What does DMARC do that SPF does not?

The standard needed to address the shortcomings of the standalone SPF protocol by explicitly telling receivers what to do and by providing authentication reports back to the sender. These reports let the sender take the actions needed to fix legitimate mail flows.

DMARC makes use of SPF as one of its foundations but also adds additional features:

  • DMARC focuses on the From header that is visible to the end user (the Header From).
  • DMARC requires that the domain used by SPF aligns (either an exact match or subdomain) with the domain found in the visible From address of the email.
  • DMARC ignores the nuances of soft fail and hard fail in your SPF configuration, i.e. ~all and -all are both treated as an SPF fail.
  • DMARC provides the reporting functionality to send email authentication results back to the owner of the From domain so they can find out if their domain is being misused. It also helps with troubleshooting your deliverability as the reporting will aid in discovering any misconfiguration with your legitimate email senders.
  • DMARC provides a policy which tells the receivers what to do with an email that fails email authentication. This policy is enforced by the receivers. There is no enforcement when SPF is used without DMARC.
  • Now that DMARC provides the missing pieces, it is being widely adopted and used as an authentication requirement, which comes with the added bonus of improving email deliverability. Another protocol DMARC relies on is DKIM, which serves as a failsafe in cases where SPF breaks.
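To make the alignment, soft-fail and policy points above concrete, here is an added example (not code from the original page or from any DMARC implementation) modelling how a receiver turns SPF and DKIM results into a DMARC verdict. The record text, domains and function names are constructed for illustration; the organizational-domain helper is a deliberate simplification that takes the last two labels (a real receiver consults the Public Suffix List), and the strict alignment mode (aspf=s / adkim=s) shown here goes beyond the relaxed "exact match or subdomain" rule the page describes.

```python
# Added example (not from the original page): a simplified model of how a
# receiver evaluates DMARC on top of SPF and DKIM results. All record text,
# domains and function names below are constructed for illustration.

def organizational_domain(domain: str) -> str:
    """Simplification: take the last two labels as the organizational domain.
    Real receivers use the Public Suffix List (so 'example.co.uk' works);
    that lookup is an assumption this example does not model."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'.
    Missing alignment tags default to relaxed ('r'); a missing p defaults to 'none'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def is_aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain, so a subdomain aligns.
    Strict ('s'): the two domains must match exactly."""
    hf = header_from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


def evaluate_dmarc(record_txt, header_from_domain, mailfrom_domain, spf_result,
                   dkim_domain=None, dkim_result="none") -> dict:
    """Combine SPF and DKIM into a DMARC verdict.

    - Only an SPF 'pass' counts; 'softfail' (~all) and 'fail' (-all) are both
      a DMARC SPF failure, as are 'neutral', 'none' and so on.
    - The passing domain must also align with the visible From domain.
    - DKIM is the failsafe: an aligned DKIM pass rescues the message when SPF fails.
    - On failure the receiver applies the domain owner's p= policy.
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result.lower() == "pass" and is_aligned(
        header_from_domain, mailfrom_domain, tags["aspf"])
    dkim_ok = (dkim_domain is not None and dkim_result.lower() == "pass"
               and is_aligned(header_from_domain, dkim_domain, tags["adkim"]))
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc_pass": passed,
        "action": "none" if passed else tags["p"],
        "report_to": tags.get("rua"),  # where aggregate reports would be sent
    }


# Constructed sample records for example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = "v=DMARC1; p=quarantine; aspf=s"

if __name__ == "__main__":
    # Bounce subdomain passes SPF: relaxed alignment accepts it.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "bounce.example.com", "pass"))
    # ~all softfail is still a DMARC failure; with no DKIM the policy applies.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "bounce.example.com", "softfail"))
    # A third-party sender passes SPF for its own domain but does not align,
    # unless the message also carries an aligned DKIM signature.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "mail.esp-provider.example",
                         "pass", dkim_domain="example.com", dkim_result="pass"))
```

The third case is the one the reporting bullet is about: a legitimate mailing service that passes SPF for its own bounce domain will still show up as a DMARC failure in aggregate reports until it is given an aligned DKIM signature or an aligned MailFrom domain.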