DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy published as a DNS TXT record that does two things: 1) tells receiving servers what to do when email fails SPF and DKIM authentication (none = monitor, quarantine = spam, reject = block), and 2) sends you reports showing who is sending email as your domain. Gmail, Yahoo, and Microsoft require DMARC from bulk senders. At minimum, publish v=DMARC1; p=none; rua=mailto:[email protected], then advance to p=reject over 6-12 weeks.
What Is DMARC? Complete Guide for 2026
How DMARC Works
1. Receiving server gets email claiming to be from yourdomain.com
2. Server checks SPF → pass or fail?
3. Server checks DKIM → pass or fail?
4. Server checks DMARC alignment:
- Does SPF domain align with From: domain? (SPF alignment)
- Does DKIM domain align with From: domain? (DKIM alignment)
5. If EITHER aligns and passes → DMARC PASS
6. If NEITHER passes with alignment → DMARC FAIL
7. On failure, server follows your DMARC policy:
- p=none → deliver anyway (but report)
- p=quarantine → send to spam
- p=reject → reject entirely
DMARC Record Format
_dmarc.yourdomain.com TXT v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
| Tag | Meaning | Values |
|---|---|---|
| v=DMARC1 | Version (required, always first) | Always DMARC1 |
| p= | Policy for failures | none, quarantine, reject |
| rua= | Where to send aggregate reports | Email address (mailto:) |
| ruf= | Where to send forensic reports | Email address (rarely used) |
| pct= | Percentage of failures to apply policy to | 1-100 (default: 100) |
| sp= | Subdomain policy | none, quarantine, reject |
| adkim= | DKIM alignment mode | r (relaxed) or s (strict) |
| aspf= | SPF alignment mode | r (relaxed) or s (strict) |
The DMARC Advancement Path
Week 1-4: Monitoring
v=DMARC1; p=none; rua=mailto:[email protected]
Collect reports. Identify all legitimate senders. Fix authentication gaps.
Week 5-6: Gradual quarantine
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
25% of failures go to spam. Monitor for legitimate email being quarantined.
Week 7-8: Full quarantine
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]
All failures go to spam.
Week 9+: Reject
v=DMARC1; p=reject; rua=mailto:[email protected]
All failures are rejected. Maximum protection.
Full advancement guide: DMARC setup step-by-step.
DMARC Alignment
DMARC doesn't just check if SPF/DKIM pass — it checks if they align with your From: domain.
SPF alignment: The Return-Path domain (envelope sender) must match the From: domain.
DKIM alignment: The d= domain in the DKIM signature must match the From: domain.
Relaxed alignment (default): Organizational domain match. mail.yourdomain.com aligns with yourdomain.com. ✓
Strict alignment: Exact domain match only. mail.yourdomain.com does NOT align with yourdomain.com. ✗
Most configurations use relaxed alignment, which is sufficient.
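The evaluation steps under "How DMARC Works" and the alignment rules above, worked through in code. This is an added example, not part of the original page: the function names, the sample messages and the three-entry suffix set (standing in for the Public Suffix List) are assumptions, and pct sampling is left out.

```python
# ASSUMPTION: a tiny constructed suffix set stands in for the Public Suffix List,
# which a real receiver uses to find organizational domains.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' compares organizational domains; 's' requires an exact match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim, policy="none", aspf="r", adkim="r"):
    """spf and dkim are (result, domain) pairs. Returns (dmarc_result, action)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Failure: the action follows the published policy.
    return "fail", {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy]

# Constructed messages, all with From: yourdomain.com
CASES = {
    "own server": (("pass", "mail.yourdomain.com"), ("pass", "yourdomain.com")),
    # A third-party sender that authenticates only as itself: both checks pass,
    # neither aligns, so DMARC fails. This is how p=reject blocks your own mail.
    "unaligned vendor": (("pass", "vendor.example.org"), ("pass", "vendor.example.org")),
    # SPF broke in transit but the aligned DKIM signature survived.
    "forwarded": (("fail", "yourdomain.com"), ("pass", "yourdomain.com")),
}

if __name__ == "__main__":
    for name, (spf, dkim) in CASES.items():
        print(name, evaluate("yourdomain.com", spf, dkim, policy="reject"))
```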
DMARC Reports
Aggregate Reports (RUA)
Daily XML summaries from receiving servers. Show:
- Every IP sending as your domain
- Volume per IP
- SPF result per IP
- DKIM result per IP
- DMARC pass/fail per IP
Don't read raw XML. Use a parser:
- dmarcian (free tier): Best visualization
- Postmark DMARC (free): Weekly email digest
- EasyDMARC (free tier): Good for beginners
Full report interpretation: How to read DMARC reports.
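What those tools do with each report, reduced to its core: the sketch below totals messages per source IP and flags the IPs that failed DMARC. It is an added example, not from the original page; the sample report is constructed (documentation IP ranges, a made-up receiver name) and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; real reports carry more fields per record.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text: str) -> dict:
    """Per source IP: total messages and how many passed or failed DMARC."""
    # Reports arrive from outside parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    summary = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        entry = summary.setdefault(ip, {"count": 0, "pass": 0, "fail": 0})
        entry["count"] += count
        entry["pass" if "pass" in (spf, dkim) else "fail"] += count
    return summary

def failing_sources(xml_text: str) -> list:
    """IPs with at least one DMARC failure: the senders to check before advancing."""
    return sorted(ip for ip, e in summarize(xml_text).items() if e["fail"])

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_REPORT).items():
        print(ip, entry)
```

Each failing IP is either a legitimate service that still needs aligned SPF or DKIM, or someone spoofing the domain; telling the two apart is the work of the monitoring weeks.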
Forensic Reports (RUF)
Individual failure details. In practice: very few providers send them. Gmail doesn't. Focus on aggregate reports.
Why DMARC Matters Beyond Compliance
Anti-spoofing: Without DMARC at p=reject, anyone can send email pretending to be your domain. Phishing attacks using your domain erode customer trust.
Deliverability signal: A published DMARC record (even p=none) signals to ISPs that you care about authentication. It's a trust indicator.
Visibility: DMARC reports are the only way to see every service sending email as your domain. You'll discover services you forgot about.
BIMI prerequisite: BIMI (brand logo in inbox) requires DMARC at p=quarantine or p=reject.
Practitioner note: DMARC at p=none is required. DMARC at p=reject is the goal. The difference: p=none says "I'm watching." p=reject says "I control my domain." The advancement from none to reject takes 6-12 weeks of careful report analysis, but it's the single most impactful anti-spoofing measure available.
Practitioner note: The biggest DMARC mistake: rushing to p=reject without reading reports. I've seen companies reject their own invoicing system's email because nobody checked the DMARC reports. At p=none, those emails would have delivered fine while appearing in reports for you to fix. Read the reports before advancing.
For the complete authentication stack: SPF + DKIM + DMARC guide. For step-by-step setup: DMARC setup guide.
v1.0 · March 2026
Frequently Asked Questions
What does DMARC do?
Two things: 1) Policy enforcement — tells receiving servers to quarantine or reject email that fails authentication (preventing spoofing), 2) Reporting — sends you daily reports showing every IP and service that sent email as your domain, with authentication results.
Is DMARC required?
Yes. Gmail and Yahoo have required DMARC (at minimum p=none) for bulk senders since 2024. Microsoft has required it since May 2025. Even at low volume, DMARC protects your domain from spoofing and improves deliverability.
What are the DMARC policy levels?
p=none: monitor only, take no action on failures (start here). p=quarantine: send failures to spam. p=reject: reject failures entirely — they never arrive. Start at none, advance to reject over 6-12 weeks after verifying all legitimate senders pass.
Do I need both SPF and DKIM for DMARC?
DMARC passes when EITHER SPF or DKIM passes with alignment. Best practice: configure both so you have redundancy. DKIM is more reliable through forwarding. SPF is simpler to configure. Both together = strongest authentication.
What are DMARC aggregate reports?
Daily XML reports from receiving servers showing: every IP that sent email as your domain, the volume, SPF pass/fail, DKIM pass/fail, and alignment status. Parse with dmarcian (free tier) or Postmark DMARC (free weekly digest). Essential for identifying unauthorized senders and verifying your configuration.