DMARC Authentication

Question

DMARC Authentication

Handian Sudianto 6,096

Hello,

I have several question about DMRAC :

Before we enable DMRAC should we enable SPF and DKIM or can enable SPF only?
When DMRAC will make decision if the message will be delivered or not? As i know if SPF checking is failed the message will be rejected and if pass the email will be delivered. So, when DMRAC will do the check?

1 answer

Your answer

Answer 1

Aholic Liang-MSFT 13,886 Microsoft External Staff

Hi @ Handian Sudianto,

It is recommended that you use SPF, DKIM and DMARC records together.

DMARC helps incoming mail systems decide what to do with messages from your domain that fail SPF or DKIM checks. The decision to send or reject an email is made by the receiving mail server after performing the necessary checks.

The order of inspection is as follows:

The receiving mail server checks if the email passes SPF authentication.
If the email passes SPF authentication, the receiving mail server checks if the email passes DKIM authentication.
If the email is SPF and DKIM authenticated, the receiving mail server checks the sender's domain's DMARC policy to decide whether to accept, block, or quarantine the email.

Therefore, if the SPF and DKIM results pass, the DMARC results will pass and accept this mail.

If a message doesn't pass SPF or DKIM authentication and alignment, the receiving mail server can check the sender's DMARC email security policy to decide whether to accept, block, or quarantine the email.

The following is the verification flowchart for your reference:

User's image

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Handian Sudianto 6,096 Reputation points

2023-09-27T08:09:25+00:00

Hello @Aholic Liang-MSFT

"DMARC check is performed only if the email passes both SPF and DKIM authentication"

If SPF dan DKIM result is pass and the sender DMRAC policy set to "reject" the DMRAC result will be pass or reject?
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-09-27T09:00:35.2733333+00:00

Hi @ Handian Sudianto,

Sorry, the answer above is misleading.

I rechecked the process and made the following changes:

DMARC checks is performed after an email has been SPF and DKIM authenticated, not after passing the SPF and DKIM check.

If a message doesn't pass SPF or DKIM authentication and alignment, the receiving mail server can check the sender's DMARC email security policy to decide whether to accept, block, or quarantine the email.

(Additionally, I'll modify the original answer to avoid other users. Thanks for your understanding. ）
Handian Sudianto 6,096 Reputation points

2023-09-29T01:57:53.8533333+00:00

Hi @Aholic Liang-MSFT

What happened if we only have SPF and DMRAC record?

Example the recipient server check my email have failed on SPF checking, without the DMARC the message will be rejected? Am i right?

But if we have DMARC record with policy 'none' the message will be delivered even the SPF failed?
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-10-03T09:51:35.8+00:00

Hi @ Handian Sudianto,

If you only have SPF and no DMARC, the receiving server checks your domain's SPF record and compares it to the sender's IP address. If they don't match, the email won't pass SPF verification. However, the receiving server might still accept e-mail messages, depending on its own policies.

Share via

DMARC Authentication

1 answer

Your answer