
DMARC (Domain-based Message Authentication): The Complete Guide

Everything you need to know about DMARC policy to orchestrate SPF and DKIM and protect your domain against phishing.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol defined in RFC 7489. It was created to address a major weakness of SPF and DKIM: these protocols, on their own, do not tell the receiving server what to do when authentication fails.

DMARC acts as a conductor that defines a clear policy: what should the receiving server do when an email fails SPF and DKIM checks? Reject it, quarantine it, or do nothing? DMARC also provides a reporting system that lets you see exactly who is sending emails using your domain.

The key concept of DMARC is alignment: the domain used in the "From" header (visible to the recipient) must match the domain verified by SPF or DKIM. Without this alignment, an attacker could pass SPF with their own envelope domain while displaying your domain in the visible "From" header.

DMARC is now considered essential. Major email providers (Google, Yahoo, Microsoft) require a valid DMARC record before they will accept bulk email. Without DMARC, your emails risk landing in spam or being rejected outright.

How does DMARC work?

DMARC combines the results of SPF and DKIM with an additional alignment check:

  1. Email reception — The receiving server receives an email and extracts the domain from the "From" header.
  2. DMARC DNS query — It queries DNS to find a DMARC record at _dmarc.domain.com.
  3. SPF check + alignment — The server verifies whether SPF passes AND whether the envelope domain (MAIL FROM) is aligned with the "From" header domain.
  4. DKIM check + alignment — The server verifies whether DKIM passes AND whether the DKIM signature domain (tag d=) is aligned with the "From" header domain.
  5. Policy enforcement — If neither SPF nor DKIM passes with alignment, the server applies the DMARC policy defined by the domain owner.
  6. Report delivery — The receiving server sends aggregate (and optionally forensic) reports to the domain owner.

A DMARC record looks like this:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s; pct=100

Each tag has a specific meaning:

  • v=DMARC1 — Identifies the record as DMARC version 1 (required).
  • p= — The policy to apply: none (monitor only), quarantine (deliver to spam), or reject (refuse delivery).
  • rua= — Address for receiving aggregate reports (required in practice).
  • ruf= — Address for receiving forensic (failure) reports (optional, poorly supported).
  • adkim= — DKIM alignment mode: s (strict) or r (relaxed, default).
  • aspf= — SPF alignment mode: s (strict) or r (relaxed, default).
  • pct= — Percentage of failing emails to which the policy applies (useful for gradual rollout).
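
How a receiving server combines these tags with the SPF and DKIM results, as an added Python example that is not part of the original guide. It assumes a simplified organizational-domain rule (last two labels; real verifiers use the Public Suffix List) and a `sample` argument standing in for the receiver's random draw that pct= relies on.

```python
# Added example (not from the original guide): parse a DMARC record and apply
# the alignment rules to SPF/DKIM results. org_domain() is a simplification
# (last two labels); real verifiers use the Public Suffix List.

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")   # policy applies to all failing mail
    return tags

def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organizational domain.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, spf_pass: bool, mail_from: str,
             dkim_pass: bool, dkim_d: str, sample: int = 0) -> str:
    """Return 'pass', or the disposition (none/quarantine/reject) the receiver applies."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mail_from, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # pct: 'sample' (0-99) stands in for the receiver's random draw. Mail outside
    # the percentage gets the next less severe action (reject -> quarantine -> none).
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine"}.get(policy, "none")
    return policy
```

Note that a message whose SPF passes for an unrelated envelope domain still fails DMARC: the alignment step, not the raw SPF result, is what blocks the spoof.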

How to configure DMARC step by step

Step 1: Verify SPF and DKIM

Before configuring DMARC, make sure your SPF and DKIM are correctly configured. DMARC relies on both of these protocols — if they are not working, DMARC cannot function effectively.

Step 2: Start in monitoring mode (p=none)

Create a TXT record in your DNS to start collecting reports without impacting deliverability:

  • Type: TXT
  • Name: _dmarc
  • Value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This configuration does not block any email but sends you daily reports detailing all emails sent using your domain.

Step 3: Analyze the reports (2 to 4 weeks)

DMARC reports are XML files. You can read them manually or use an analysis service (such as Postmark, dmarcian, or Valimail). Identify:

  • Legitimate services that are failing (missing SPF or DKIM)
  • Suspicious sources spoofing your domain
  • The volume of affected emails
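
The triage the analysis step describes, run over an aggregate report: an added Python example that is not part of the original guide. The XML is a constructed sample in the RFC 7489 Appendix C layout with documentation-range IPs and fictitious domains, not a real report.

```python
# Added example (not from the original guide): summarise a DMARC aggregate report
# so failing senders stand out. The XML is a constructed sample in the RFC 7489
# Appendix C layout, not a real report.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>400</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>203-0-113-99.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(xml_text: str) -> list:
    """One dict per <record>: IP, volume, DMARC verdict and the raw SPF/DKIM domains."""
    # Reports come from third parties: parse them with defusedxml in production.
    rows, root = [], ET.fromstring(xml_text)
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        spf, dkim = rec.find("auth_results/spf"), rec.find("auth_results/dkim")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dmarc": "pass" if "pass" in (pe.findtext("dkim"), pe.findtext("spf")) else "fail",
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_result": spf.findtext("result") if spf is not None else None,  # raw, pre-alignment
            "dkim_domain": dkim.findtext("domain") if dkim is not None else None,
        })
    return rows

def failing_sources(xml_text: str) -> list:
    """Failing senders, highest volume first: the triage list for the monitoring phase."""
    return sorted((r for r in summarize(xml_text) if r["dmarc"] == "fail"), key=lambda r: -r["count"])
```

In the sample, the vendor at 198.51.100.7 passes raw SPF for its own domain but fails DMARC for lack of alignment (a legitimate service to fix), while 203.0.113.99 fails everything at high volume (a likely spoofing source).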

Step 4: Switch to quarantine mode

Once all your legitimate services pass SPF and/or DKIM with alignment, switch to the quarantine policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=50

The pct=50 tag applies the policy to only 50% of emails initially, to limit risk.

Step 5: Enable full reject (p=reject)

The final step is the strictest policy:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s

With p=reject, any email that fails DMARC checks is rejected by the receiving server. This provides maximum protection against spoofing and phishing. Strict alignment (adkim=s; aspf=s) requires an exact domain match.

Common mistakes to avoid

1. Jumping straight to p=reject

This is the most dangerous mistake. If you switch directly to p=reject without a monitoring phase, you risk blocking your own legitimate emails. Always follow the progression: none → quarantine → reject.

2. Staying on p=none indefinitely

The p=none policy offers no real protection: it collects reports but blocks nothing. Many domains remain in monitoring mode for years. Set a goal of 1 to 3 months maximum before moving to quarantine.

3. Not configuring a report address (rua)

Without the rua tag, you will not receive any reports. You will be blind to what is happening with your domain. Reports are essential for detecting configuration issues and spoofing attempts.

4. Ignoring subdomains

By default, the DMARC policy for the main domain does not apply to subdomains. Use the sp= tag (for example sp=reject) to explicitly set a policy for subdomains; otherwise an attacker could send from fake.yourdomain.com.

5. Forgetting to configure SPF and DKIM first

DMARC does not work in isolation. It relies on the results of SPF and DKIM. Without these protocols correctly configured, DMARC has nothing to verify and all your emails will fail.

Frequently asked questions about DMARC

Which DMARC policy should I choose?

The ultimate goal is always p=reject, which provides the best protection. But start with p=none to collect reports and identify all services sending emails with your domain. Then gradually move to p=quarantine and finally p=reject.

What is DMARC alignment?

Alignment verifies that the domain used in the "From" header (visible to the recipient) matches the domain verified by SPF (envelope domain) or DKIM (tag d= domain). In "relaxed" mode (default), subdomains are accepted. In "strict" mode, domains must match exactly.

Is DMARC mandatory in 2025?

Technically no, but in practice yes. Since February 2024, Google and Yahoo require a DMARC record for senders sending more than 5,000 emails per day. Even for smaller volumes, the absence of DMARC seriously degrades your email deliverability. It has become an essential standard for email security.
