Best DMARC Solutions For Business
Discover the top DMARC solutions for business. Examine their features such as phishing protection, enchanced security, and brand reputation protection.
Written by
Joel Witts
Technical Review by
Craig MacAlpine
Quick Summary
For SMBs wanting managed DMARC without DNS expertise, EasyDMARC eliminates manual DNS changes with single-record policy control and visual dashboards, with a dedicated onboarding expert from trial start, though limited subdomain segmentation forces workarounds.
If you’re moving from monitoring to enforce policy in complex sending environments, Red Sift OnDMARC solves the SPF 10 lookup limit with dynamic SPF and provides guided enforcement workflows at a predictable bundled cost, though it adds another point solution to crowded vendor stacks.
For organizations wanting DMARC bundled with broader email security, Barracuda Domain Fraud Protection integrates into Barracuda’s stack with automated reporting that surfaces misconfigured senders, though initial setup involves a steep learning curve.
DMARC has shifted from nice-to-have to mandatory. Phishing and business email compromise hit your domain every day, and bad actors increasingly exploit authenticated-looking messages. Getting DMARC right is no longer optional, it is table stakes for email security.
But DMARC is harder than it looks. SPF record management breaks with complex sending infrastructure. DKIM verification requires coordination across teams. Moving from monitoring to reject policy without breaking legitimate mail demands careful orchestration. And if you have multiple domains or external senders, the operational overhead explodes quickly.
We evaluated nine DMARC solutions across different team sizes and organizational complexity levels. We evaluated them for ease of implementation, automation quality, handling of complex sending scenarios, and the critical measure: whether they actually help you move to reject policy or just create another reporting tool. The gap between what vendors promise and what works in production is substantial.
This guide gives you testing insights to choose the right DMARC platform for your organizational size and complexity, from small teams adding authentication to enterprises protecting complex supplier ecosystems.
Our Recommendations
Your ideal platform depends on whether you prefer managed simplicity, guided enforcement with SPF solutions, or integration with your existing email security stack.
- Best For Managed DMARC Simplicity: EasyDMARC eliminates manual DNS changes with single-record policy control and visual dashboards that turn complex authentication data into actionable reporting.
- Best For Dynamic SPF and Guided Enforcement: Red Sift OnDMARC solves the SPF 10 lookup limit that blocks complex sending environments with dynamic SPF.
- Best For Barracuda Integration: Barracuda Domain Fraud Protection integrates DMARC directly into the broader Barracuda email security stack.
- Best For MSP and Reseller Channels: dmarcian provides fast, clear status checks across all email domains with Domain Overview.
- Best For Unified Certificate and DMARC Management: DigiCert ONE covers PKI, DNS, and DMARC from a single dashboard with automated certificate lifecycle management.
EasyDMARC is a DMARC platform-as-a-service for SMBs and mid-sized organizations that need email authentication handled without a dedicated specialist. It covers DMARC, SPF, DKIM, and BIMI through a single dashboard focused on accessibility.
Managed DMARC Without the DNS Headaches
The standout here is Managed DMARC. It lets you adjust policies directly from the platform through a single DNS record. No more manual DNS edits for every policy change. We found the reporting dashboards particularly clean, breaking complex authentication data into visual formats that make it easy to spot spoofing and misconfigured senders.
EasySPF tackles the common SPF record headache. The platform also bundles deliverability tools through EasySender, including mailbox warmup and inbox placement testing. Automatic alerts flag urgent issues before they become incidents.
What the Day-to-Day Users Are Saying
Customers consistently praise the interface and onboarding experience. Support gets high marks, with users noting fast response times and dedicated experts assigned from day one of the trial. Several long-term customers say EasySPF and Managed DMARC have been reliable workhorses over multiple years.
On the flip side, some customers flag pricing as steep at renewal. Users have also called out limited subdomain segmentation, which forces workarounds for complex domain setups. A few have reported bugs in the Email Investigation tool around DKIM verification that remain unresolved.
Right Fit for Your Team?
