---
title: "What is DMARC and Does It Protect Email Recipients From Fraud? | DuoCircle"
description: "Discover how an innovative approach to email security protects against phishing What if there was a way to protect your brand from bad actors using your email."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/dmarc-protect-email-recipients-fraud/"
---

Quick Answer

DMARC (Domain-based Message Authentication, Reporting and Conformance) protects recipients from forged mail by requiring the visible From domain to align with a domain authenticated by SPF or DKIM, and by telling receiving servers what to do when alignment fails. Every email has two From addresses: the Envelope From (used for SPF and bouncing) and the Header From (visible in the inbox). Attackers can forge either. SPF alone validates the envelope sender; DKIM alone validates the message integrity. Neither stops a forged Header From on its own. DMARC ties them together: when DMARC is published, receivers check that the Header From domain matches the SPF Return-Path or the DKIM signing domain. If neither aligns, the receiver applies the policy (none, quarantine, or reject) and sends an aggregate report back to the domain owner. A basic DMARC record looks like: v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com.


![Email Recipients From Fraud](https://media.mailhop.org/duocircle/images/2018/03/smtp-service-3467.jpg) 

#### Discover how an innovative approach to email security protects against phishing

What if there was a way to protect your brand from bad actors using your email address for fraudulent activity?

It’s a well-known fact that cybercriminals impersonate trusted contacts in order to commit fraud. In fact, [70 percent](https://sitetakedown.com/email/shocking-email-fraud-statistics/) of all email fraud is sent from a domain name that doesn’t match the one named in the email header.

This approach relies on the fact that email clients do not automatically check whether individual messages actually come from the domain they claim to come from. However, there is a way to independently verify emails that claim to come from your domain.

This method is called _Domain-based Message Authentication, Reporting and Conformance_, DMARC for short, and it protects your brand against spammers forging email addresses that appear to come from your domain even if they did not originate from your validated outbound SMTP server.

This technology offers numerous benefits to brands, and it isn’t hard to implement. Read on to find out more about DMARC and how you can use it to stop fraudulent email activity conducted in your name.

### **What is DMARC**

DMARC is an important tool for maintaining trust between your brand and its customers and partners. It provides a foundation of trust between your brand and everyone on your email contact list, ensuring that the messages coming from your domain name are secure.

DMARC gives you control over emails that purport to come from your domain. It acts as a filter for messages that claim to come from your domain but that did not actually originate in your mail servers.

This technology lets senders tell email providers which emails really come from them, and further instructs email providers on what to do with messages that fail authentication. It sends reports back to the original sender, letting domain owners know that someone out there is attempting to forge their name for fraudulent activity.

### **Who needs DMARC**

Any organization that operates its own domain name and relies on email to communicate, internally or externally, needs an authentication solution like DMARC. The global volume of email phishing attempts grew by [65 percent in 2017](https://blog.dashlane.com/phishing-statistics/), and it’s not stopping there.

You can no longer trust customers and employees to identify phishing emails by bad grammar, suspicious visuals, and other tell-tale indicators. In fact, a recent Intel study showed that of 19,000 respondents, [80 percent](http://securityaffairs.co/wordpress/36922/cyber-crime/study-phishing-emails-response.html) incorrectly identified at least one fraudulent email.

If your business is under your own domain name, then your entire contact list is at risk. Whether a cybercriminal forges your domain name to obtain sensitive data from customers or impersonates executive leadership to steal financial records from your employees, email headers are the easiest tools to counterfeit.

[![G-Suite follows DMARC](https://media.mailhop.org/duocircle/images/2018/03/spf-record-8176.jpg)](https://media.mailhop.org/duocircle/images/2018/03/spf-record-8176.jpg)

Even if you don’t have an email client set up on your domain, DMARC can help you mitigate the risk of email fraud. Google’s [G-Suite follows DMARC](https://support.google.com/a/answer/2466580?hl=en) protocols and lets users decide how Gmail should treat unauthenticated mail that claims to come from your domain.

Remember that since cybercriminals forge email headers, it doesn’t matter whether you actually send emails from your domain or from a commercial email client like Gmail. In both cases, DMARC sets the record straight by verifying that your messages come from the same server. If your business uses a third-party mail server, you still need to deploy DMARC.

### **How DMARC works**

Email, as a system, has numerous security flaws that have remained largely unaddressed due to the decentralized nature of the Internet. One of the primary flaws is the fact that every email message actually has two **from** addresses:

- The **Envelope from** is embedded in the hidden email message header. Mail servers read this data as a return address.
- The **Header from** is the one you are most familiar with. It is visible to all email users in the **From** field in your email client.

Cybercriminals can forge either one of these addresses to generate fraudulent emails. DMARC combines two email authentication frameworks to generate an elegant, reliable system for verifying the trustworthiness of both addresses. These are briefly described below:

- **The Sender Policy Framework (SPF).** SPF lets domain owners specify the mail servers that they use to send emails from their domains. This lets email providers verify that messages come from the correct server as mentioned in the Envelope from field. However, SPF is not perfect. For instance, simply forwarding an email can break the system if the forwarded message originates from an untrusted server.
- **DomainKeys Identified Mail Protocol (DKIM).** DKIM uses cryptography to ensure that email messages are sent from authentic sources. The cryptographic protocol is quite complex and it has not been widely adopted, which means that DKIM alone cannot reliably verify a sender’s identity. Additionally, DKIM is invisible to non-technical users and does not prevent the forging of Header from fields.

While these two technologies do not provide for reliable email authentication on their own, when combined they provide a powerful framework for aligning domains with _Envelope From_ and _Header From_ addresses. This is where DMARC’s two innovative features, domain alignment and reporting, come into play.

When a DMARC user sends an email, the email provider that receives the message checks whether a DMARC record has been published for the **Header from** domain. If so, it checks whether the **Header from** domain matches the **Envelope from** domain as verified by SPF, and whether the **Header from** domain matches the DKIM-verified domain name. The message passes DMARC when at least one of the two matches.

Using DMARC, domain owners can control what happens to messages that fail these checks. You can have these messages quarantined (sent to the recipient’s spam folder) or rejected (sent directly to the trash). DMARC automatically generates and sends reports to the domain owner for each failed attempt.
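The alignment check described above, as an added example (not DuoCircle's code); it goes slightly beyond the text by also modelling strict versus relaxed alignment. The `Message` fields, the sample domains and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Message:
    header_from: str    # domain in the visible "Header from"
    envelope_from: str  # domain in the "Envelope from" (Return-Path)
    spf_pass: bool      # SPF verdict for envelope_from
    dkim_domain: str    # d= domain of the DKIM signature ("" if unsigned)
    dkim_pass: bool     # whether that signature verified

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (e.g. for example.co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, authenticated: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed alignment only needs
    # the same organizational domain.
    if not authenticated:
        return False
    a = header_from.lower().rstrip(".")
    b = authenticated.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_disposition(msg: Message, policy: str = "quarantine",
                      strict: bool = False) -> str:
    # An authentication result only counts if it passed AND its domain
    # aligns with the Header from domain. One aligned pass is enough.
    spf_ok = msg.spf_pass and aligned(msg.header_from, msg.envelope_from, strict)
    dkim_ok = msg.dkim_pass and aligned(msg.header_from, msg.dkim_domain, strict)
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed sample messages (not real traffic).
SAMPLES = {
    # Sent by the domain owner's own infrastructure.
    "legitimate": Message("example.com", "bounce.example.com", True,
                          "example.com", True),
    # SPF and DKIM both pass, but for a domain unrelated to the Header from.
    "forged_header": Message("example.com", "unrelated.test", True,
                             "unrelated.test", True),
    # Forwarding broke SPF, but the original DKIM signature survived.
    "forwarded": Message("example.com", "example.com", False,
                         "example.com", True),
}

def evaluate_samples(policy: str = "quarantine") -> dict:
    return {name: dmarc_disposition(m, policy) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:14} -> {verdict}")
```

The `forged_header` sample is the case SPF and DKIM miss on their own: both checks pass, yet neither authenticated domain aligns with the visible sender, so the published policy applies.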

This combined solution is so successful that both the [United States](http://money.cnn.com/2017/10/16/technology/dhs-dmarc-mandate-email-security/index.html) and [United Kingdom](https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc) governments are implementing DMARC. [Fortune 500](http://www.eweek.com/security/dmarc-email-security-adoption-grows-in-u.s.-government) businesses in the financial and technology sectors are also increasingly incorporating DMARC.

### **How to implement DMARC**

The easiest way to implement DMARC is through a third-party deployment service. Vendors like [DMARCian.com](https://dmarcian.com/deploy/) provide ideal reporting services for low-volume email users interested in protecting a single domain.

If your business has multiple domains and sends a high volume of emails on a regular basis, you will need to use an enterprise-level authentication service.

If you wish to implement DMARC manually, you need to access the Domain Name System (DNS) settings for your domain and publish a TXT record like the following:

```
v=DMARC1; p=quarantine; pct=100; rua=mailto:yourmail@yourdomain.com
```

This tells email providers that receive your messages:

- DMARC (v=DMARC1) is used
- Messages that fail DMARC are treated as spam (p=quarantine)
- 100 percent of your messages should be treated in this way (pct=100)
- The address that the reports must be sent back to (rua=mailto:yourmail@yourdomain.com)

For this record to work, you must also publish your SPF record and your DKIM record for your outbound SMTP service. You must then ensure that your emails carry a DKIM signature that matches the one in the DKIM record.
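Before publishing, a record like the one above can be checked for common mistakes. The following is an added example, not part of the original article or any DuoCircle tool; the function names and the set of checks are assumptions chosen for illustration, and the sample record is the article's own placeholder.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record: str) -> list:
    """Return a list of human-readable problems; empty means none found."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    # The version tag must come first or receivers ignore the record.
    first = record.split(";")[0].replace(" ", "")
    if first != "v=DMARC1":
        problems.append("record must start with v=DMARC1")

    policy = tags.get("p", "").lower()
    if not policy:
        problems.append("missing p= policy tag")
    elif policy not in VALID_POLICIES:
        problems.append(f"p={policy} is not none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; failing mail is still delivered")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct={pct} must be an integer from 0 to 100")

    # Report targets are URIs, so a bare address is a frequent error.
    if "rua" not in tags:
        problems.append("no rua= tag; no aggregate reports will be sent")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"rua target {uri.strip()!r} is not a mailto: URI")
    return problems

# The article's placeholder record, and a variant with the mailto: dropped.
GOOD = "v=DMARC1; p=quarantine; pct=100; rua=mailto:yourmail@yourdomain.com"
BAD = "v=DMARC1; p=quarantine; pct=100; rua=yourmail@yourdomain.com"

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec, "->", lint_dmarc(rec) or "ok")
```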

[![Phish Protection](https://media.mailhop.org/duocircle/images/2018/03/spf-record-check-7135.jpg)](https://media.mailhop.org/duocircle/images/2018/03/spf-record-check-7135.jpg)

Do you want to learn more about DMARC deployment and implementation? Have DuoCircle walk you through the steps so that your domain remains secure against cybercriminal forgery, and while you are at it, check out our [Phish Protection](/email/phishing-protection/) service.

Brad Slavin 

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

