What is DMARC?

DMARC ties SPF and DKIM together, tells receivers how to handle messages that fail authentication, and sends you reports on who is sending mail as your domain.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a policy layer built on top of SPF and DKIM. It is published as a DNS TXT record at _dmarc.yourdomain.com and does two jobs: it enforces alignment and it generates reports about mail claiming to be from your domain.

Alignment is the key concept. SPF checks the envelope sender and DKIM checks its signing domain, but neither guarantees they match the From address a recipient actually sees. DMARC requires that a passing SPF or DKIM result align with the visible From domain, closing the spoofing gap that authentication alone leaves open.

A DMARC record specifies a policy with the p tag: none simply monitors, quarantine sends failing mail to spam, and reject blocks it entirely. Senders typically start at p=none to collect aggregate (rua) reports, confirm all legitimate sources pass, and then tighten to quarantine and reject once they are confident nothing legitimate will break.

Gmail, Yahoo, and Microsoft now require a valid DMARC record for bulk senders, so publishing one is mandatory for serious outreach. Beyond compliance, DMARC protects your brand from being impersonated in phishing, and its reports are the single best way to discover shadow sending sources you did not know existed.

Examples

  • v=DMARC1; p=none; rua=mailto:reports@example.com — monitoring mode with aggregate reports
  • v=DMARC1; p=quarantine; pct=50; — quarantine half of failing mail while ramping up
  • v=DMARC1; p=reject; — full enforcement, unauthenticated mail is blocked

Frequently asked questions

Free tools for working with DMARC

Related terms