We think EasyDMARC hits its mark for small and mid-sized teams that need DMARC enforcement without deep in-house DNS expertise. If your organization runs complex subdomain architectures, ask hard questions during the evaluation about segmentation limits.
Strengths
- Managed DMARC eliminates manual DNS changes with single-record policy control
- Visual dashboards turn complex authentication data into clear, actionable reporting
- Dedicated onboarding expert assigned from trial start helps teams ramp quickly
- EasySPF solves SPF record management pain that trips up most organizations
Cautions
- According to some user reviews, limited subdomain segmentation forces workarounds for complex domain architectures
- Some users have noted that pricing lacks loyalty incentives and can feel steep at renewal time
Red Sift OnDMARC is a software-led DMARC platform built to get organizations from monitoring to reject policy fast. It targets mid-market and enterprise teams that want guided enforcement without heavy professional services overhead.
Dynamic SPF and Guided Enforcement
The Dynamic SPF feature stands out. It works around the 10 DNS lookup limit that trips up organizations with multiple sending services. We found the platform takes a deliberate approach to DMARC enforcement, surfacing actionable guidance based on your actual traffic rather than leaving you to interpret raw data.
Hosted BIMI with integrated VMC provisioning handles verified logo display in recipient inboxes. DNSGuardian adds a layer for blocking malicious email threats. The investigate tool lets you test sending sources for SPF and DKIM on the spot, speeding up triage.
What Long-Term Users Are Saying
Customers consistently highlight speed to reject policy. Users say the platform simplifies what normally feels overwhelming, and that non-technical staff have successfully managed implementations. Support gets strong praise, with customers noting fast, substantive replies rather than holding responses.
The main criticism customers raise is not about the platform itself.
Where OnDMARC Fits Your Stack
We think OnDMARC is a strong fit if your priority is getting to reject policy quickly with minimal services cost. Pricing includes setup and support alongside licensing, so your total cost of ownership stays predictable.
Strengths
- Dynamic SPF solves the 10 lookup limit that blocks complex sending environments
- Guided enforcement workflow accelerates the path from monitoring to reject policy
- Pricing bundles setup, support, and licensing into a single predictable cost
- Investigate tool enables real-time SPF and DKIM testing for quick issue triage
Cautions
- Some users mention that the platform adds another point solution to organizations with already crowded vendor stacks
- According to customer feedback, value diminishes if your sending infrastructure is already tightly configured
Barracuda Domain Fraud Protection
Barracuda Domain Fraud Protection is a DMARC solution designed to slot into Barracuda’s broader email security stack for Microsoft 365. It targets organizations that want DMARC enforcement bundled with their existing gateway and threat protection rather than managed standalone.
DMARC as Part of a Bigger Picture
The core value here is integration. Barracuda ties DMARC reporting and analytics into its email gateway and Sentinel product, which uses machine learning for threat detection inside Office 365. We found the automated reporting useful for surfacing misconfigured legitimate senders and identifying spoofing sources without manual log analysis.
SPF and DKIM policy configuration is built in.
What Customers Are Saying
Customers praise the monitoring and alerting once everything is running. Users say alerts are clear and timely, and long-term customers report that domain impersonation problems dropped off significantly after deployment. Support gets positive marks for responsiveness.
The consistent criticism is initial setup complexity.
Best Fit for Barracuda Shops
We think this is the right pick if your organization already runs Barracuda email security products. The integration keeps your DMARC management inside a single vendor ecosystem, which simplifies procurement and operational overhead.
Strengths
- Integrates DMARC directly into the broader Barracuda email security stack
- Automated reporting surfaces misconfigured senders and spoofing sources without manual effort
- Clear, timely alerts help teams respond quickly to suspicious domain activity
- Single vendor relationship simplifies procurement for existing Barracuda customers
Cautions
- Based on customer feedback, initial setup and configuration involves a steep learning curve for new users
- Best value requires commitment to the wider Barracuda ecosystem for Microsoft 365
dmarcian
dmarcian is a DMARC SaaS platform focused on processing authentication data and giving organizations visibility into who is sending email on their behalf. It has a strong MSP and reseller channel presence, making it a popular pick for providers handling DMARC across multiple clients.
