How DMARC Works: The Complete Authentication Flow

Understand how DMARC authenticates email step by step, including how it uses SPF and DKIM results, alignment checks, and policy enforcement.

DMARC can seem complicated, but it follows a logical sequence. When an email arrives claiming to be from your domain, the receiving server runs a series of checks to decide whether to trust it.

Here's exactly what happens, step by step.

The DMARC Authentication Flow

When an email arrives at a receiving mail server, DMARC authentication happens in this order:

  1. The server extracts the domain from the From header
  2. It looks up the DMARC record for that domain
  3. It checks SPF and DKIM results
  4. It evaluates alignment
  5. It applies the policy
  6. It sends a report (if configured)

Let's walk through each step.

Step 1: Extract the From Domain

The receiving server looks at the email's From header to determine whose DMARC policy to check. This is the address recipients see, like:

From: sender@example.com

The domain here is example.com, so that's where the server will look for DMARC instructions.

This is important because it means DMARC protects the visible From address, the one recipients actually see and trust.

Step 2: Look Up the DMARC Record

The server performs a DNS query for the DMARC record at _dmarc.example.com. This is a TXT record containing your policy:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

If no DMARC record exists, the server skips DMARC checks entirely. The email proceeds without DMARC protection.

Step 3: Check SPF and DKIM

Before DMARC can make a decision, SPF and DKIM must run their own checks.

SPF Check

SPF (Sender Policy Framework) verifies that the email came from an authorized server. The receiving server:

  1. Looks at the envelope sender domain (Return-Path)
  2. Queries DNS for that domain's SPF record
  3. Checks if the sending IP is listed as authorized

The result is pass, fail, or one of the intermediate statuses such as softfail or neutral.

You can check your SPF record to see what servers are authorized for your domain.

DKIM Check

DKIM (DomainKeys Identified Mail) verifies the email's integrity and authenticity. The receiving server:

  1. Extracts the DKIM signature from the email headers
  2. Uses the selector and domain in the signature to find the public key in DNS
  3. Verifies the signature using that public key

If the signature validates, DKIM passes. If it's missing, invalid, or can't be verified, DKIM fails.

You can test your DKIM setup to verify your keys are working.

Step 4: Evaluate Alignment

This is where DMARC adds its unique value. It's not enough for SPF or DKIM to pass. The domain that passed must also align with the From domain.

SPF Alignment

For SPF alignment, the envelope sender domain (Return-Path) must match the From header domain.

Example that aligns:

  • From: sender@example.com
  • Return-Path: bounces@example.com
  • Both use example.com, so SPF aligns

Example that doesn't align:

  • From: sender@example.com
  • Return-Path: bounces@emailservice.com
  • Different domains, so SPF doesn't align (even if SPF passes for emailservice.com)

DKIM Alignment

For DKIM alignment, the domain in the DKIM signature (d= tag) must match the From header domain.

Example that aligns:

  • From: sender@example.com
  • DKIM signature: d=example.com
  • Same domain, so DKIM aligns

Example that doesn't align:

  • From: sender@example.com
  • DKIM signature: d=emailservice.com
  • Different domains, so DKIM doesn't align

Relaxed vs Strict

Alignment can be relaxed or strict:

Relaxed (default): Domains must share the same organizational domain. mail.example.com aligns with example.com.

Strict: Domains must match exactly. mail.example.com does NOT align with example.com.

Your DMARC record controls this with aspf= (for SPF) and adkim= (for DKIM). Most domains use relaxed alignment.

DMARC needs one aligned pass

For DMARC to pass, you need either SPF to pass AND align, OR DKIM to pass AND align. You don't need both, just one.

Step 5: Apply the Policy

Based on the authentication results, the receiving server now knows:

  • Did SPF pass? Did it align?
  • Did DKIM pass? Did it align?
  • What's the published DMARC policy?

If either SPF or DKIM passed with alignment, DMARC passes. The email is delivered normally.

If both fail (or pass but don't align), DMARC fails. The server applies the policy:

p=none: Deliver the email anyway. No action taken.

p=quarantine: Mark the email as suspicious. Usually goes to spam.

p=reject: Block the email. It's not delivered at all.

The pct= tag can modify this. If pct=50, only 50% of failing emails get the policy applied. The other 50% are treated as if the policy were p=none.
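To make Steps 2 through 5 concrete, here is an added Python illustration of the receiver's decision logic (it is not code from this page or from any mail server). It assumes SPF and DKIM have already produced their results; the organizational-domain check is a simplification that keeps the last two labels (real receivers consult the Public Suffix List), and the pct handling follows the description above.

```python
import random

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict with the defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None  # no usable DMARC record: the receiver skips DMARC entirely
    tags.setdefault("aspf", "r")    # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain):
    """Organizational domain. Simplification (assumed): keep the last two labels.
    Real receivers use the Public Suffix List, e.g. for example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record_txt, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, sample=None):
    """Steps 2-5: returns (dmarc_result, disposition).
    spf_domain is the Return-Path domain, dkim_domain the d= tag of a
    verified signature (None if absent). sample is the 1-100 draw used
    for pct; None means draw it at random as a receiver would."""
    rec = parse_dmarc(record_txt)
    if rec is None:
        return "none", "deliver"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass", "deliver"
    policy = rec["p"].lower()
    if sample is None:
        sample = random.randint(1, 100)
    if sample > int(rec["pct"]):   # outside the pct share: treated as p=none
        policy = "none"
    return "fail", {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
```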

Step 6: Send a Report

After processing, the receiving server generates report data. If your DMARC record includes a rua= address, the server will send aggregate reports (usually daily) summarizing what it saw.

These reports include:

  • How many emails it received
  • Which IPs sent them
  • SPF and DKIM results
  • What policy was applied

This feedback loop is essential for monitoring your email authentication health. Learn more about DMARC reports.

Example: Complete DMARC Flow

Let's trace through a real example:

Scenario: You send an email from sales@example.com using your company's mail server.

  1. From domain extracted: example.com

  2. DMARC lookup: Server queries _dmarc.example.com, finds:

    v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

  3. SPF check:

    • Return-Path: bounces@example.com
    • Sending IP: 192.0.2.1
    • SPF record for example.com includes 192.0.2.1
    • Result: SPF pass

  4. DKIM check:

    • Signature present with d=example.com
    • Public key found at selector._domainkey.example.com
    • Signature validates
    • Result: DKIM pass

  5. Alignment check:

    • SPF: Return-Path domain (example.com) matches From domain (example.com) → Aligned
    • DKIM: Signature domain (example.com) matches From domain (example.com) → Aligned

  6. DMARC result: Both SPF and DKIM pass with alignment → DMARC pass

  7. Action: Email delivered normally.

  8. Report: Data recorded, will be included in next aggregate report to dmarc@example.com.

What Happens When DMARC Fails

Using the same scenario, but now the email is sent by a spoofer:

  1. From domain extracted: example.com (spoofer is impersonating you)

  2. DMARC lookup: Same record found

  3. SPF check:

    • Return-Path: attacker@malicious.com
    • Sending IP: not in example.com's SPF
    • Result: SPF fail (and no alignment even if it passed)

  4. DKIM check:

    • No valid DKIM signature for example.com
    • Result: DKIM fail

  5. Alignment check: Neither passes, so alignment doesn't matter

  6. DMARC result: DMARC fail

  7. Action: Policy is p=quarantine, so email goes to spam

  8. Report: Failure recorded, you'll see this IP in your reports

This is DMARC working exactly as intended, blocking email that can't prove it's legitimately from your domain.

Key Takeaways

  • DMARC builds on SPF and DKIM; it doesn't replace them
  • Alignment is the key concept: the authenticated domain must match the From domain
  • Only one method needs to pass and align for DMARC to pass
  • Your policy controls what happens to failures
  • Reports tell you what's happening with your email

Understanding this flow helps you diagnose problems. If DMARC is failing, you can trace through each step to find where things break down.

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.