What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy published as a DNS TXT record. It tells receiving mail servers what to do when an email claiming to be from your domain fails DMARC authentication: neither SPF nor DKIM passed with a domain that aligns with the From: header.
Without DMARC, anyone can send email pretending to be from your domain. With p=reject, receivers that enforce DMARC refuse those emails before they reach any inbox. This protects your customers from phishing attacks that use your brand.
DMARC also generates reports — sent to an email address you specify — showing every source sending email on behalf of your domain. This visibility is invaluable for finding shadow IT, misconfigured services, and spoofing attempts.
Prerequisites: SPF and DKIM First
DMARC requires SPF or DKIM (ideally both) to already be passing. A message passes DMARC when at least one of the two passes and the domain that passed aligns with the domain in the email's From: header (for SPF, the Return-Path domain; for DKIM, the d= domain in the signature). If neither is configured, DMARC has nothing to verify against.
Don't skip this: Setting p=reject without working SPF and DKIM will reject all your legitimate email. Always set up SPF and DKIM first, verify they're passing, then add DMARC.
Check your current status: run the SPF / DMARC / DKIM checker on your domain before proceeding.
Step 1: Add a p=none Monitoring Record
Start with p=none. This tells mail servers to take no action on failing emails — it just generates reports so you can see what's happening without breaking anything.
Add this TXT record to your DNS:
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; | 3600 |
Replace yourdomain.com with your domain and make sure the rua address is a real mailbox you monitor. This is where participating receivers send aggregate reports, normally once a day. If you point rua at a mailbox in a different domain (a report-analysis vendor, for example), that domain has to publish an authorization record or receivers will not send the reports; vendors usually document the record they need.
Important: The host must be _dmarc, not @ or dmarc. The full DNS name this creates is _dmarc.yourdomain.com.
Step 2: Read Your DMARC Reports
After 24–48 hours, you'll start receiving XML reports at the rua address, usually as .zip or .gz attachments. These are hard to read directly — use a DMARC report analyzer like Postmark's free analyzer, dmarcian, or Valimail to parse them.
What to look for:
- All your legitimate senders — Google Workspace, marketing tools, CRM, helpdesk — should show dkim=pass and/or spf=pass
- Unknown sources — these are either spoofing attempts or services you forgot to authorize
- Alignment failures — passing SPF or DKIM but with a different domain than the From: header
For each legitimate sender that's failing, you need to either add it to your SPF record, enable DKIM signing through that service with your domain as the signing domain, or both. Note that SPF only aligns if the service uses your domain as the bounce (Return-Path) address, which many third-party senders don't do by default, so DKIM is often the easier fix. Don't move to the next phase until all legitimate senders show as passing.
Monitor for 2–4 weeks before moving to enforcement.
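The sorting described in Step 2 can be scripted. The following is an added example, not code from the original article or from any of the analyzers it names: it reads an aggregate report (plain XML, .gz or .zip) and puts every source IP into one of the three buckets above. The report XML, IP addresses, domains and counts are constructed for illustration.

```python
"""Parse a DMARC aggregate (rua) report and sort sources into the three buckets
from Step 2: legitimate senders, alignment failures and unknown sources.
Added example, not part of the original article. The report below is a
constructed sample in the RFC 7489 Appendix C format; every IP, domain and
count in it is hypothetical."""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET   # reports come from third parties; for
from collections import defaultdict   # untrusted input consider defusedxml

SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp-vendor.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def load_report(data: bytes) -> ET.Element:
    """Reports arrive as .xml, .xml.gz or .zip attachments; detect by magic bytes."""
    if data[:2] == b"\x1f\x8b":                      # gzip
        data = gzip.decompress(data)
    elif data[:2] == b"PK":                          # zip
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return ET.fromstring(data)


def classify(record: ET.Element) -> dict:
    """Summarize one <record>: policy_evaluated holds the aligned (DMARC) result,
    auth_results holds the raw SPF/DKIM results with the domain each one used."""
    row = record.find("row")
    ev = row.find("policy_evaluated")
    dmarc_pass = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
    raw = record.find("auth_results")
    raw_passes = [
        (mech.tag, mech.findtext("domain"))
        for mech in (list(raw) if raw is not None else [])
        if mech.findtext("result") == "pass"
    ]
    if dmarc_pass:
        bucket = "legitimate (aligned pass)"
    elif raw_passes:
        bucket = "alignment failure"   # SPF/DKIM passed, but for the wrong domain
    else:
        bucket = "unknown source"      # nothing passed: spoofing or unauthorized sender
    return {
        "ip": row.findtext("source_ip"),
        "count": int(row.findtext("count")),
        "header_from": record.findtext("identifiers/header_from"),
        "raw_passes": raw_passes,
        "bucket": bucket,
    }


def summarize(data: bytes) -> dict:
    """Map bucket -> source IP -> summary for every record in the report."""
    out = defaultdict(dict)
    for rec in load_report(data).iter("record"):
        c = classify(rec)
        out[c["bucket"]][c["ip"]] = c
    return dict(out)


if __name__ == "__main__":
    for bucket, ips in summarize(gzip.compress(SAMPLE_REPORT)).items():
        print(bucket)
        for ip, c in ips.items():
            print(f"  {ip:15} {c['count']:5d} msgs  raw passes: {c['raw_passes']}")
```

In the sample, 198.51.100.20 is the interesting row: SPF passed, but for bounce.esp-vendor.net rather than yourdomain.com, so DMARC fails. That is the "service you forgot to authorize" case, and the fix is DKIM signing with your domain (or a custom bounce domain), not adding the vendor's IP to your SPF record.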
Step 3: Move to p=quarantine
Once you're confident all legitimate mail is passing, update your record to quarantine failing emails (send them to spam instead of inbox):
| Type | Host | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com; |
The pct=10 applies the policy to only 10% of failing emails first. This gives you a safety net: with p=quarantine, the failing messages outside the sample are treated as p=none (and with p=reject, as quarantine). Watch your legitimate email delivery for a few days, then increment: 25%, 50%, 100%.
When ready for 100% quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com;
Step 4: Enforce with p=reject
After a week or two at p=quarantine with no legitimate email going missing, you're ready for full enforcement:
| Type | Host | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; |
At p=reject, any email failing DMARC is refused during the SMTP transaction by receivers that honor the policy — it never reaches an inbox or spam folder; the sending server is the only party that sees the rejection. This is the strongest protection against spoofing. Two caveats: receivers are not obliged to enforce your policy (some apply their own local rules), and mail that is forwarded or relayed through mailing lists can legitimately fail DMARC, because forwarding breaks SPF alignment and list software that rewrites messages breaks DKIM.
DMARC Record Syntax Explained
The DMARC tags you can use:
- v=DMARC1 — Required. Must be first.
- p=none|quarantine|reject — Required. The policy to apply.
- rua=mailto:address — Where to send aggregate reports (XML summaries, daily by default). If the address is outside your domain, that domain must publish an authorization record at yourdomain.com._report._dmarc.<report-domain> or receivers won't send to it.
- ruf=mailto:address — Where to send forensic reports (per-failure, often disabled by providers).
- pct=0-100 — Percentage of failing mail to apply the policy to. Default is 100.
- sp=none|quarantine|reject — Policy for subdomains. Defaults to the main policy.
- aspf=r|s — SPF alignment: relaxed (r, default) or strict (s).
- adkim=r|s — DKIM alignment: relaxed (r, default) or strict (s).
- fo=0|1|d|s — When to generate forensic reports: both SPF and DKIM fail (0, default), either fails (1), DKIM fails (d), SPF fails (s).
- ri=seconds — Requested aggregate report interval. Default is 86400 (one day).
- rf=afrf — Forensic report format. afrf is the only defined value.
Use relaxed alignment (aspf=r; adkim=r) unless you have a specific reason for strict. Strict alignment requires exact domain matches, which can cause legitimate mail from subdomains to fail.
Common DMARC Mistakes
- Jumping to p=reject without testing — causes immediate delivery failures for any unaccounted-for sender
- Wrong host name — record must be at _dmarc.yourdomain.com, not dmarc.yourdomain.com
- Not setting up SPF/DKIM first — DMARC has nothing to verify
- Forgetting third-party senders — ESPs, CRMs, helpdesks sending on your behalf
- Ignoring reports — the reports are the whole point of p=none; not reading them wastes weeks
- Multiple DMARC records — only one allowed; if a receiver finds two at _dmarc.yourdomain.com it treats the domain as having no DMARC policy at all
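Most of the syntax rules and common mistakes above can be checked before a record is published. The following is an added example, not the article's or any vendor's tool: it parses the TXT string(s) you get back from `dig +short TXT _dmarc.yourdomain.com` (it does no DNS lookups itself), reports syntax problems, flags multiple records and an unauthorized external rua address, and computes the policy a receiver actually applies once sp and pct are taken into account. The record strings and domains in it are constructed samples.

```python
"""Validate a DMARC record set and compute the effective policy.
Added example, not part of the original article. Input is the list of TXT
strings found at _dmarc.<domain>; the samples used here are constructed."""
import re

POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "ri", "rf"}
MAILTO = re.compile(r"mailto:[^@\s]+@([^\s!]+)(?:!\d+[kmgt]?)?", re.I)  # optional !size limit


def parse_dmarc(txt: str) -> list[tuple[str, str]]:
    """Split 'v=DMARC1; p=none; ...' into ordered (tag, value) pairs.
    Order is kept because v= must come first; dig's surrounding quotes are stripped."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def same_org(report_domain: str, domain: str) -> bool:
    """Report address is 'ours' if it is our domain or a subdomain of it.
    A real implementation compares organizational domains via the public suffix list."""
    report_domain, domain = report_domain.lower(), domain.lower()
    return report_domain == domain or report_domain.endswith("." + domain)


def validate(records: list[str], domain: str) -> list[str]:
    """Return a list of problems; an empty list means the record is publishable."""
    if not records:
        return [f"no DMARC record at _dmarc.{domain}"]
    if len(records) > 1:
        return [f"{len(records)} DMARC records found; receivers treat this as no policy"]
    tags = parse_dmarc(records[0])
    problems = []
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    d = dict(tags)
    if d.get("p") not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    if "sp" in d and d["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    if "pct" in d and not (d["pct"].isdigit() and 0 <= int(d["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    for t in ("adkim", "aspf"):
        if t in d and d[t] not in {"r", "s"}:
            problems.append(f"{t}= must be r or s")
    for t in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in d.get(t, "").split(","))):
            m = MAILTO.fullmatch(uri)
            if not m:
                problems.append(f"{t}= entry is not a mailto: URI: {uri}")
            elif not same_org(m.group(1), domain):
                problems.append(
                    f"{t}= sends reports to {m.group(1)}; that domain must publish "
                    f'{domain}._report._dmarc.{m.group(1)} TXT "v=DMARC1" or receivers drop them')
    for t in d:
        if t not in KNOWN_TAGS:
            problems.append(f"unknown tag {t}= (receivers ignore it)")
    return problems


def effective_policy(record: str, subdomain: bool = False, sampled: bool = True) -> str:
    """Policy a receiver applies to a failing message: sp falls back to p, and a
    message outside the pct sample gets the next weaker policy (RFC 7489 s6.6.4)."""
    d = dict(parse_dmarc(record))
    policy = d.get("sp", d["p"]) if subdomain else d["p"]
    if not sampled:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    for rec in (['"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;"'],
                ["p=none; v=DMARC1"],
                ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
                ["v=DMARC1; p=quarantine; pct=10; rua=mailto:r@dmarc-vendor.example"]):
        print(rec, "->", validate(rec, "yourdomain.com") or "OK")
    print(effective_policy("v=DMARC1; p=quarantine; pct=10", sampled=False))  # none
```

Paste the output of `dig +short TXT _dmarc.yourdomain.com` into the list: if you see two lines, that is the "multiple records" mistake, and the function says so before you find out from your reports.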
Frequently Asked Questions
What is a DMARC record?
A DMARC record is a TXT DNS record at _dmarc.yourdomain.com that tells receiving servers what to do when email from your domain fails authentication. Options are p=none (monitor only), p=quarantine (send to spam), or p=reject (block entirely).
Can DMARC break my email delivery?
Yes, if you set p=quarantine or p=reject before all your legitimate senders are passing authentication. That's why you start with p=none to monitor, then incrementally enforce. p=none alone will never affect delivery.
How long does DMARC take to set up?
The DNS record propagates within hours. But collecting enough report data to safely move to enforcement takes 2–4 weeks of monitoring at p=none.
Does DMARC improve deliverability?
Yes, indirectly. Having a DMARC record (even p=none) is increasingly a signal of legitimate sender infrastructure. Since February 2024, Google and Yahoo require bulk senders (5,000 or more messages a day to their users) to publish a DMARC record. Proper DMARC + SPF + DKIM authentication is foundational for good inbox placement.