What Is DMARC?

DKIM and SPF help recipients to verify the authenticity of email messages. But many email environments are complex, sending email from many different systems, including third-party providers. Also, systems and third-party providers can change over time. This complexity and variability can make authenticating every legitimate email message through DKIM or SPF challenging.

For example, what if a domain owner sends emails that can’t be authenticated along with others that can? Do you reject all of them in case some are fraudulent? Or, do you accept them all and risk letting spam through to your users? That’s where DMARC comes in.

DMARC is a second layer of authentication after DKIM and SPF. If an email doesn't pass DKIM and SPF authentication, DMARC policy tells the receiver what to do with the message. For example, it can reject some email messages and quarantine others.

DMARC also helps senders and receivers collaborate to improve the sender’s email authentication methods and the receiver’s identification of unauthorized messages. With DMARC, the receiver can report back to the sender when emails fail their DKIM and SPF checks, even if the messages aren’t rejected. This information helps senders determine how many legitimate messages can’t be authenticated. Senders can then work with receivers to authenticate similar messages in the future. These reports can also inform senders of the scope of fraudulent emails spoofing their domain. Senders and receivers can then change their joint approach to handling emails from that domain based on this information.

Salesforce supports and recommends DMARC. It’s up to you whether you implement it for your domain.