
What is DMARC?

Learn how DMARC protects your domain from email spoofing and phishing attacks with policy-based authentication.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that gives domain owners the ability to specify how receiving mail servers should handle messages that fail SPF and DKIM authentication checks.

Published as a DNS TXT record, a DMARC policy tells receivers: "If an email claims to come from my domain but fails authentication, here's what you should do with it — and please send me reports about it."

How Does DMARC Work?

DMARC builds on top of two existing protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). When a receiving mail server gets a message, it runs both checks and then evaluates DMARC alignment.

Alignment means the domain in the From: header — what the recipient actually sees — must match the domain authenticated by SPF or DKIM. Without alignment, a spammer could pass SPF on a different domain and still spoof your brand's From: address.

A message passes DMARC if at least one of the following is true:

  • SPF passes and the SPF-authenticated domain aligns with the From: domain
  • DKIM passes and the DKIM d= domain aligns with the From: domain
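The pass/fail decision described above, as an added example that is not code from the original page. The relaxed ("r") and strict ("s") alignment modes are DMARC's aspf=/adkim= record tags, which the page does not list; org_domain() is a deliberate simplification, and one of the cases shows the forwarding scenario from the Common Issues section.

```python
# Added example (not from the original page): the DMARC pass/fail decision
# from SPF and DKIM results. Relaxed ('r') vs strict ('s') alignment are the
# adkim=/aspf= record tags; org_domain() is a deliberate simplification.

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.
    Assumption for illustration; real receivers use the Public Suffix List,
    so e.g. 'example.co.uk' is mishandled here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed alignment accepts a shared organizational domain;
    strict alignment requires an exact (case-insensitive) match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain: str, spf_result: str, spf_domain,
                 dkim_result: str, dkim_domain,
                 aspf: str = "r", adkim: str = "r") -> str:
    """'pass' if at least one of SPF or DKIM passed *and* its authenticated
    domain aligns with the From: header domain; otherwise 'fail'.
    spf_domain is the MAIL FROM (envelope) domain, dkim_domain the d= tag."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    cases = {
        # spoof: SPF passes for the sender's own envelope domain, no alignment
        "unaligned SPF pass": ("example.com", "pass", "other.invalid", "none", None),
        # forwarding: SPF fails at the forwarder's IP, DKIM signature survives
        "forwarded, DKIM intact": ("example.com", "fail", "example.com", "pass", "example.com"),
        # bulk sender signs with a subdomain: relaxed alignment accepts it
        "subdomain d=, relaxed": ("example.com", "none", None, "pass", "mail.example.com"),
    }
    for name, args in cases.items():
        print(f"{name:24} -> {dmarc_result(*args)}")
```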

The Three DMARC Policies

The p= tag in your DMARC record defines what happens to messages that fail:

  • p=none — Monitor mode. No action is taken on failing messages. Reports are still sent. Use this when first deploying DMARC to understand your email traffic before enforcing.
  • p=quarantine — Failing messages are sent to the spam/junk folder. A middle ground that provides some protection while you refine your setup.
  • p=reject — Failing messages are refused outright by the receiving server. This is the strongest protection and the goal of full DMARC deployment.

Why is DMARC Important?

Without DMARC, anyone can send an email with your domain in the From: header. Attackers exploit this to impersonate your brand in phishing attacks, business email compromise (BEC) scams, and spam campaigns. DMARC with a reject policy closes this vector.

Beyond security, DMARC improves email deliverability. Major providers like Gmail and Microsoft give preferential treatment to authenticated, policy-enforced domains. Google and Yahoo now require DMARC for bulk senders.

DMARC Report Types

DMARC sends two types of reports back to domain owners:

  • Aggregate reports (RUA) — XML summaries sent daily by receiving mail servers. They show source IPs, volume, and SPF/DKIM pass/fail counts. Essential for understanding your email ecosystem.
  • Forensic reports (RUF) — Detailed reports triggered by individual authentication failures. They include message headers and are useful for diagnosing specific problems, though many providers have stopped sending them for privacy reasons.

How to Set Up DMARC

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Here's a minimal example:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

A more complete production record with forensic reports and a subdomain policy:

v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@yourdomain.com; ruf=mailto:dmarc-ruf@yourdomain.com; fo=1

Key tags explained:

  • v=DMARC1 — Required. Identifies this as a DMARC record.
  • p= — Policy: none, quarantine, or reject.
  • sp= — Subdomain policy (defaults to the main policy if omitted).
  • pct= — Percentage of failing mail the policy applies to (100 = all).
  • rua= — Email address for aggregate reports.
  • ruf= — Email address for forensic reports.
  • fo= — Forensic reporting options: 0 (report only when both SPF and DKIM fail), 1 (report when either fails), d (report any DKIM signature failure), s (report any SPF failure).
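Parsing and sanity-checking a record built from the tags above, as an added example that is not the page's code. The DNS lookup is deliberately left out so it runs offline; findings() flags the configuration mistakes the page warns about rather than being part of the DMARC specification.

```python
# Added example (not from the original page): parse a DMARC TXT record,
# apply the tag defaults, and flag common deployment mistakes.
VALID_POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"pct": "100", "fo": "0"}  # sp defaults to p, handled below

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate the required tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags

def report_addresses(tags: dict, key: str) -> list:
    """mailto: targets of rua= or ruf=, dropping size limits such as '!10m'."""
    uris = (u.strip() for u in tags.get(key, "").split(","))
    return [u.split("!")[0][len("mailto:"):] for u in uris if u.startswith("mailto:")]

def findings(tags: dict) -> list:
    """Deployment warnings; an empty list means nothing obvious to fix."""
    out = []
    if not report_addresses(tags, "rua"):
        out.append("no rua= address: you will receive no aggregate reports")
    if tags["p"] == "none":
        out.append("p=none is monitor-only; spoofed mail is still delivered")
    elif int(tags["pct"]) < 100:
        out.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if tags["p"] != "none" and tags["sp"] == "none":
        out.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    return out

if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com")
    print(rec, report_addresses(rec, "rua"), findings(rec), sep="\n")
```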

Common Issues

  • Third-party senders not authenticated — Email service providers (CRMs, marketing tools) sending on your behalf must be included in your SPF record or configured with DKIM signing using your domain.
  • Forwarding breaks DMARC — When email is forwarded, the SPF check re-runs against the forwarder's IP, which may fail. DKIM usually survives unless the message body is modified. This is why p=quarantine can be useful before moving to reject.
  • Moving too fast to reject — Always deploy p=none first, analyze reports for 2-4 weeks, authorize all legitimate senders, then gradually enforce.

Frequently Asked Questions

Does DMARC replace SPF and DKIM?

No. DMARC requires both SPF and DKIM to be properly configured. It acts as the policy and reporting layer on top of them. All three protocols work together.

How long does it take to see DMARC reports?

Most major mail providers send aggregate reports once per day, covering the previous 24-hour period. You should start receiving reports within 24-48 hours of publishing your DMARC record — but only if you have the rua= tag set.

Can DMARC hurt my email deliverability?

A p=none policy has no impact on delivery. Moving to reject before authorizing all legitimate senders can cause legitimate email to be blocked. Always analyze reports thoroughly before enforcing. Tools like DDMARC make this process significantly easier.
