To decide what to do with an email, a mail receiver follows these steps (or an equivalent procedure). Steps 2-4 can be performed at the same time, but steps 5 and 6 depend on the results of the steps before them.
The steps are:
- Get the domain name from the email’s From address (as explained before).
- Look up the DMARC policy record for that domain name in the DNS. If a record exists, continue; if not, stop, since DMARC does not apply to this email. See Section 6.6.3 for more details.
- Check the DKIM signatures in the email. An email can carry more than one DKIM signature, so the mail receiver has to remember the value of the “d=” tag from each DKIM signature that it checked.
- Check the SPF validation for the email. The mail receiver has to remember the domain name that it used for the SPF check.
- Check the Identifier Alignment. With the authentication results and the policy record in hand, the mail receiver checks whether the authenticated domain names (the DKIM “d=” values and the SPF domain) align with the From domain name as described in Section 3. If at least one of them aligns, the email passes the DMARC check; otherwise it fails.
- Apply policy. Emails that fail the DMARC check are handled according to the DMARC policy published by the domain owner.
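The following is an added worked example of steps 2-6, not text from the original page. It models the policy record as a dictionary (tags p, adkim, aspf), the DKIM results as (d= value, verified) pairs, and the SPF result as the checked domain plus a pass flag; the organizational-domain lookup uses a tiny hand-made suffix table instead of the real Public Suffix List, which production code must consult.

```python
from typing import List, Optional, Tuple

# Constructed stand-in for the Public Suffix List (assumption, not the real PSL).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def org_domain(name: str) -> str:
    """Organizational domain: the public suffix plus one more label."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return name.lower()  # no known suffix: treat the whole name as organizational


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_check(from_domain: str,
                dkim_results: List[Tuple[str, bool]],
                spf_result: Optional[Tuple[str, bool]],
                policy: dict) -> bool:
    """Step 5: pass if any *verified* identifier aligns with the From domain."""
    adkim = policy.get("adkim", "r")  # alignment modes default to relaxed
    aspf = policy.get("aspf", "r")
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    spf_ok = spf_result is not None and spf_result[1] and aligned(from_domain, spf_result[0], aspf)
    return dkim_ok or spf_ok


def disposition(from_domain: str,
                dkim_results: List[Tuple[str, bool]],
                spf_result: Optional[Tuple[str, bool]],
                policy: Optional[dict]) -> str:
    """Steps 2 and 6: no record means DMARC does not apply; on failure return the p= action."""
    if policy is None:
        return "no-dmarc-record"
    if dmarc_check(from_domain, dkim_results, spf_result, policy):
        return "pass"
    return policy.get("p", "none")  # pct= sampling and temporary errors are out of scope here


if __name__ == "__main__":
    # Constructed inputs: relaxed DKIM alignment from a subdomain signer.
    print(disposition("example.com", [("mail.example.com", True)], None, {"p": "reject"}))
```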
Sometimes the domain owner does not use SPF or DKIM at all, or uses them in a way that is not compatible with DMARC. In that case the mail receiver should not try to guess what the domain owner wants, because the domain owner may not want SPF or DKIM applied to its mail at all. For example, some mail receivers use [Best-Guess-SPF] to pick a domain name for the SPF check, but the result may not be what the domain owner intends.
Also, the DMARC check may sometimes be impossible to complete because of a temporary error, such as a network or DNS problem. In that case the mail receiver cannot tell whether the email passed or failed the DMARC check, so it cannot apply the domain owner’s DMARC policy. It can, however, report the temporary error to the domain owner if the domain owner has asked for such reports.
Finally, the DMARC check may fail to complete because of a permanent error, such as a missing or invalid DNS record. In that case the mail receiver decides what to do with the email according to its own local policy and preferences: it may reject it, accept it, or take some other action.