What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is defined in RFC 7489. It builds on top of SPF and DKIM by adding two key capabilities: a policy that tells receivers how to handle unauthenticated mail (monitor, quarantine, or reject), and a reporting mechanism that sends you XML reports on who's sending mail from your domain and whether it's passing authentication.
Crucially, DMARC adds the concept of **alignment** — the domain in the email's visible "From" header must match the domain authenticated by SPF or DKIM. This prevents attackers from passing SPF/DKIM on a different domain while spoofing your domain in the From header.
Why do you need DMARC?
1Header From protection
SPF and DKIM alone don't protect the visible From address — DMARC closes that gap with alignment
2Enforcement policy
You decide what happens to failing mail: monitor it, send to spam, or reject it outright
3Aggregate reporting
Daily XML reports (RUA) show every IP sending mail with your domain and pass/fail rates
4Forensic reporting
Failure reports (RUF) send a redacted copy of individual failing messages for investigation
5Required by Google/Yahoo
Since Feb 2024, bulk senders must have DMARC at p=none minimum to reach Gmail/Yahoo inboxes
6Brand protection
Prevents phishing emails that impersonate your brand from reaching your customers
How DMARC works — step by step
You publish a DMARC TXT record at `_dmarc.yourdomain.com` specifying your policy and report addresses.
A message arrives at the receiving server. It runs SPF and DKIM checks independently.
DMARC alignment is tested: does the authenticated domain (from SPF or DKIM) match the header From domain?
If either SPF+alignment OR DKIM+alignment passes, DMARC passes for the message.
If both fail, the receiver applies your policy: none (deliver), quarantine (spam folder), or reject (bounce).
The receiver collects authentication data for your domain and sends aggregate (RUA) or forensic (RUF) reports to the addresses you specified.
DMARC record syntax
v=DMARC1; p=quarantine; pct=100; sp=reject;
rua=mailto:dmarc-reports@yourdomain.com;
ruf=mailto:dmarc-failures@yourdomain.com;
adkim=s; aspf=s; fo=1Tag reference
v=DMARC1— version, requiredp=— policy for the domainsp=— policy for subdomainspct=— % of failing mail the policy applies torua=— aggregate report recipients (mailto:)ruf=— forensic report recipients (mailto:)adkim=— DKIM alignment: r=relaxed, s=strictaspf=— SPF alignment: r=relaxed, s=strictfo=— failure reporting options (0,1,d,s)ri=— report interval in seconds (default 86400)The three DMARC policies
DMARC alignment explained
Common DMARC failures and fixes
SPF alignment failure
The envelope From (return-path) domain doesn't match the header From — common with ESPs using their own return-path
DKIM alignment failure
The d= domain in the DKIM signature doesn't match the visible From domain — configure your ESP to sign with your domain
Missing RUA address
Without rua= you get no reports and no visibility — always include at least one report address
Subdomains not covered
Add sp=reject to extend your policy to subdomains, or publish separate DMARC records per subdomain
Frequently Asked Questions
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a critical email authentication protocol that works alongside SPF and DKIM. It provides instructions to receiving mail servers on how to handle emails that fail authentication checks, effectively preventing unauthorized parties from spoofing your domain and protecting your brand reputation.
A DMARC checker verifies that your record is correctly formatted and published in your DNS settings. By ensuring your DMARC policy is active (ideally moving toward p=reject), you signal to ISPs like Google and Outlook that your emails are legitimate, which significantly reduces the chances of your messages being marked as spam or blocked.
The 'quarantine' policy instructs the receiving server to deliver emails that fail DMARC to the recipient's spam or junk folder. The 'reject' policy is more secure, as it tells the server to bounce the email entirely, ensuring it never reaches the recipient. Both policies are essential steps in securing your domain's email flow.
DMARC alignment occurs when the domain in the 'From' header matches the domain validated by SPF or DKIM. Without proper alignment, even a valid SPF or DKIM check can result in a DMARC failure. Alignment ensures that the visible sender address is the one that was actually authenticated.
DMARC changes depend on your DNS record's TTL (Time to Live) settings. While the update happens almost instantly at the source, it can take anywhere from a few minutes to 48 hours for global propagation. Using a DMARC checker regularly helps you verify when the changes have reached major mail servers.
No DMARC record means receivers have no instructions on what to do when mail fails SPF or DKIM, leaving your domain easier to spoof and your legitimate mail more likely to be filtered. Publishing a DMARC record, starting with p=none, lets you monitor authentication and progressively protect your domain.