It’s estimated that 3.1 billion spoofing emails are sent each day, which may be one reason why 90% of cyberattacks originate with an email. A spoofed email is one in which cybercriminals trick users into thinking a message came from a person or entity they trust. For organizations without proper DMARC protections, that can mean fraudulent emails reaching customers, partners, and employees while appearing to come directly from their company’s domain.
There are a lot of questions organizations ask when it comes to email spoofing, but one we don’t hear often is, what is DMARC and how does DMARC verification work?
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email security protocol. It verifies email senders by building on multiple protocols such as SPF and DKIM. The goal of DMARC is simple: to protect your email domain from being used in one of those 3.1 billion spoofing emails sent each day.
DMARC Explained: How DMARC Verification Works
DMARC began in 2010, when top companies such as Microsoft, Google, and Yahoo came together to build a protocol to protect against fraudulent emails on the internet. One of the primary goals of DMARC is to provide domain owners with feedback from email providers, helping them identify authentication issues and strengthen their email security. The first publication of DMARC came out in 2012.
Think of DMARC verification like a security guard checking IDs at the entrance to a building. When an email claims to come from your domain, DMARC checks whether the sender can verify its identity using SPF and DKIM. If the credentials match, the email is allowed in. If they don’t, DMARC tells the receiver whether to let the message through, send it to spam, or reject it entirely.
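The decision described above, written out from the receiving server's side in Python (an added example, not code from the original article). It assumes SPF and DKIM have already been evaluated, includes the alignment step (the authenticated domain must match the domain in the From header), and approximates the organizational domain as the last two labels; the function names, `example.com` and `other.test` are hypothetical placeholders.

```python
# Added example: receiver-side DMARC decision. Names and sample data are constructed.

def parse_tags(record):
    """Turn 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_decision(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks.
    Returns (dmarc_result, action); action is deliver, quarantine or reject."""
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return ("no-policy", "deliver")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # Failure: the domain owner's published policy picks the outcome.
    return ("fail", "deliver" if policy == "none" else policy)

# Constructed sample policies for the From domain example.com.
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITOR = "v=DMARC1; p=none"

if __name__ == "__main__":
    # Legitimate mail: DKIM signed by a subdomain of the From domain.
    print(dmarc_decision("example.com", ("fail", "esp.test"), ("pass", "mail.example.com"), REJECT))
    # Spoofed From: SPF passes, but for an unrelated domain, so it is not aligned.
    print(dmarc_decision("example.com", ("pass", "other.test"), ("none", ""), REJECT))
    print(dmarc_decision("example.com", ("pass", "other.test"), ("none", ""), MONITOR))
```

The last two calls are the same message under two policies: with `p=reject` it is refused, with `p=none` it is still delivered and only shows up in reports.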
Google and Yahoo adopted strict DMARC policies in 2015 and 2016, explaining that those who refused to follow the DMARC trend would have their business affected. Then in 2024, Google and Yahoo made DMARC mandatory for bulk email senders.
DMARC authentication allows domain owners to protect their domains from unauthorized access and usage. This is imperative as cyberattacks such as phishing, spoofing, and business email compromise (BEC) become increasingly common.

What is SPF, DKIM, and BIMI?
SPF, DKIM, and BIMI are email authentication protocols designed to protect your domain from being used by malicious threat actors. When you combine these protocols with DMARC verification, they act as a security stack for your email.
SPF Explained
Sender Policy Framework (SPF) is a protocol designed to prevent email spoofing. SPF enables the receiving mail server to verify whether incoming emails come from a sender authorized by that domain’s administrators.
With SPF in place, businesses can protect their domain from cybercriminals using it maliciously, which in turn enhances their email deliverability and overall reputation.
DKIM Explained
DomainKeys Identified Mail (DKIM) is an email authentication method that relies on a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.
Combining DKIM with SPF and DMARC verification enhances email deliverability and supports stronger inbox placement.
BIMI Explained
Brand Indicators for Message Identification (BIMI) is an email specification that lets companies display verified brand logos within supporting email clients. Because SPF, DKIM, and DMARC checks aren’t instantly visible to email recipients, the verified logo makes trust visible and apparent.
Not only does it help in building trust, but it also increases email open rates and helps users distinguish legitimate messages from malicious ones.
While BIMI is optional, DMARC requires you to have at least SPF or DKIM (though having both is recommended). SPF and DKIM act as building blocks, DMARC verification ties them together as a policy enforcement mechanism, and BIMI acts as a visual bonus for the email recipient.

(Example of how BIMI works) – Photo by EmailAuth
Benefits of DMARC for Businesses
DMARC verification is designed to help domain owners avoid phishing and prevent domain spoofing. With major providers like Gmail, Yahoo, and Microsoft requiring DMARC verification, it has become a necessity for organizations.
The benefits DMARC provides include:
- Preventing email spoofing
- Reducing phishing risk
- Improving email deliverability
- Protection of brand reputation
- Providing visibility through reporting
While the benefits of DMARC are clear, many organizations are unaware of whether their DMARC records are properly configured or even enabled at all. Misconfigured email authentication records can leave businesses vulnerable to spoofing attacks, deliverability issues, and gaps in visibility.
That’s why regularly verifying your DMARC records is just as important as implementing them in the first place.
How to Check Your DMARC Verification
According to Proofpoint, 27% of the Forbes Global 2000 have no DMARC record in place at all and 69% are not actively blocking fraudulent emails from reaching their customers. Only around 31% of the companies in this report have implemented the highest level of protection to reject malicious emails from reaching their customers’ inboxes.
While DMARC adoption continues to grow, many organizations still have gaps in their email authentication strategy. To help businesses understand their current email security posture, Kirkham IronTech offers a free Domain Scanner that checks DMARC, SPF, DKIM, and BIMI records for potential configuration issues.
The reality is that many organizations don’t realize there’s a problem until legitimate emails stop reaching inboxes or customers receive fraudulent messages appearing to come from their domain.
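The kind of record check this section describes, as an added Python example (not the scanner mentioned above and not code from the original article). It takes the TXT strings published at `_dmarc.<domain>` as input instead of querying DNS, and the function name and sample records are constructed.

```python
# Added example: audit a published DMARC record. Input strings are constructed samples.

def audit_dmarc(txt_records):
    """txt_records: TXT strings found at _dmarc.<domain>. Returns a list of findings."""
    dmarc = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record: receivers have no policy to apply"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers treat this as no policy"]
    pairs = (part.split("=", 1) for part in dmarc[0].split(";") if "=" in part)
    tags = {key.strip().lower(): value.strip() for key, value in pairs}

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam instead of being rejected")
    if policy in ("quarantine", "reject"):
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy applies to only part of failing mail")
        # Subdomains inherit p= unless sp= overrides it.
        if tags.get("sp", policy).lower() == "none":
            findings.append("sp=none: subdomains are not protected")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua= mailto address: no aggregate reports are received")
    return findings

if __name__ == "__main__":
    samples = {
        "missing": [],
        "monitor only": ["v=DMARC1; p=none"],
        "partial": ["v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@example.com"],
        "enforcing": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    }
    for name, records in samples.items():
        print(name, "->", audit_dmarc(records) or "no findings")
```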
Tom Kirkham brings more than three decades of software design, network administration, and cybersecurity knowledge to organizations around the country. During his career, Tom has received multiple software design awards and founded other acclaimed technology businesses.