DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email security protocol that protects your domain from being used in phishing and spoofing attacks. It builds on two existing technologies — SPF and DKIM — by adding a critical missing piece: a way for domain owners to tell email providers what to do when authentication fails.

The Problem: Email Spoofing

To understand why DMARC matters, imagine this scenario:

❌ Without DMARC

Alice works at Acme Corp (acme.com). A scammer wants to trick Bob, one of Acme's clients, into wiring money to a fake account.

The scammer sets up a random mail server and sends an email to Bob with the From address set to alice@acme.com. The email says "Hi Bob, our bank details have changed — please send this month's payment to this new account."

Bob's email provider (say Gmail) receives the message. It looks at the "From" field and sees alice@acme.com — but it has no way to know this is fake. Email was designed in 1982 without any sender verification. The "From" address is just text that anyone can fill in, like a return address on an envelope.

The email lands in Bob's inbox looking completely legitimate. Bob trusts it, follows the instructions, and loses money.

✅ With DMARC

Now imagine Acme Corp has set up DMARC. They've published a DNS record that says: "Only these specific servers are authorised to send email from acme.com. If anything else shows up claiming to be us — reject it."

The scammer sends the same fake email. But this time, when Gmail receives it, it checks acme.com's DMARC record. Gmail sees that the email didn't come from an authorised server, and the cryptographic signatures don't match. The email fails both SPF and DKIM alignment.

Acme's DMARC policy says p=reject, so Gmail blocks the email entirely. It never reaches Bob's inbox.

Meanwhile, Acme Corp gets a daily report showing that someone tried to spoof their domain — so they know about the attack even though it was stopped.

How DMARC Works

DMARC works by publishing a simple DNS record that tells receiving email servers three things:

1. Authentication: check whether emails pass SPF and/or DKIM, and verify that the authenticated domain aligns with the From: domain
2. Policy: what to do when emails fail: monitor (none), send to spam (quarantine), or block (reject)
3. Reporting: send daily reports back to you showing who's sending email using your domain

DMARC Authentication Flow

Email arrives → check SPF and check DKIM → do the results align with the From: domain? Yes: DMARC pass, deliver. No: DMARC fail, apply the published policy.

What is a DMARC Record?

A DMARC record is a TXT entry in your domain's DNS. It lives at _dmarc.yourdomain.com and looks like this:

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; adkim=r; aspf=r

Let's break down the key parts:

Tag      | Meaning                   | Values
v=DMARC1 | Version (required)        | Always DMARC1
p=       | Policy (required)         | none, quarantine, reject
rua=     | Aggregate report address  | mailto:address@example.com
ruf=     | Forensic report address   | mailto:address@example.com
sp=      | Subdomain policy          | none, quarantine, reject
adkim=   | DKIM alignment            | r (relaxed) or s (strict)
aspf=    | SPF alignment             | r (relaxed) or s (strict)
pct=     | Percentage to filter      | 1-100 (default 100)
fo=      | Failure reporting options | 0, 1, d, s

The Three DMARC Policies

DMARC gives you three policy options, and you should progress through them in order:

Policy Progression

  • p=none: monitor and collect reports. Start here.
  • p=quarantine: send to the spam folder. After reviewing your reports.
  • p=reject: block entirely. Full protection.
💡 Start with p=none. This lets you see who's sending email as your domain without blocking anything. Once you've reviewed your reports and confirmed all legitimate senders are authenticated, gradually move to quarantine and then reject.

What is DMARC Alignment?

This is the concept that makes DMARC powerful. SPF and DKIM can pass on their own, but DMARC adds an alignment check — it verifies that the domain authenticated by SPF or DKIM actually matches the domain in the From: header that the user sees.

Without alignment, an attacker could set up valid SPF for their domain while spoofing your domain in the From: field. DMARC closes this gap.

There are two alignment modes:

  • Relaxed (r) — The domains must share the same organizational (base) domain. mail.example.com aligns with example.com. Recommended for most setups.
  • Strict (s) — The domains must match exactly. mail.example.com does NOT align with example.com.
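The record tags in the table above and the alignment rules just described can be put together into a small DMARC evaluator. The following Python is an added example written for this article, not code from the page or from any DMARC library: it parses a record, applies relaxed or strict alignment, and returns either "pass" or the disposition the record asks for. The organizational-domain rule is a deliberate simplification (it takes the last two DNS labels, whereas real receivers consult the Public Suffix List), and the domains scammer.example and mail.acme.com are constructed for the Acme scenario.

```python
"""Parse a DMARC record and run the DMARC check for one message.

Added example for this article. The organizational-domain rule below is an
assumption: it keeps the last two labels, while real receivers use the
Public Suffix List (which also handles suffixes such as co.uk).
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Turn a 'v=DMARC1; p=...; ...' TXT value into a dict with defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 and p= are the only required tags; the rest have defaults.
    if tags.get("v") != "DMARC1":
        raise ValueError("record must declare v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:            # RFC 7489 permits 0-100
        raise ValueError("pct= must be in the range 0-100")
    tags["pct"] = pct
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: dict, record_domain: str, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the disposition the record asks for on failure.

    spf_domain is the envelope-sender (MAIL FROM) domain that SPF checked;
    dkim_domain is the d= domain of a signature that verified.
    DMARC passes when either mechanism passed AND aligns with From:.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A failing message with From: at a subdomain gets the sp= policy, otherwise p=.
    if from_domain.lower() != record_domain.lower():
        return record["sp"]
    return record["p"]


if __name__ == "__main__":
    # The record shown in the article, then the Acme scenario with p=reject.
    print(parse_dmarc("v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; adkim=r; aspf=r"))
    acme = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@acme.com")
    # Scammer (constructed): SPF passes for their own domain, nothing aligns with acme.com.
    print(evaluate(acme, "acme.com", "acme.com", "pass", "scammer.example", "none", ""))
    # Legitimate mail signed with d=mail.acme.com: relaxed DKIM alignment passes.
    print(evaluate(acme, "acme.com", "acme.com", "fail", "", "pass", "mail.acme.com"))
```

The scammer's message in the article fails here for exactly the reason the text gives: SPF may pass for the domain the scammer controls, but that domain does not align with acme.com, and there is no aligned DKIM signature, so the p=reject disposition applies. Switching the record to adkim=s makes mail signed by mail.acme.com fail as well, which is why relaxed alignment is the usual starting point.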

Why You Need DMARC

  • 🛡️ Prevent phishing: stop attackers from sending emails that appear to come from your domain
  • 📬 Improve deliverability: email providers trust authenticated domains, so your emails are more likely to reach the inbox
  • 👁️ Gain visibility: daily reports show you every source sending email as your domain, legitimate or not
  • Meet requirements: Google, Yahoo, and Microsoft now require DMARC for bulk senders. PCI DSS 4.0 recommends it.

Getting Started

Setting up DMARC takes about 5 minutes:

  1. Generate your DMARC record — Use our DMARC Record Generator to create a record with monitoring enabled
  2. Add it to your DNS — Create a TXT record at _dmarc.yourdomain.com
  3. Review your reports — Within 24-48 hours, you'll start receiving aggregate reports
  4. Authenticate your senders — Make sure all legitimate email sources have proper SPF and DKIM
  5. Enforce your policy — Gradually move from p=none to p=quarantine to p=reject
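Step 3 is where the rua= address from the record comes into play: receivers send XML aggregate reports that list each IP sending as your domain and whether it passed. The following Python is an added example for this article, not code from the page or from any DMARC tool. It summarizes one report in the RFC 7489 aggregate layout; the report itself (organization name, IP addresses and counts) is constructed for illustration.

```python
"""Summarize a DMARC aggregate (rua) report to find unauthenticated senders.

Added example for this article. SAMPLE_REPORT is a constructed report in the
RFC 7489 aggregate-report XML layout; its org name, IPs and counts are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>acme.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acme.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>acme.com</domain><result>pass</result></dkim>
      <spf><domain>acme.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acme.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str) -> dict:
    """Extract the published policy and one entry per sending source."""
    root = ET.fromstring(report_xml)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # <policy_evaluated> holds the *aligned* DKIM and SPF verdicts, so DMARC
        # passed for this source if either one is "pass".
        dmarc_pass = (evaluated.findtext("dkim") == "pass"
                      or evaluated.findtext("spf") == "pass")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dmarc_pass": dmarc_pass,
            "disposition": evaluated.findtext("disposition"),
            # Raw results show which domain actually authenticated, which is
            # how you spot an unaligned (but SPF-valid) third-party sender.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return summary


def failing_sources(summary: dict) -> list:
    """Sources whose mail failed DMARC: either forgotten legitimate senders
    that still need SPF/DKIM, or spoofing attempts to watch for."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(f"{report['reporter']} reported on {report['domain']} (p={report['policy']})")
    for src in report["sources"]:
        status = "pass" if src["dmarc_pass"] else "FAIL"
        print(f"  {src['ip']:>15}  {src['count']:>5} msgs  {status}  "
              f"spf={src['spf_domain']} dkim={src['dkim_domain']}")
    print("needs attention:", [s["ip"] for s in failing_sources(report)])
```

Real reports arrive as gzip- or zip-compressed XML attachments, so in practice you decompress the attachment before passing its contents to summarize(). A source that shows up in failing_sources() with a high count is the thing to resolve before moving from p=none to p=quarantine: either it is a legitimate service that still needs aligned SPF or DKIM (step 4), or it is someone else sending as your domain.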

Ready to protect your domain?

Generate your DMARC record and start monitoring in under 5 minutes — completely free.

Generate Your DMARC Record →

Related Topics

What is SPF? →
Sender Policy Framework explained
What is DKIM? →
DomainKeys Identified Mail explained
SPF vs DKIM vs DMARC →
How they work together