Deep DMARC Data, Well Organized
The Domain Overview gives you a fast status check across all your email domains. We found the Detail Viewer useful for digging into specific authentication gaps. The platform also maps geographic locations of abuse sources, adding context when investigating spoofing patterns.
The toolset includes a domain checker, DKIM Investigator, and a phishing scorecard for benchmarking against open standards. We saw the dashboards turn raw DMARC report data into clear visualizations. Source cataloguing tracks legitimate and suspicious senders across your domains.
What Customers Are Saying
Customers who like dmarcian praise its mission-driven approach to email security and helpful support team. Users say pricing is competitive, and long-term customers report reliable domain protection over time.
The criticism is harder to ignore.
Who Should Look at Dmarcian
We think dmarcian is worth evaluating if you need strong DMARC reporting and visualization, especially if your MSP already offers it. The partner channel makes it accessible through providers who handle configuration on your behalf.
Strengths
- Domain Overview provides fast, clear status checks across all email domains
- Geographic abuse mapping adds useful context when investigating spoofing sources
- Strong MSP and reseller channel makes it accessible through managed providers
- Phishing scorecard benchmarks your posture against open email security standards
Cautions
- Some customer reviews highlight that API integration issues make connecting with existing infrastructure a reported pain point
- According to some user reviews, the interface is difficult to navigate without a learning curve
DigiCert ONE
DigiCert ONE is a unified platform covering PKI, DNS, and DMARC from a single dashboard. It targets enterprises in finance, healthcare, alongside manufacturing and government that need automated certificate lifecycle management alongside email authentication enforcement.
Certificate Lifecycle and DMARC Under One Roof
The Trust Lifecycle Manager handles certificate management across TLS, SSL, S/MIME, and code signing from a centralized console. We found the single sign-on across all DigiCert ONE services keeps access management clean when multiple teams need different certificate types. It supports cloud, hybrid, and air-gapped deployments.
AI Assist provides contextual guidance for PKI configuration, integrations, and admin tasks. Centralized policy and governance controls let you enforce standards without chasing individual teams. We saw the DMARC capabilities sit within a broader trust infrastructure rather than operating as a standalone email authentication tool.
What Customers Are Saying
Customers managing thousands of certificates praise the interface and navigation. Users say CertCentral is one of the most intuitive platforms for large-scale cert management. Support gets high marks for speed and quality across organizations of all sizes.
The friction shows up during initial configuration.
Right Fit for Trust at Scale
We think DigiCert ONE makes the most sense if your organization needs DMARC as part of a wider PKI and certificate management strategy. If you just need standalone DMARC enforcement, this platform is more than you need.
Strengths
- Unified platform covers PKI, DNS, DMARC, and certificate management in one console
- Intuitive interface scales well for organizations managing thousands of certificates
- Support team is consistently fast and knowledgeable across enterprise deployments
- Supports cloud, hybrid, and air-gapped environments for flexible deployment
Cautions
- Some customer reviews note that multi-domain setup and initial configuration can be confusing without guided support
- According to customer feedback, certificate renewal and installation workflows feel clunky for some users
Fortra Agari DMARC Protection
Fortra Agari DMARC Protection is a cloud-based DMARC solution that uses machine learning to counter spear-phishing and business email compromise. It targets mid-sized and large organizations running complex sending environments with multiple domains that need guided DMARC enforcement.
Automated DMARC With ML-Backed Threat Detection
The platform automates DMARC implementation including auto-generating and hosting DNS records. We found this takes significant operational burden off teams managing records manually across dozens of domains. DMARC record accuracy checks run continuously, reducing the risk of misconfigurations going unnoticed.
Machine learning underpins the threat detection layer, identifying sophisticated phishing and social engineering attempts. We saw enhanced visibility into DMARC reports that makes it easier to identify which sources are failing authentication and move toward reject policies with confidence.
