What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy framework that tells email providers what to do when they receive an email claiming to be from your domain. DMARC works with SPF and DKIM to verify authenticity and gives you reports on who's sending email with your domain. It's your strongest defense against domain spoofing and impersonation.
Why DMARC Matters
DMARC closes gaps that SPF and DKIM leave open:
- Prevents spoofing: Attackers can't impersonate your domain, even if they know your SPF/DKIM setup
- Controls email outcomes: You decide if unauthenticated emails should be rejected, quarantined, or delivered
- Provides reporting: You get feedback on legitimate mail servers and any unauthorized sending
- Builds brand trust: Domains with DMARC policies have higher email deliverability
- Complies with standards: Major email providers (Gmail, Yahoo, etc.) prefer or require DMARC for high-volume senders
How DMARC Works
1. You publish a DMARC record in your domain's DNS
2. The DMARC record specifies a policy (none, quarantine, or reject)
3. When an email arrives claiming to be from your domain, the receiving server checks:
- Does it pass SPF or DKIM?
- Does the domain in those checks align with your "From" domain?
4. If alignment fails, the receiving server follows your DMARC policy
5. The server sends you daily reports on authentication results
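The alignment check in step 3 is where spoofed mail fails and where sp= takes over for subdomains. The following receiver-side decision logic is an added example, not code from the original article; it assumes the SPF and DKIM outcomes are already known and approximates the organizational domain by the last two DNS labels.

```python
# Added example, not from the original article: the receiver-side decision
# from "How DMARC Works" and "DMARC and Subdomains", simplified. Assumptions:
# the organizational domain is approximated by the last two DNS labels (real
# receivers use the Public Suffix List) and the SPF/DKIM outcomes are inputs.


def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) accepts any domain with the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record, policy_domain, from_domain, spf_domain=None,
                      spf_pass=False, dkim_domain=None, dkim_pass=False):
    """Return 'pass' when an aligned SPF or DKIM result exists, otherwise the
    policy the receiver applies ('none', 'quarantine' or 'reject').
    record:        parsed DMARC tags, e.g. {"v": "DMARC1", "p": "reject"}
    policy_domain: domain whose _dmarc record this is
    from_domain:   domain in the message's From header
    spf_domain:    domain SPF evaluated (MAIL FROM); spf_pass is its result
    dkim_domain:   DKIM signing domain (d=); dkim_pass is its result"""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Alignment failed: sp= covers subdomains of the publishing domain when
    # present; otherwise p= applies to everything.
    is_subdomain = from_domain.lower() != policy_domain.lower()
    policy = record["sp"] if is_subdomain and "sp" in record else record.get("p", "none")
    return policy if policy in ("none", "quarantine", "reject") else "none"


if __name__ == "__main__":
    rec = {"v": "DMARC1", "p": "reject", "sp": "none"}   # the article's subdomain example
    # Mail whose SPF passes for an unrelated domain does not align, so p= applies.
    print(dmarc_disposition(rec, "yourdomain.com", "yourdomain.com",
                            spf_domain="unrelated.example", spf_pass=True))  # reject
```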
Understanding DMARC Policies
DMARC has three enforcement levels; start at the weakest and strengthen over time:
p=none — Monitoring only. Email is delivered regardless of authentication results, but you receive reports. Use this to test your SPF/DKIM setup before enforcing.
p=quarantine — Unauthenticated emails go to spam. Legitimate mail should pass authentication; use this once you're confident your SPF/DKIM are complete.
p=reject — Unauthenticated emails are rejected outright. Only use this after verifying all legitimate senders pass SPF/DKIM.
Setting Up DMARC
Step 1: Ensure SPF and DKIM Are Working
DMARC only works if SPF and/or DKIM pass. Before deploying DMARC:
- Add an SPF record and test it (see "SPF Records Explained")
- Add a DKIM record and enable it (see "DKIM Explained and How to Enable It")
- Verify both are working with test emails
Step 2: Create Your DMARC Record
A basic DMARC record looks like:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Breaking this down:
- v=DMARC1 — Version identifier (always required, must be first)
- p=none — Policy: monitor without enforcing (start here)
- rua=mailto:dmarc-reports@yourdomain.com — Email address for aggregate reports
Common additions:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com; fo=1
- ruf=mailto:forensics@yourdomain.com — Email for failure forensics (detailed reports on rejected emails)
- fo=1 — Generate forensic reports only when a message fails all authentication (SPF and DKIM)
- sp=reject — Subdomain policy (apply a different policy to mail from subdomains; optional)
Step 3: Add the DMARC Record to DNS
- Log in to your DNS provider
- Navigate to DNS Records or Zone Management
- Create a new TXT record
- Enter the hostname as _dmarc (or _dmarc.yourdomain.com, depending on your DNS UI)
- Paste your DMARC record as the value
- Save the record
Example DNS entry:
| Type | Name | Value |
|------|------|-------|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com |
Step 4: Verify Your DMARC Record
After DNS propagation, verify the record is live:
nslookup -type=TXT _dmarc.yourdomain.com
Or use an online DMARC checker tool.
Step 5: Monitor Reports
Over the next few days to weeks, you'll receive aggregate reports (XML attachments) showing email authentication results from across the internet. These reveal:
- Which legitimate servers are sending email with your domain
- Whether they pass SPF/DKIM
- Any unauthorized sending attempts
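Aggregate reports are XML, so a small parser turns them into the per-sender view described above. The following is an added example, not code from the original article; the report inside it is a constructed sample in the RFC 7489 aggregate-report layout, and the code assumes the XML has already been extracted from the gzip or zip attachment.

```python
# Added example, not from the original article: summarising one aggregate
# (rua) report from "Step 5: Monitor Reports". SAMPLE_REPORT is a constructed
# sample in the RFC 7489 aggregate-report layout; real reports arrive as gzip
# or zip attachments and must be extracted before parsing.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_aggregate_report(xml_text):
    """Return the published policy plus one entry per sending source with its
    message count and the aligned SPF/DKIM results the receiver recorded."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        sources.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "dkim": dkim, "spf": spf,
            # policy_evaluated holds aligned results: DMARC passes if either is "pass"
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"), "sources": sources}


def failing_sources(summary):
    """IPs that failed DMARC: identify each before moving past p=none, since it
    is either a legitimate sender still to be authenticated or unauthorized use."""
    return [s["ip"] for s in summary["sources"] if not s["dmarc_pass"]]
```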
Step 6: Strengthen Your Policy (Optional)
Once you've reviewed reports and confirmed all legitimate senders pass authentication:
- Change p=none to p=quarantine
- Test for a week; monitor for delivery issues
- If confident, upgrade to p=reject
Never jump straight to p=reject without testing first—you might accidentally block legitimate mail.
DMARC Best Practices
- Start with p=none: Use monitoring to understand your email landscape before enforcing
- Create report addresses: Use dedicated email addresses (dmarc@, forensics@) to keep reports organized
- Monitor regularly: Check reports weekly to catch unauthorized sending early
- Align your domain: Ensure the "From" address domain matches your SPF/DKIM domain
- Be gradual: Move from none → quarantine → reject over weeks or months
- Handle subdomains: Use sp= if subdomains have different senders than your primary domain
Common DMARC Issues
Reports aren't arriving — The report email address must be reachable and accepting mail. Check that the address exists and isn't blocked.
Legitimate email is quarantined — A legitimate sender doesn't pass SPF or DKIM alignment. Contact the sender to ask about authentication setup, or adjust your DMARC policy back to p=none until they fix it.
DMARC policy has no effect — Email providers prioritize the most recent DMARC record. Ensure your DNS change propagated globally and that you're not publishing multiple conflicting DMARC records.
"Invalid DMARC record" — Double-check the syntax: v=DMARC1 must come first, tags must be separated by semicolons, and email addresses must be in mailto: format.
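The syntax rules listed here, and the tags introduced in Step 2, can be checked before the record ever reaches DNS. The following validator is an added example, not code from the original article; it checks syntax only and does not query DNS.

```python
# Added example, not from the original article: a syntax check for the record
# built in "Step 2" that reports the problems behind an "Invalid DMARC record"
# error (v=DMARC1 first, semicolon-separated tags, mailto: report addresses,
# known p=/sp= values). It checks syntax only; it does not query DNS.
import re

POLICY_VALUES = ("none", "quarantine", "reject")
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def parse_dmarc_record(txt):
    """Split a DMARC TXT value into {tag: value} and a list of problems
    (empty when the record is syntactically valid)."""
    tags, order, problems = {}, [], []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue                      # tolerate a trailing semicolon
        if "=" not in part:
            problems.append(f"tag without '=': {part!r}")
            order.append(None)
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            problems.append(f"duplicate tag {key}=")
        tags[key] = value
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    for key in ("p", "sp"):
        if key in tags and tags[key].lower() not in POLICY_VALUES:
            problems.append(f"{key}= must be one of {POLICY_VALUES}, got {tags[key]!r}")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not MAILTO.fullmatch(uri):
                problems.append(f"{key}= entries must be mailto: URIs, got {uri!r}")
    return tags, problems


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com",
                   "p=reject; v=DMARC1; rua=dmarc@yourdomain.com"):
        tags, problems = parse_dmarc_record(record)
        print(record, "->", "OK" if not problems else problems)
```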
DMARC and Subdomains
By default, DMARC applies to subdomains. You can override this:
v=DMARC1; p=reject; sp=none
This rejects unauthenticated mail for yourdomain.com but only monitors mail.yourdomain.com. Use this if subdomains have different senders.
Next Steps
Once DMARC is in place with a strong policy (p=reject), your domain is protected from spoofing. Continue monitoring reports to catch any new legitimate senders that need to pass authentication. Pair DMARC with BIMI (Brand Indicators for Message Identification) to display your logo in email clients as an additional trust signal.