DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It lets domain owners publish a policy telling receiving servers whether to accept, quarantine, or reject emails that fail authentication. DMARC also requires alignment — the domain in SPF or DKIM must match the visible From: address — and provides XML reports on authentication results.
What Is DMARC? (Domain-based Message Authentication Explained)
DMARC in 30 Seconds
DMARC is the policy layer on top of SPF and DKIM. Without DMARC, receiving servers see SPF and DKIM results but decide on their own what to do with failures. DMARC lets you — the domain owner — make that decision: monitor, quarantine, or reject.
It also closes the spoofing gap by requiring alignment between authentication results and the From: address.
How DMARC Works
- You publish a DMARC policy in DNS at _dmarc.example.com
- Someone sends email using your From: domain
- The receiving server checks SPF and DKIM
- It checks whether either result aligns with the From: domain
- If alignment fails, it applies your DMARC policy (none/quarantine/reject)
- It sends aggregate reports to the address in your rua= tag
DMARC Record Syntax
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s
- v=DMARC1 — required version
- p= — policy (none, quarantine, reject)
- rua= — where to send aggregate reports
- pct= — percentage of failing mail to apply policy to
- adkim= — DKIM alignment mode (s=strict, r=relaxed)
- aspf= — SPF alignment mode (s=strict, r=relaxed)
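The record tags and alignment modes above, worked through in Python as an added example (not code from the original page). The function names, sample domains and report address are constructed, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
# Added example: evaluate one message's SPF/DKIM results against a DMARC record.

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; p= is required on a policy record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return {"p": tags["p"], "rua": tags.get("rua"),
            "adkim": tags.get("adkim", "r"),   # default: relaxed
            "aspf": tags.get("aspf", "r"),     # default: relaxed
            "pct": int(tags.get("pct", "100"))}

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(policy, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return "pass", or the policy to apply ("none"/"quarantine"/"reject").
    pct= sampling is parsed but not applied here."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

# Constructed sample records (the report address is a placeholder).
STRICT = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                     "pct=100; adkim=s; aspf=s")
RELAXED = parse_dmarc("v=DMARC1; p=quarantine")

if __name__ == "__main__":
    # SPF passes, but for a Return-Path domain that is not the From: domain.
    print(evaluate(STRICT, "example.com", True, "unrelated.test", False, ""))
    # Third-party sender signing with a subdomain: fails strict, passes relaxed.
    print(evaluate(STRICT, "example.com", True, "bounce.esp.test", True, "mail.example.com"))
    print(evaluate(RELAXED, "example.com", True, "bounce.esp.test", True, "mail.example.com"))
```

The second and third calls differ only in alignment mode, which is the case to check in reports before publishing adkim=s or aspf=s.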
The Three Policy Levels
| Policy | Effect | When to Use |
|---|---|---|
| p=none | Monitor only, no enforcement | Starting out, identifying all senders |
| p=quarantine | Send failures to spam | After confirming all legitimate senders pass |
| p=reject | Block failures entirely | Full protection against spoofing |
Read the complete DMARC policy levels guide for advancement strategy.
Why DMARC Matters Now
Gmail and Yahoo's bulk sender requirements mandate DMARC for anyone sending over 5,000 emails/day. Without it, your email will be throttled or rejected. DMARC is no longer optional — it's table stakes.
Practitioner note: The most dangerous moment in DMARC deployment is moving from p=none to p=quarantine. That's when you discover the invoice system, the helpdesk, the CRM, and the newsletter tool that nobody told you about — all sending email from your domain without proper authentication.
Practitioner note: Don't skip the reporting phase. I've seen companies jump to p=reject and block their own transactional emails. Spend at least 2-4 weeks on p=none reading DMARC reports before advancing.
For step-by-step setup, read the DMARC setup guide. If DMARC is failing, see the DMARC authentication troubleshooting guide.
Need help advancing to p=reject without breaking legitimate email? Schedule a consultation — I'll analyze your DMARC reports and build a safe advancement plan.
Sources
- RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Google: DMARC requirements for bulk senders
- Yahoo: Sender Requirements and Best Practices
- Dmarcian: DMARC Overview
- Valimail: DMARC Adoption Statistics
v1.0 · April 2026
Frequently Asked Questions
What does DMARC do?
DMARC does three things: (1) requires that SPF or DKIM results align with the From: domain, (2) tells receivers what to do when alignment fails (none/quarantine/reject), and (3) sends XML reports back to the domain owner showing who's sending email using their domain.
What are the three DMARC policies?
p=none monitors without affecting delivery (reporting only). p=quarantine sends failing emails to spam. p=reject blocks failing emails entirely. Start with none, analyze reports, fix legitimate senders, then advance to quarantine and finally reject.
What is DMARC alignment?
Alignment means the domain authenticated by SPF or DKIM must match the From: header domain. SPF alignment compares the Return-Path domain with the From: domain. DKIM alignment compares the d= signing domain with the From: domain. At least one of the two must align for DMARC to pass.
Do I need DMARC if I have SPF and DKIM?
Yes. Without DMARC, SPF and DKIM results exist but there's no policy telling receivers what to do with failures. Attackers can spoof your From: address even if SPF/DKIM exist. DMARC is also required by Gmail and Yahoo's bulk sender requirements.
How do I set up DMARC?
Add a TXT record at _dmarc.example.com with your policy. Start with: v=DMARC1; p=none; rua=mailto:[email protected]. This enables reporting without affecting delivery. Analyze reports for 2-4 weeks before advancing to quarantine.