What Customers Are Saying
Customer feedback for Agari DMARC Protection is limited in volume, which is worth noting during your evaluation. Users who have adopted it highlight the added security layer for Office 365 environments and praise the notification system for catching threats that native filtering misses.
On the downside, customers say policy configuration is difficult for non-technical staff.
Where Agari Fits Your Shortlist
We think Agari DMARC Protection belongs on your shortlist if you manage a complex multi-domain environment and want ML-driven threat intelligence layered into your DMARC enforcement. The automated DNS record management reduces operational friction at scale.
Strengths
- Automated DNS record generation and hosting removes manual overhead across multiple domains
- Machine learning adds an active threat detection layer beyond basic DMARC reporting
- Continuous DMARC record accuracy checks reduce misconfiguration risk at scale
- Enhanced report visibility helps teams move toward reject policies with clarity
Cautions
- Based on customer reviews, Policy configuration is difficult for non-technical staff without DMARC expertise
- Some users have noted that support response times are flagged as slower than expected by early adopters
Libraesva LetsDMARC
Libraesva LetsDMARC simplifies DMARC, DKIM, and SPF policy setup for organizations without dedicated DNS expertise. It sits alongside Libraesva’s broader email security gateway (ESG), targeting businesses that need domain protection without deep technical overhead.
Guided Authentication Without DNS Expertise
We found the guided configuration approach is the main draw. The platform walks you through DMARC, DKIM, and SPF setup without requiring your team to manage DNS records directly. Real-time visibility into email sources helps identify unauthorized senders and track which services are passing or failing authentication.
The solution integrates with existing email systems and focuses on improving deliverability by authenticating legitimate senders alongside blocking spoofed traffic. We saw this as an accessible entry point for organizations adding DMARC enforcement for the first time.
Vendor Track Record Over Product-Specific Reviews
Direct customer feedback for LetsDMARC is limited. However, Libraesva’s broader email security products give insight into the vendor experience. Customers praise the support team for fast, knowledgeable responses and smooth onboarding. Users say pricing is competitive, especially for MSPs and resellers.
Some customers note that SPF and DKIM edge cases across Libraesva products require custom filter rules beyond simple allowlisting.
A Fit for the Libraesva Ecosystem
We think LetsDMARC is worth a close look if your organization already uses Libraesva ESG or needs a low-barrier entry into DMARC enforcement. The guided setup removes the DNS expertise requirement that stalls many first-time projects.
Strengths
- Guided configuration removes the need for in-house DNS expertise during setup
- Real-time email source visibility helps identify unauthorized senders quickly
- Competitive pricing makes it accessible for SMBs and MSP channel partners
- Libraesva's support reputation carries over with fast, knowledgeable responses
Cautions
- Some users report that limited LetsDMARC-specific customer feedback makes independent validation harder
- Based on customer reviews, SPF and DKIM edge cases may require custom filter rules beyond basic configuration
Mimecast DMARC Analyzer
Mimecast DMARC Analyzer is a SaaS solution providing visibility and governance across email channels. It targets mid-sized organizations and enterprises already in the Mimecast ecosystem that need simplified DMARC deployment and monitoring.
Automated Discovery and Ongoing Governance
Automatic subdomain discovery is a standout feature. It catches domains you may not be tracking, which matters when shadow IT or forgotten services create authentication blind spots. We found the DNS timeline useful for tracking changes over time and understanding how your DMARC posture has evolved.
Aggregate DMARC reports and automated alerts keep you informed without daily manual checks. The platform includes a knowledge base and support team to help with implementation. For existing Mimecast customers, we saw the integration is straightforward since it sits within the broader security stack.
Strong on Visuals, Rough Around the Edges
Existing Mimecast customers say implementation was smooth and support helpful throughout onboarding. Users highlight reporting visuals as a strength, turning raw DMARC data into presentable formats. The anti-spoofing capabilities get particular praise from organizations protecting high-profile users.
The admin interface draws consistent criticism.
