DMARC (Domain-based Message Authentication, Reporting and Conformance) offers protection against phishing attacks, but what about data protection?

This often happens: emails suddenly arrive in your inbox that claim to come from banks, large mail-order retailers or logistics companies, look genuine, and ask for your personal data under some pretext. You are the victim of a phishing attack, and you are not alone: in 2017, the anti-phishing system on the computers of Kaspersky Lab users was triggered 246,231,645 times, an increase of almost 60% compared to the previous year. Such a phishing attack damages not only the recipient who hands over personal data too carelessly, but also, and above all, the reputation and therefore the deliverability of the impersonated brand. With DMARC, you can effectively protect yourself against abuse of your own brand. But are you allowed to do it?

DMARC is a specification that allows companies to prevent spoofing of their sender address. It complements two long-established technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and fills a gap on the path from sender to recipient. SPF checks that the server sending an e-mail is authorized to send for that domain; DKIM verifies that the e-mail has not been tampered with on the way to the recipient and that it comes from the claimed source. Together they form an e-mail authentication service. DMARC then determines what happens on the recipient side to e-mails that do not meet the SPF or DKIM checks.

DMARC is for everyone who sends and receives e-mails. On the sender side, the domain owner must publish the DMARC policy in DNS, while the technical sender, for example the e-mail service provider, should have implemented the DomainKeys Identified Mail (DKIM) standard. On the recipient side, it is the Internet Service Provider (ISP) that must evaluate the DMARC policy and, in accordance with what it specifies, simply prevent delivery. It is therefore the sender who determines which IP addresses and which signatures identify legitimate e-mails.

DMARC is not a new technology. Companies have been able to work with the DMARC specification since 2012. However, its adoption is still far from universal, and there is a reason for this. Even while the specification was being developed, it was not clear to what extent DMARC involves personal data that falls under current data protection legislation. And even with the entry into force of the new General Data Protection Regulation (GDPR) in May this year, this uncertainty remains. So do we run the risk of illegally processing personal data when using DMARC?

In principle, DMARC works as follows: the sender or the domain owner first defines the SPF records and the public key for DKIM for all the sending domains to be covered. For incoming messages, the Internet service provider (ISP) checks whether the sender's IP address matches an IP address specified in the SPF record for this domain. The DKIM check verifies that the cryptographic signature of the received e-mail matches the public key. With DMARC, the domain owner can decide how to proceed with e-mails that have not, or only partially, "passed" the SPF and DKIM checks. In addition, the domain owner publishes a feedback e-mail address in the DNS (Domain Name System), to which recipients that participate in DMARC can send information about DMARC policy domains and the authentication results of e-mails. This is done through reports. A distinction is made between Aggregated Reports and Failure Reports. Depending on the type of report, they transmit, among other things:

  • IP addresses that sent emails for the DMARC policy domain;
  • The outgoing email address;
  • The recipient’s email address;
  • The subject of the email;
  • The text of the email.
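The following Python sketch is an added example, not code from the article or from CSA. It parses a DMARC record as published in DNS and shows which handling the domain owner requests and where each report type is sent. The record, the domain example.com and the mailbox names are constructed placeholders; the tag names (`p`, `rua`, `ruf`, `fo`) are those of the DMARC specification (RFC 7489).

```python
# Constructed record for a placeholder domain; not taken from the article.
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com; "
          "ruf=mailto:dmarc-fail@example.com!10m; fo=1")

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs; 'v=DMARC1' must come first."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record")
    return dict(pairs)

def report_addresses(value):
    """Extract mailbox addresses from a rua/ruf list, dropping any '!size' limit."""
    found = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            found.append(uri[len("mailto:"):].split("!", 1)[0])
    return found

def summarize(txt):
    """Return the requested handling and where each report type is sent."""
    tags = parse_dmarc(txt)
    failure_to = report_addresses(tags.get("ruf", ""))
    return {
        "policy": tags.get("p"),  # none / quarantine / reject
        "aggregate_to": report_addresses(tags.get("rua", "")),
        "failure_to": failure_to,
        # Failure reports are the ones that can carry recipient, subject and text.
        "message_level_data_requested": bool(failure_to),
    }

if __name__ == "__main__":
    print(summarize(RECORD))
```

A record without a `ruf` tag requests aggregated reports only, which keeps message-level data (recipient address, subject, text) out of the feedback channel.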

This could pose problems from a data protection point of view. According to Article 4 No. 1 of the GDPR, personal data is considered to be “all information relating to an identified or identifiable person”. This is true both for static and dynamic IP addresses, and for domains. In addition, the GDPR states that the processing of personal data is only permitted if it is authorized by law or other legislation and/or the data subject consents.

If we accept other legal aspects, such as telecommunications law, the GDPR provides, in Article 6, paragraph 1, sentence 1, a justification for the collection and use of personal data. It is therefore permitted to transmit or use the data to the extent that this is necessary to protect the legitimate interests of the responsible body, provided that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail.

In a report on DMARC compatibility with the GDPR, the e-mail competence group of the German Internet Economy Association eco e.V. also concludes that DMARC reports are generally authorized and justified, but only if the principle of proportionality is respected. The mail experts are therefore of the opinion that the use of DMARC is compatible with the GDPR, with limitations. However, personal data should be made anonymous or deleted as far as possible in the Aggregated Reports and Failure Reports.
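One way a report generator could apply this data-minimisation advice to the message attached to a failure report, shown as an added Python example rather than the method prescribed by the eco report. It assumes that the sending IP and the spoofed From header are kept because the domain owner needs them to identify the abuse, while the recipient is replaced by a keyed pseudonym and the subject and text are removed. The sample message, key and host names are constructed.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

# Headers kept for the domain owner (an assumption of this example).
KEEP = ("Received", "Authentication-Results", "From", "Date", "Message-ID")

# Constructed sample of a message that failed DMARC; not real data.
SAMPLE = """\
Received: from host.sender.example (203.0.113.7) by mx.receiver.example; Tue, 1 May 2018 10:00:00 +0000
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=brand.example; dkim=none; dmarc=fail header.from=brand.example
From: "Brand Support" <support@brand.example>
To: Jane Doe <jane.doe@customer.example>
Subject: Your account 4711 is locked
Date: Tue, 1 May 2018 10:00:00 +0000
Message-ID: <abc123@host.sender.example>

Dear Jane, please confirm your details.
"""

def pseudonym(address, key):
    """Replace the local part with a keyed hash; the same address gives the same token."""
    local, _, domain = address.rpartition("@")
    token = hmac.new(key, local.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{token}@{domain}"

def minimise(raw, key):
    """Return a headers-only copy: no text, no subject, no recipient name or local part."""
    msg = message_from_string(raw)
    out = []
    for name in KEEP:
        for value in msg.get_all(name, []):
            out.append(f"{name}: {value}")
    rcpts = [pseudonym(addr, key)
             for _, addr in getaddresses(msg.get_all("To", [])) if addr]
    if rcpts:
        out.append("To: " + ", ".join(rcpts))
    if msg["Subject"] is not None:
        out.append("Subject: [redacted]")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(minimise(SAMPLE, b"constructed-redaction-key"))
```

The key stays with the report generator, so the domain owner can still count how many distinct recipients were targeted without learning who they are.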

Conclusion: DMARC can reliably protect senders from phishing attacks and loss of reputation. However, in particular with regard to the new European data protection regulation, it is important to examine certain aspects of its implementation. The Certified Senders Alliance (CSA), a joint project of eco e.V. and the German dialogue marketing association DDV to improve the quality of e-mails, will be your competent and expert partner in this complex matter. CSA helps you with DMARC and GDPR through debates with international experts and users and through technical workshops.


Certified Senders Alliance (CSA) is a project founded in 2004 at the initiative of eco, the German digital economy association, and DDV, the German dialogue marketing association. The cooperation of these two associations guarantees the support of both the digital economy sector and canvassers. The goal of CSA, a neutral organization, is to improve the quality of e-mail as a medium. CSA has therefore set itself the task of establishing technical and legal quality standards, of updating them continuously in accordance with market requirements, and of applying these standards within the framework of a certification.