What is DMARC?

FAQS / What is DMARC?

What is DMARC?

When a strict DMARC (Domain-based Message Authentication, Reporting & Conformance) policy is put in place for a given domain name (e.g. dumbledorelaw.com) and an email from that domain is received, it allows the recipient to be confident that the source of the email is authentic.

A strict DMARC policy would mean that fake emails (determined as those that don’t meet the policy standards) never reach the recipient - and can optionally be rerouted to a mailbox of the domain owners choosing, for further analysis. This can be useful for law firms in identifying when their firm may be under a targeted attack from fraudsters.

DMARC does not prevent an “authentic” email being sent by someone who has hacked into a persons email account, so all emails should still be treated with a degree of suspicion.

Furthermore, whilst a DMARC policy can help protect emails sent from the domain name you own, it will not prevent fraudsters from registering similar domain names, and sending emails that may look almost identical to your own.

This is known as Domain Spoofing and it easily circumvents solutions such as DMARC.

For example your email address might be albus@dumbledorelaw.com, but a fraudster registers dumbledurelaw.com and sends emails as albus@dumbledurelaw.com. As the name that appears would be set to “Albus Dumbledore” in both cases, without close inspection you are unlikely to spot the use of the false domain name.

If you want to find out more about DMARC, or consider implementing it within your law firm, the following resources will help:


Provides an overview of the DMARC standard and history about why it was introduced.

GCA Cybersecurity Toolkit

The Global Cyber Alliance (GCA) Cybersecurity Toolkit provides a free DMARC setup guide so you can implement DMARC within your firm at no cost, and is recommended by Action Fraud.


OnDMARC is a self service tool that guides you through setting up DMARC for your firm. At the time of writing it offers a free entry level account for low volume single domain users (sending up to 10,000 emails per year).