Best as Part of the Mimecast Stack
We think DMARC Analyzer makes the most sense if your organization already runs Mimecast for email security. The integration is natural, and you avoid adding another vendor to your stack.
Strengths
- Automatic subdomain discovery catches authentication blind spots from shadow IT
- DNS timeline tracks DMARC posture changes over time for clear audit trails
- Smooth integration for organizations already running the Mimecast email security stack
- Visual reporting turns raw DMARC data into clear, presentable formats
Cautions
- Some customer reviews flag that admin interface is consistently criticized as confusing and hard to navigate
- Some users report that API integration lacks flexibility for connecting with third-party tools
Proofpoint Email Fraud Defense
Proofpoint Email Fraud Defense is a cloud-based DMARC solution with dedicated consultant support, targeting medium to large enterprises managing multiple domains and complex supplier networks. It provides visibility across your entire email ecosystem including third-party senders.
Consultant-Led DMARC With Supplier Risk Visibility
The Nexus Supplier Risk Explorer is the standout feature. It analyzes supplier DMARC posture and fraud risks across your vendor ecosystem, something most standalone DMARC tools skip entirely. We found the dashboard provides actionable visibility into all messages sent using your domains, including unauthorized and lookalike sources.
Automated hosting for SPF, DKIM, and DMARC simplifies ongoing record management. The gateway integration enables inbound DMARC enforcement, creating a closed loop between outbound authentication and inbound threat blocking. Lookalike domain detection adds another layer for brand protection beyond what basic DMARC tools offer.
Enterprise Users Value the Guidance
Enterprise customers praise the dedicated team that drives implementation. Users say having assigned consultants who automate tasks and guide configuration makes DMARC projects manageable for lean security teams. The cloud-hosted model and setup process get positive marks.
The criticism centers on support responsiveness outside the dedicated team.
Built for Complex Enterprise Environments
We think Email Fraud Defense is the right choice if your organization manages a large supplier ecosystem and needs visibility into third-party DMARC posture. The consultant-led model works for enterprises that want guided implementation over self-service.
Strengths
- Nexus Supplier Risk Explorer analyzes vendor DMARC posture across your supply chain
- Dedicated consultant team guides implementation and automates configuration tasks
- Lookalike domain detection adds brand protection beyond standard DMARC enforcement
- Gateway integration creates a closed loop between outbound authentication and inbound blocking
Cautions
- According to customer feedback, the platform requires significant upfront investment in consultant-led onboarding, making it less accessible for teams wanting a self-service DMARC tool.
- Based on customer reviews, pricing sits at the premium end of the DMARC market, which can be hard to justify for organizations without complex supplier ecosystems.
- Some users mention that support responsiveness outside the dedicated consultant team requires repeated follow-ups
- Some customer reviews flag that configuration complexity is typical of the broader Proofpoint product family
Other Email Security Services
Provides a user-friendly DMARC monitoring solution.
Provides visibility into email sources and impersonations.
DMARC Analyzer and DMARC monitoring service allow organizations to monitor and analyze DMARC protecting their email from spoofing and phishing.
What To Look For: DMARC Solutions Checklist
When evaluating DMARC solutions, we have identified seven essential criteria. Here is the checklist of questions you should be asking:
- Configuration Complexity: Does the platform require DNS expertise, or can non-technical staff configure it? Does it handle managed DMARC through the platform, or must you edit DNS records manually? How often do you need to touch configuration as sending infrastructure changes?
- SPF Record Handling: Does it solve the 10 DNS lookup limit problem with Dynamic SPF or alternative approaches? How does it handle complex sending infrastructure with multiple third-party services? Will your configuration work out of the box or require workarounds?
- Multi-Domain Management: Can you manage dozens or hundreds of domains from a single console? How does subdomain segmentation work? Can you apply policies across domain groups or must you configure each separately?
- Reporting And Visibility: Do dashboards actually help you understand email authentication, or just dump raw DMARC data? Can you identify which senders are failing and why? Does reporting help you move from monitoring to reject policy, or leave you guessing?
