What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the email authentication standard that ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication.
Without DMARC, even if SPF and DKIM are configured, there is no policy — receiving servers may still deliver failing emails. DMARC adds the policy layer and the reporting layer.
How DMARC works
You publish a DMARC record in your domain's DNS:
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"
When a receiving server processes an email from your domain:
- It checks SPF — did the email come from an authorised server?
- It checks DKIM — is the email's signature valid?
- It checks DMARC alignment — do the authenticated domains match the From: header?
- Based on your DMARC policy, it decides what to do.
DMARC policies
| Policy | What it does |
|---|---|
| p=none | Monitoring mode — no action taken, reports are sent. Use this to start collecting data without affecting email delivery. |
| p=quarantine | Failing emails go to spam. Use once you've identified and fixed your legitimate senders. |
| p=reject | Failing emails are blocked outright. Use when you're confident all legitimate email is passing. |
The right path: Start at p=none, use DMARC+ reports to find and fix all failing legitimate senders, then advance to p=quarantine, then p=reject.
DMARC alignment
DMARC doesn't just require SPF and DKIM to pass — it requires them to align with the From: header domain. This is what closes the spoofing loophole.
- SPF alignment — the Return-Path domain must match the From: domain
- DKIM alignment — the d= value in the DKIM signature must match the From: domain
An email passes DMARC if at least one of SPF or DKIM passes AND aligns.
DMARC reporting
DMARC generates two types of reports sent to the email addresses you specify in the record:
Aggregate reports (rua) — XML files sent daily by receiving mail servers, showing authentication pass/fail statistics for all email claiming to be from your domain. DMARC+ processes these into readable dashboards.
Forensic reports (ruf) — Individual failure reports sent when an email fails DMARC. They contain the message headers and sometimes the message content. Note: many mail providers have stopped sending these due to privacy concerns.
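The aggregate-report workflow in code: an added example (not the page's code and not DMARC+'s) that parses a constructed rua XML report in the RFC 7489 schema and classifies each sending source as passing, unaligned (SPF or DKIM passed but did not align with the From: domain, which is what a misconfigured legitimate third-party sender looks like) or unauthenticated (nothing passed). The report content, IPs and domains are constructed sample data.

```python
"""Summarise a DMARC aggregate (rua) report. Added example with constructed data."""
import xml.etree.ElementTree as ET

# Constructed sample report (RFC 7489 Appendix C schema); not a real receiver's report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- our own mail server: SPF and DKIM pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a bulk mailer sending for us: raw SPF passes on its own domain, so it does not align -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- an unknown source: nothing passes -->
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate message counts per source IP and classify each source."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "passed": 0, "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated reflects the aligned result; DMARC passes if either is "pass"
        evaluated = (rec.findtext("row/policy_evaluated/dkim"),
                     rec.findtext("row/policy_evaluated/spf"))
        dmarc_pass = "pass" in evaluated
        # auth_results holds the raw (pre-alignment) SPF/DKIM results and the domains used
        raw_pass = [f"{kind}:{e.findtext('domain')}"
                    for kind in ("spf", "dkim")
                    for e in rec.findall(f"auth_results/{kind}")
                    if e.findtext("result") == "pass"]
        if dmarc_pass:
            status = "pass"
        elif raw_pass:
            status = "unaligned"        # authenticated, but not for the From: domain
        else:
            status = "unauthenticated"  # neither SPF nor DKIM vouches for this source
        src = summary["sources"].setdefault(ip, {
            "count": 0, "status": status, "raw_pass": raw_pass,
            "header_from": rec.findtext("identifiers/header_from")})
        src["count"] += count
        summary["total"] += count
        if dmarc_pass:
            summary["passed"] += count
    return summary


def pass_rate(summary: dict) -> float:
    """Fraction of reported messages that passed DMARC (the >95% gate in the rollout)."""
    return summary["passed"] / summary["total"] if summary["total"] else 0.0


def sources_to_fix(summary: dict) -> list:
    """Sources worth chasing before tightening the policy: they authenticate, just not aligned."""
    return sorted(ip for ip, s in summary["sources"].items() if s["status"] == "unaligned")


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: pass rate {pass_rate(s):.1%}")
    for ip, src in s["sources"].items():
        print(ip, src["count"], src["status"], src["raw_pass"])
```

In the constructed data the bulk mailer is the case worth acting on: its SPF passes for bulkmailer.example, so it is a real sender that needs a DKIM signature with d=example.com (or a Return-Path on example.com) before the policy moves past p=none; the third source authenticates as nothing and would simply be rejected under enforcement.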
DMARC record syntax
| Tag | Meaning | Example |
|---|---|---|
| v=DMARC1 | Required — version identifier | v=DMARC1 |
| p= | Policy for the domain | p=reject |
| sp= | Policy for subdomains (if different) | sp=quarantine |
| rua= | Email address for aggregate reports | rua=mailto:[email protected] |
| ruf= | Email address for forensic reports | ruf=mailto:[email protected] |
| pct= | Percentage of failing emails the policy applies to | pct=100 (apply to all) |
| adkim= | DKIM alignment mode | adkim=r (relaxed, default) or adkim=s (strict) |
| aspf= | SPF alignment mode | aspf=r (relaxed, default) or aspf=s (strict) |
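The record syntax above and the alignment rules from the DMARC alignment section, worked through in code: an added example (not code from the page or from any DMARC product) that parses a record into its tags with the documented defaults, rejects the malformed records receivers ignore, and then evaluates a message the way a receiver does, requiring SPF or DKIM to pass and align, applying sp= for subdomains, and downgrading the policy one level for the share of failing mail outside pct=. The org_domain() helper is a deliberate simplification: it takes the last two labels, whereas real receivers use the Public Suffix List. All record strings and domains are constructed.

```python
"""Parse a DMARC record and evaluate a message against it. Added example."""

ALLOWED_POLICIES = ("none", "quarantine", "reject")
# Failing mail outside the pct= sample gets the next weaker policy (RFC 7489 section 6.6.4)
PCT_DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value.

    Fills in defaults (adkim=r, aspf=r, pct=100, sp=p) and raises ValueError
    on the mistakes that make receivers discard the record entirely.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p= is required
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ALLOWED_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim/aspf must be r or s")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be an integer 0-100")
    if tags["sp"] not in ALLOWED_POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.

    Simplification (assumption): last two labels. Real receivers consult the
    Public Suffix List so that names like example.co.uk are handled correctly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: dict, record_domain: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   sample: int = 0) -> tuple:
    """Return (dmarc_pass, disposition) for one message.

    record_domain: the domain whose _dmarc record this is;
    spf_domain:    the Return-Path (MAIL FROM) domain that SPF checked;
    dkim_domain:   the d= tag of the DKIM signature that verified;
    sample:        0-99, chosen per message by the receiver, for pct= sampling.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"  # at least one mechanism passed AND aligned
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = record["sp"] if is_subdomain else record["p"]
    if sample >= int(record["pct"]):
        policy = PCT_DOWNGRADE[policy]
    return False, policy


if __name__ == "__main__":
    # Constructed record for example.com, not the page's record
    rec = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100")
    print(rec)
    print(evaluate_dmarc(rec, "example.com", "example.com",
                         "pass", "bounce.example.com", "fail", ""))
```

The SPF-pass-but-unaligned case is the one the alignment section warns about: a message whose Return-Path is on some other domain can pass SPF for that domain and still fail DMARC, because nothing has vouched for the From: domain the recipient sees.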
The path to full enforcement
| Step | Action | When to proceed |
|---|---|---|
| 1 | Publish p=none | Immediately — start collecting data |
| 2 | Review DMARC+ reports for failing sources | After 1–2 weeks of data |
| 3 | Fix SPF/DKIM for each failing legitimate source | One by one |
| 4 | Advance to p=quarantine; pct=10 | When legitimate pass rate > 95% |
| 5 | Increase pct gradually to 100 | Monitor for false positives |
| 6 | Advance to p=reject | When quarantine shows no legitimate emails being caught |
| 7 | Set up BIMI | After stable p=reject |
Why DMARC matters beyond security
DMARC enforcement also improves email deliverability. Major providers (Google, Microsoft, Yahoo) give preferential treatment to authenticated senders. Since 2024, Google and Yahoo require bulk senders to publish a DMARC record with at least p=none. Domains at p=reject see the highest deliverability rates.