Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore

Domain-based Message Authentication, Reporting & Conformance (DMARC)

Information resource on DMARC

Last updated 7 February 2025

What is DMARC?

DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance," is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author ("From:") domain name, publishing policies for recipient handling of authentication failures, and reporting from receivers to senders to improve and monitor the protection of the domain from fraudulent email.

Why is DMARC important?

DMARC is a way to make it easier for email senders and receivers to determine whether a given message is legitimately from the sender and what to do if it is not. This makes it easier to identify spam and phishing messages and keep them out of people's inboxes.

DMARC is a proposed standard that allows email senders and receivers to cooperate in sharing information about the email they send to each other. This information helps senders improve the mail authentication infrastructure to authenticate all their mail. It also gives the legitimate owner of an Internet domain a way to request that illegitimate messages such as spam, spoofing or phishing to be put directly in the spam folder or rejected outright.

How does DMARC work?

DMARC policy allows a sender to indicate that their messages are protected by Sender Policy Framework (SPF) and/or DKIM and tells a receiver what to do if neither of those authentication methods passes – such as junk or rejecting the message. DMARC removes the guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report to the sender about messages that pass and/or fail DMARC evaluation.

High-level explanation

  1. Domain Owner publishes a DMARC policy at their respective domain name server.

  2. Receiving email server receives incoming mail from the sending mail server.

  3. Receiving email server performs DKIM/SPF checks according to the domain owner’s DMARC policy.

  4. Receiving email server evaluates the results of DKIM/SPF checks in accordance with the domain owner’s DMARC policy.

    1. Pass: Direct mail to recipient’s inbox.

    2. Fail: Apply DMARC policy action (None, Quarantine, Reject)

      1. None: Direct mail to recipient’s inbox.

      2. Quarantine: Diect mail to recipient’s junk or spam folder.

      3. Reject: Blocks unqualified emails from getting to recipient.

Process 1 to 4 of how DMARC work

Hyperlinks

Adoption statistics

  1. Dmarc.org: DMARC Adoption Statistics

Further information

  1. Dmarc.org: DMARC FAQs

  2. Microsoft: Interoperation between mailing list operators with DMARC to avoid failures

  3. Mimecast: DMARC Analyzer

  4. Dmarcian: DMARC Analyzer

  5. Dmarc.org: How does DMARC work in non-technical terms

  6. Dmarc.org: Why is DMARC Important?