- Support And Guidance: Is support included or extra cost? Do you get assigned specialists or self-serve chat? Does the vendor help you move to reject policy or leave you on your own?
- Integration With Existing Stack: Does it integrate with your email gateway, if you have one? Can it connect to your identity provider for single sign-on? Are APIs available and documented for custom integrations?
- Pricing And Loyalty: Is pricing transparent or require direct engagement? What is the renewal experience, do you get loyal customer discounts or face price increases? Is it per-domain, per-user, or flat-rate? Do you understand total cost of ownership upfront?
Weight these criteria based on your team’s expertise and infrastructure complexity. Teams without DNS specialists should prioritize guided configuration or managed DMARC. Organizations with complex sending infrastructure should focus on SPF handling and multi-domain management. If you are just starting DMARC, prioritize support quality and clear guidance. Enterprises managing supplier ecosystems should evaluate risk analysis capabilities alongside basic enforcement.
How We Compared The Best DMARC Solutions For Business
Expert Insights is an independent editorial team that researches, tests, and reviews cybersecurity and IT solutions. No vendor can pay to influence our review of their products. Our assessments are based solely on product quality and operational effectiveness.
We evaluated nine DMARC solutions across different team sizes and organizational complexity. Testing included ease of configuration, multi-domain management, handling of complex SPF scenarios, quality of guidance toward reject policy, and real-world operational overhead. We assessed each solution’s ability to actually help organizations move from monitoring mode to policy enforcement rather than just adding another reporting tool.
Beyond hands-on testing, we reviewed customer feedback from SMBs, mid-market, and enterprise deployments. We analyzed feedback on configuration experience, support quality, and whether platforms actually accelerated the path to reject policy. Our testing prioritizes operational effectiveness and whether the platform reduces overhead rather than feature count.
This guide is updated quarterly. For complete details on our evaluation methodology, visit our How We Test & Review Products.
The Bottom Line
DMARC solutions are not one size fits all.
If you need DMARC without in-house DNS expertise, EasyDMARC delivers Managed DMARC with clean reporting and strong support. Expect to negotiate pricing at renewal.
If you manage multiple domains and want to move from monitoring to reject policy quickly, Red Sift OnDMARC provides guided enforcement with Dynamic SPF solving the lookup limit problem. Pricing bundles setup and support predictably.
If you already run Barracuda for email security, Barracuda Domain Fraud Protection integrates directly. Mimecast customers should evaluate Mimecast DMARC Analyzer for natural ecosystem fit.
For strong DMARC reporting and visualization with MSP availability, dmarcian delivers solid depth. Test API integration with your stack carefully.
For enterprises managing complex supplier ecosystems with multiple domains, Proofpoint Email Fraud Defense provides consultant-led implementation with Nexus Supplier Risk Explorer for vendor visibility. Worth the premium when supplier risk is a real threat.
Read the individual reviews above to dig into configuration requirements, SPF handling, reporting capabilities, and the support model that fits your team’s expertise and timeline.
FAQs
Everything You Need To Know About DMARC Solutions (FAQs)
Domain-Based Message Authentication Reporting and Conformance (DMARC) is a method of verifying the authenticity of email communication by confirming that emails are sent from legitimate domains. Its purpose is to prevent cyber-criminals from impersonating your company’s domain through email, a tactic known as domain spoofing. Email service providers, such Google and Microsoft, generate reports for all incoming emails, providing valuable information about the IP addresses used.
DMARC works by using “identifier alignment” to corroborate an email’s authenticity. In order to do this, it will use SPF and/or DKIM to decide if an email should be accepted or rejected. DMARC does not require both SPF and DKIM to return a verified identification – one approved verification is enough. By combining the two protocols, DMARC can reduce the number of false negatives – this is where a valid email is identified as being fraudulent. Simply put, DMARC gives two opportunities for an email to prove that it is genuinely from whom it appears to be.
DMARC incorporates two email authentication techniques: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).
