DMARC (Domain-based Message Authentication, Reporting & Conformance)
A policy layer on top of SPF and DKIM that tells receivers what to do with unauthenticated mail and provides reports to the sender.
What is DMARC?
DMARC is an email authentication policy that builds on SPF and DKIM to tell receiving servers how to handle messages that fail authentication. It also provides a reporting channel so domain owners can see who is sending mail on their behalf, including attempted spoofers.
Why it matters
Without DMARC, you have no visibility into forged mail using your domain and no way to enforce rejection of spoofed messages. Gmail and Yahoo now require DMARC for bulk senders, so ignoring it can get your marketing mail blocked outright. Security teams gain phishing defense, marketers gain inbox placement, and brand owners protect their reputation.
How it works
The domain owner publishes a TXT record at _dmarc that specifies a policy and reporting addresses.
_dmarc.acme.io IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; aspf=s; adkim=s"
When a receiver gets a message, it checks SPF and DKIM and verifies that at least one passes and aligns with the From domain. If neither does, the DMARC policy (none, quarantine, or reject) decides the message's fate. Aggregate reports are emailed to the rua address in XML format.
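The receiver-side decision described above, as an added example that is not code from this page or from any mail provider. It parses a policy record, applies strict or relaxed alignment, and handles pct sampling. The naive org_domain helper, the sample argument, and the two sample records (including the rua address) are assumptions constructed for illustration.

```python
# Added example: simplified DMARC receiver logic. All sample values are constructed.
ORDER = ["none", "quarantine", "reject"]

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; v=DMARC1 must come first."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ORDER:
        raise ValueError("missing or invalid p= tag")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf, dkim, sample=0):
    """spf and dkim are (passed, domain) pairs: the envelope sender domain for SPF,
    the signature's d= domain for DKIM. sample is 0-99; receivers draw it at random.
    Returns 'pass' or the disposition to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    level = ORDER.index(tags["p"])
    # pct: messages outside the sampled share get the next-lower policy.
    if sample >= int(tags.get("pct", "100")) and level > 0:
        level -= 1
    return ORDER[level]

# Constructed records; the rua address is a placeholder.
STRICT = "v=DMARC1; p=reject; rua=mailto:reports@acme.io; pct=100; aspf=s; adkim=s"
RELAXED = "v=DMARC1; p=quarantine; pct=25"
```

Under the strict record, mail authenticated as mail.acme.io does not align with a From address at acme.io, which is a common reason legitimate mail fails once aspf=s and adkim=s are published.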
Examples
- Starting at p=none and collecting reports for four weeks before tightening
- Moving to p=quarantine; pct=25 to ship 25 percent of failing mail to spam as a test
- Reaching full p=reject after eliminating all legitimate unauthenticated sources
Best practices
- Start at p=none to gather data before enforcing
- Use a report aggregation tool so the XML is actually readable
- Ramp pct gradually from 0 to 100 rather than flipping straight to reject
- Ensure SPF and DKIM pass alignment checks, not just raw validation
FAQs
What is alignment in DMARC?
Alignment means the domain used in SPF or DKIM must match the domain in the visible From header. Raw SPF or DKIM passes are not enough; DMARC cares whether they line up with what the user sees.
Do I need both SPF and DKIM for DMARC?
Only one needs to pass and align, but publishing both gives you redundancy. If one fails due to forwarding, the other can still carry the message through.
How long until I can move to p=reject?
Most domains need 4 to 12 weeks at p=none to discover all legitimate sending sources and fix misconfigurations before tightening the policy.