The ‘Quick and Dirty’ Guide to DMARC

Earlier this year, we implemented DMARC records and reporting for In this blog post, we look at what DMARC is, and the benefits it can provide.


DMARC is a free system which helps reduce email spoofing of your domain, using a combination of authentication and verification technologies. In short, it's a way of protecting your brand.

Essentially, DMARC instructs recipients which actions should be taken upon receipt of a spoofed email for your domain. SPF, DKIM, and DMARC work together to do this. There’s a great explanation of what these are, from the UK National Cyber Security Centre (NCSC):

(From 'Making email mean something again' by the NCSC)


As a managed cyber security services provider, we need to ensure isn't spoofed in emails!

One such organisation having great success with DMARC is HMRC. Previously one of the most spoofed and phished brands in the world, HMRC are now using DMARC – stopping around half a billion spoofed emails a year – detailed on their blog post 'Combating phishing – a (very) big milestone'.

Almost every company wants (and needs) to protect their brand – and you don't need to be as big as HMRC to benefit from using DMARC.
After implementing SPF, DKIM, and DMARC, we've seen around 30 spoofed emails a week being scuppered by our DMARC policy.

Then What?

First, you need to implement your SPF and DKIM records – added in your DNS records (and for DKIM, using a key from your mailserver). After these are in place, it's time to move onto formulating your DMARC record (we used the awesome guide from Global Cyber Alliance).

After a period of 'soft fail' DMARC enforcement (enabling information to be gathered on any additional sending sources), it's time to move to 'hard fail'. This involves setting if emails should be quarantined (marked as junk) or blocked (not delivered at all).

Most recipient email providers also provide DMARC compliance reports in XML format – like so:

(images courtesy of Return Path)

These can be sent to a DMARC report aggregator to provide collated reports, provising useful insights over time. There's both free and paid-for report aggregators – we've been using the excellent DMARC reporting tool from Postmark.

For public sector organisations, the NCSC will be providing a free aggregator – MailCheck – which they have also open-sourced on GitHub.


So, in conclusion: why should your organisation use DMARC?

  • It helps protect recipients from phishing attacks
  • It ensures you know who is sending on behalf of you (including without permission!)
  • It helps protect your brand and reputation

Stay up to date with our latest threat briefings

Stay up-to-date on the latest in cyber security with e2e-assure’s threat briefings. Our briefings feature the latest news and trends in cyber security, as well as updates on our services and solutions. By signing up, you’ll be among the first to know about new cyber threats and how to protect your business against them. You’ll also receive exclusive content, such as whitepapers and case studies, that can help you stay informed about best practices for cyber security.

Don’t miss out on this valuable resource – sign up for our threat briefings today and stay one step ahead of cyber threats.