There are multiple DMARC vendors that can help organizations to gain greater insights from their DMARC reports, deploy DMARC more easily, and gain more control over DMARC policies. These tools are used by organizations of all sizes to make implementing DMARC easier, and to better manage DMARC policies and reporting. There are a number of different tools and use cases for DMARC. This includes free tools that will generate DMARC reports for your organization, and enterprise solutions that offer email visibility and governance across email channels.
Sender Policy Framework (SPF) is an email-authentication technique employed to prevent cyber-criminals from using your domain to send mass spam emails. By implementing SPF, organizations can designate authorized mail servers, which inform receiving systems about the trustworthiness of the email’s origin. SPF leverages Domain Name Service (DNS) to enable users to specify which email servers are permitted to send emails from their domains.
Domain Keys Identified Mail (DKIM) is an email authentication technique that allows recipients to verify that emails were sent and authorized by the domain owner. This safeguard helps users avoid falling victim to phishing scams that impersonate well-known email domains. DKIM assigns a digital signature to legitimate email messages, which is encrypted and attached to the emails.
Without going into the specific details of how to code for a specific DMARC policy option, it is worth explaining the options that are on offer. The protocol was designed to be easy to be implement by the registered owner of the domain – it is therefore versatile and simple to implement.
Monitoring (p=none)
This policy option is purely for monitoring email traffic and collecting data on the validation rates. This information is fed into a report for admins and domain owners to decide if their SPF and DKIM identifiers should be more specific. If an email fails the DMARC validation, there will be no remediation action; the email will be allowed to enter the intended inbox without being blocked or sent to spam. This type of policy would be used when first setting up DMARC to understand positive and false positive rates before implementing a remediation policy (this prevents too many valid emails being regarded as fraudulent and rejected).
Quarantine (p=quarantine)
With this policy enabled, any emails that fails the DMARC check will be automatically placed in the recipient’s spam folder. By quarantining the emails in this way, emails that cannot be verified will not enter the user’s main inbox, thereby reducing the risk of engaging with malicious content. Users are still able to access the emails via their spam folder, yet they will be acutely aware of the risk associated with the content of these emails.
Reject (p=reject)
Any email that fails the DMARC validation will be rejected and will not end up in the recipient’s inbox. This is the tightest level of control offered by DMARC and can further reduce the risk of your domain being used to disseminate spoofing emails. The potential downside to this policy is that any email that fails the test will be removed; this does not, however, mean that the test is always 100% accurate. It is through analysis gained from a p=none policy that admin can understand the pass/fail rates and decide if they want to enact a reject policy. If the pass/fail rate is incorrect, valid emails could automatically be rejected without the user’s knowledge. Analysis reports will still be produced whilst a p=reject policy is operational; this allows the admin to make ongoing tweaks and changes.
Percentage Tag (pct=%)
A percentage tag can be added to any of the actionable policies already listed (p=none, p=quarantine, or p=reject). For example, if a pct=25 tag is added to a p=quarantine policy, only 25% of the emails that fail the DMARC check will be quarantined. The other 75% can either be rejected or face no remediation. The benefit of this tag is that you can gradually roll out newer policies (by adjusting the percentage of emails that are affected) whilst monitoring the reject/accept rates. You can continue to monitor rejection rates, whilst shifting to more robust remediation, without the risk of many of your emails being incorrectly identified, and therefore having the wrong remediation enacted.
DMARC benefits both the domain owner and the email recipients by coordinating the methods for verifying email authenticity. Here are some of the main reasons your organization might want to consider implementing a DMARC solution:
Standardized Remediation
DMARC allows organizations to play a proactive role in deciding how failed authentications should be treated. Admins have an insight into email acceptance rates and can therefore adjust their policies and identifiers to achieve the balance between security and email acceptance.
Maintain Brand Identity
By reducing a malicious actor’s ability to impersonate your brand, you can ensure that only valid messages are associated with your company. You can be sure that any time a user thinks they are interacting with your brand, they actually are. This ensures that users are engaged and confident in responding to your emails, rather than having to worry about the risk of phishing.
