysis reports will still be produced while a p=reject policy is operational; this allows the admin to make ongoing tweaks and changes.

Percentage Tag (pct=%)

A percentage tag can be added to any of the actionable policies already listed (p=none, p=quarantine, or p=reject). For example, if a pct=25 tag is added to a p=quarantine policy, only 25% of the emails that fail the DMARC check will be quarantined. The other 75% can either be rejected or face no remediation. The benefit of this tag is that you can gradually roll out newer policies (by adjusting the percentage of emails that are affected) while monitoring the reject/accept rates. You can continue to monitor rejection rates, while shifting to more robust remediation, without the risk of many of your emails being incorrectly identified, and therefore having the wrong remediation enacted.

DMARC benefits both the domain owner and the email recipients by coordinating the methods for verifying email authenticity. Here are some of the main reasons your organization might want to consider implementing a DMARC solution:

Standardized Remediation

DMARC allows organizations to play a proactive role in deciding how failed authentications should be treated. Admins have an insight into email acceptance rates and can therefore adjust their policies and identifiers to achieve the balance between security and email acceptance.

Maintain Brand Identity

By reducing a malicious actor’s ability to impersonate your brand, you can ensure that only valid messages are associated with your company. You can be sure that any time a user thinks they are interacting with your brand, they actually are. This ensures that users are engaged and confident in responding to your emails, rather than having to worry about the risk of phishing.

Enhance DKIM And SPF

DKIM and SPF alone offer specific, but not comprehensive email authentication. For example, DKIM does not analyze the “from” domain – this is the address that will appear to the user. Just because this address appears to be from a specific domain, there are no checks, and this address can be spoofed. DMARC resolves this issue by checking that the visible domain address is the same as the domains that have already been verified as part of the DMARC checks (SPF or DKIM). This ensures that an email’s advertized identity is verified and is consistent with its origin.

The DMARC standard is based on SPF and DKIM, existing email standards. These standards were initially used to protect domains from domain spoofing, but they became increasingly easy for cyber-criminals to circumvent.

To better protect domains, DMARC combines the authentication mechanisms for SPF & DKIM. To pass DMARC validation, an email must pass either SPF authentication and alignment or DKIM authentication and alignment. If an email doesn’t fully pass one of these checks, it will fail DMARC validation.

The DMARC record is where you decide variables, like your preferred policy, which decides how your emails that fail DMARC validation will be handled. The DMARC record tells email receivers that you have implemented DMARC, and the desired policy you with you use. Once the DMARC record is implemented, you will be also be able receive reports, which we will cover in more detail in the next section. In the DNS Record, you will choose where you want the reports to be sent.

Once your DMARC Record has been set up, your ISP will provide Aggregate (RUA) and Forensic (RUG) DMARC reports daily. Here is a brief rundown of these reports:

Aggregate DMARC Reports

Aggregate reports provide information about the authentication status of emails sent by your domains. They are sent daily, in an XML file-format. These reports don’t contain any information about the emails themselves, but instead give information about who sent email messages. This includes the sender’s IP address, the number of messages sent, DKIM/SPG authentication and more. This helps you to identify if malicious emails are being sent from their domains.

Forensic DMARC Reports

Forensic DMARC reports are generated by ISPs when an email fails DMARC authentication, so it could potentially be malicious. They are more detailed than daily Aggregate Reports. The DMARC forensic reports include additional information to the aggregate reports, including information like the subject line and header information of sent emails. This also includes who the email was sent from and to, any included links and attachment information. It is also possible to see the entire email message. Forensic reports are useful for understanding your security risks and real-world issues.

Once you have set up your SPF and DKIM, you are ready to set up DMARC. To get started with DMARC, you must implement a DMARC Record. Here is a quick guide to implementing a DMARC record.

Step One) Find the business domain/domains that you wish to implement DMARC.

Find the domain with which you want to implement DMARC. If your company email address is [email protected], than your domain is yourcompany.com.

Step Two) Generate a DMARC record.

If you are using Office 365, you can find out more about setting up DMARC here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide

Alternatively, there are a number of DMARC tools available that allow organizations to quickly create a DMARC record. In the next section, we’ll outline some of these vendors and the approaches that they take.

Step Three) Publish the DMARC Record

To publish the DMARC record, you must publish it to the Domain Name System (DNS). Take these steps:

Step One:

Log in to the DNS management console, and select your domain.

Step Two:

Create a TXT entry on your domain with these settings:

Type: TXT Host: _DMARC TXT Value: (The DMARC record you have already generated) TTL: 1 hour

Email Security Resources

Further reading on email security from Expert Insights — buyers' guides, comparison articles, and platform-specific shortlists.

Written By Written By
Joel Witts
Joel Witts Content Director

Joel is the Director of Content and a co-founder at Expert Insights; a rapidly growing media company focussed on covering cybersecurity solutions.

He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.

He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.

Technical Review Technical Review
Craig MacAlpine CEO and Founder

Craig MacAlpine is CEO and Founder of Expert Insights. Before founding Expert Insights in August 2018, Craig spent 10 years as CEO of EPA Cloud, an email security provider that rebranded as VIPRE Email Security following its acquisition by Ziff Davis, formerly J2Global (NASDAQ: ZD) in 2013.

Craig is a passionate security innovator with over 20 years of experience helping organizations to stay secure with cutting-edge information security and cybersecurity solutions.

Using his extensive experience in the email security industry, he founded Expert Insights with the singular goal of helping IT professionals and CISOs to cut through the noise and find the right cybersecurity solutions they need to protect their organizations.