How does an email pass or fail DMARC?

Ka Wai Cheung
Published in DnsDigest, Aug 12, 2024

An email passes your DMARC policy if at least one of these two conditions is true:

  1. The email is SPF authenticated and SPF aligned.
  2. The email is DKIM authenticated and DKIM aligned.

I’ve written posts on each of these terms so you can understand exactly how each of them is achieved as well.

This also means that an email fails DMARC in any other scenario. Is your email SPF and DKIM authenticated but neither SPF nor DKIM aligned? It doesn’t pass DMARC.

What’s the point of DMARC?

The point of DMARC is to better ensure that an email coming from your domain (e.g. the displayed “from” address is @yourdomain.com) is not some sort of malicious attempt by someone else to pretend to be you (spoofing).

SPF and DKIM are two different ways of vetting authenticity.

SPF is about proving the original sender was allowed to send an email using your domain name. Some folks like to use the analogy of the return address on an envelope being an address that you’ve approved of.

Here’s a link on the details of SPF authentication.

DKIM is about proving the email wasn’t somehow tampered with in transit to your email server. Those same folks like to use the analogy of ensuring the envelope wasn’t opened and tampered with while it was being delivered.

Here’s a link on the details of DKIM authentication.

SPF and DKIM alignment ensure those authentication checks were granted by you.

SPF and DKIM require DNS records so that inbound email servers can perform these authentication checks. If those DNS records live on someone else’s domain rather than yours, the checks don’t prove that you (the one that has access to your domain’s DNS records) authorized them.

So that’s where “alignment” comes in.

Alignment really is just a fancy word for saying the SPF or DKIM check is using DNS records coming from your domain. If you want to know exactly how alignment is checked, as well as what “relaxed” and “strict” alignment mean, click on these links:

  1. Here’s a link on the details of SPF alignment (and what “relaxed” and “strict” SPF alignment mean).
  2. Here’s a link on the details of DKIM alignment (and what “relaxed” and “strict” DKIM alignment mean).

What happens if an email passes or fails DMARC?

If an email passes DMARC, your email should be successfully delivered to the receiving email server, barring other checks it may do on its own (e.g. IP address blocking, custom spam checking, etc.).

If an email fails DMARC, then you can tell the receiving email server what it ought to do via the p directive on your DMARC policy:

  • None: p=none (Don’t do anything differently. Do what you’d do if there was no DMARC policy on your DNS recordset).
  • Quarantine: p=quarantine (Send it to the spam folder).
  • Reject: p=reject (Don’t send this email at all and send a bounce notification back to you).
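The pass/fail rule and the p directive described above, as an added example (not code from the original post). It assumes the receiving server has already produced SPF and DKIM verdicts, uses a constructed four-entry suffix set in place of the Public Suffix List, and the function names and mailer.example.net are made up; aspf and adkim are the DMARC tags that select relaxed (r) or strict (s) alignment.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List (assumption; real receivers use the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
# Plain-language outcome per p= value, following the list above.
ACTIONS = {"none": "no special handling", "quarantine": "spam folder", "reject": "reject"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def aligned(auth_domain, from_domain, mode="r"):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    from_domain: str   # domain of the displayed From: address
    spf_result: str    # receiver's SPF verdict, e.g. "pass" or "fail"
    spf_domain: str    # envelope sender (Return-Path) domain that SPF evaluated
    dkim: list = field(default_factory=list)  # (verdict, d= domain) per signature

def dmarc_eval(msg, policy="none", aspf="r", adkim="r"):
    """Return (DMARC result, handling) for one message under the given policy tags."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, aspf)
    dkim_ok = any(v == "pass" and aligned(d, msg.from_domain, adkim) for v, d in msg.dkim)
    if spf_ok or dkim_ok:
        return "pass", "normal delivery"
    return "fail", ACTIONS[policy]

if __name__ == "__main__":
    # Constructed messages, all claiming From: @yourdomain.com
    esp = "bounces.mailer.example.net"
    samples = {
        "authenticated, not aligned": Message("yourdomain.com", "pass", esp, [("pass", "mailer.example.net")]),
        "SPF aligned (relaxed only)": Message("yourdomain.com", "pass", "bounce.yourdomain.com"),
        "DKIM aligned only": Message("yourdomain.com", "fail", esp, [("pass", "yourdomain.com")]),
    }
    for name, m in samples.items():
        print(name, dmarc_eval(m, "quarantine"), dmarc_eval(m, "quarantine", aspf="s"))
```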

I hope this helps!