Enhance DKIM And SPF
DKIM and SPF alone offer specific, but not comprehensive email authentication. For example, DKIM does not analyze the “from” domain – this is the address that will appear to the user. Just because this address appears to be from a specific domain, there are no checks, and this address can be spoofed. DMARC resolves this issue by checking that the visible domain address is the same as the domains that have already been verified as part of the DMARC checks (SPF or DKIM). This ensures that an email’s advertized identity is verified and is consistent with its origin.
The DMARC standard is based on SPF and DKIM, existing email standards. These standards were initially used to protect domains from domain spoofing, but they became increasingly easy for cyber-criminals to circumvent.
To better protect domains, DMARC combines the authentication mechanisms for SPF & DKIM. To pass DMARC validation, an email must pass either SPF authentication and alignment or DKIM authentication and alignment. If an email doesn’t fully pass one of these checks, it will fail DMARC validation.
The DMARC record is where you decide variables, like your preferred policy, which decides how your emails that fail DMARC validation will be handled. The DMARC record tells email receivers that you have implemented DMARC, and the desired policy you with you use. Once the DMARC record is implemented, you will be also be able receive reports, which we will cover in more detail in the next section. In the DNS Record, you will choose where you want the reports to be sent.
Once your DMARC Record has been set up, your ISP will provide Aggregate (RUA) and Forensic (RUG) DMARC reports daily. Here is a brief rundown of these reports:
Aggregate DMARC Reports
Aggregate reports provide information about the authentication status of emails sent by your domains. They are sent daily, in an XML file-format. These reports don’t contain any information about the emails themselves, but instead give information about who sent email messages. This includes the sender’s IP address, the number of messages sent, DKIM/SPG authentication and more. This helps you to identify if malicious emails are being sent from their domains.
Forensic DMARC Reports
Forensic DMARC reports are generated by ISPs when an email fails DMARC authentication, so it could potentially be malicious. They are more detailed than daily Aggregate Reports. The DMARC forensic reports include additional information to the aggregate reports, including information like the subject line and header information of sent emails. This also includes who the email was sent from and to, any included links and attachment information. It is also possible to see the entire email message. Forensic reports are useful for understanding your security risks and real-world issues.
Once you have set up your SPF and DKIM, you are ready to set up DMARC. To get started with DMARC, you must implement a DMARC Record. Here is a quick guide to implementing a DMARC record.
Step One) Find the business domain/domains that you wish to implement DMARC.
Find the domain with which you want to implement DMARC. If your company email address is [email protected], than your domain is yourcompany.com.
Step Two) Generate a DMARC record.
If you are using Office 365, you can find out more about setting up DMARC here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
Alternatively, there are a number of DMARC tools available that allow organizations to quickly create a DMARC record. In the next section, we’ll outline some of these vendors and the approaches that they take.
Step Three) Publish the DMARC Record
To publish the DMARC record, you must publish it to the Domain Name System (DNS). Take these steps:
Step One:
Log in to the DNS management console, and select your domain.
Step Two:
Create a TXT entry on your domain with these settings:
Type: TXT Host: _DMARC TXT Value: (The DMARC record you have already generated) TTL: 1 hour
Written By
Joel is the Director of Content and a co-founder at Expert Insights; a rapidly growing media company focussed on covering cybersecurity solutions.
He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.
He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.
Technical Review
Craig MacAlpine is CEO and Founder of Expert Insights. Before founding Expert Insights in August 2018, Craig spent 10 years as CEO of EPA Cloud, an email security provider that rebranded as VIPRE Email Security following its acquisition by Ziff Davies, formerly J2Global (NASQAQ: ZD) in 2013.
Craig is a passionate security innovator with over 20 years of experience helping organizations to stay secure with cutting-edge information security and cybersecurity solutions.
Using his extensive experience in the email security industry, he founded Expert Insights with the singular goal of helping IT professionals and CISOs to cut through the noise and find the right cybersecurity solutions they need to protect their organizations.