DMARC is a way to stop people from sending fake emails that look like they come from your business. Think of it as a “return address verification” system for email — it lets you tell email providers like Gmail and Outlook: “Here’s how to check if an email is really from us, and what to do if it’s not.” (The full name is Domain-based Message Authentication, Reporting & Conformance, but you don’t need to remember that.)

The Problem: Anyone Can Fake Your Email Address

To understand why DMARC matters, imagine this scenario:

❌ Without DMARC

Alice works at Acme Corp (acme.com). A scammer wants to trick Bob, one of Acme’s clients, into wiring money to a fake account.

The scammer sets up a random mail server and sends an email to Bob with the From address set to alice@acme.com. The email says “Hi Bob, our bank details have changed — please send this month’s payment to this new account.”

Bob’s email provider (say Gmail) receives the message. It looks at the “From” field and sees alice@acme.com — but it has no way to know this is fake. Email was invented in the 1980s without any way to verify who really sent a message. The “From” address is just text that anyone can type in, like writing any return address on an envelope.

The email lands in Bob’s inbox looking completely legitimate. Bob trusts it, follows the instructions, and loses money.

✅ With DMARC

Now imagine Acme Corp has set up DMARC. They’ve published a simple setting in their domain’s public directory (called a DNS record) that says: “Only these specific servers are authorised to send email from acme.com. If anything else shows up claiming to be us — reject it.”

The scammer sends the same fake email. But this time, when Gmail receives it, it checks acme.com’s DMARC settings. Gmail sees that the email didn’t come from a server that Acme authorised, and the security signatures don’t match.

Acme’s DMARC policy says p=reject, so Gmail blocks the email entirely. It never reaches Bob’s inbox.

Meanwhile, Acme Corp gets a daily report showing that someone tried to spoof their domain — so they know about the attack even though it was stopped.

How DMARC Works

DMARC works by adding a simple setting to your domain’s public directory (called a DNS record) that tells email providers three things:

1. Verify the sender: When an email arrives claiming to be from your domain, check whether it was actually sent by a server you authorised
2. Set a policy: What to do with emails that aren’t genuinely from you: let them through (monitor only), send them to spam, or block them entirely
3. Report back: Send you daily reports showing who’s been sending (or trying to send) email using your domain name

What Happens When an Email Arrives

📧 Email Arrives → Check SPF ✓ | Check DKIM ✓ → Was it genuinely sent by who it claims?

  • YES ✓ → ✅ DMARC Pass — Deliver
  • NO ✗ → ❌ DMARC Fail — Apply Policy

What Does a DMARC Record Look Like?

A DMARC record is a short piece of text that you add to your domain’s settings (specifically, a TXT entry in your domain’s public directory, known as DNS). It lives at _dmarc.yourdomain.com and looks like this:

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; adkim=r; aspf=r

Don’t worry about memorising this — here’s what each part means:

| Setting | What It Does | Options |
|---|---|---|
| v=DMARC1 | Version identifier (required) | Always DMARC1 |
| p= | Your policy — what to do with fakes (required) | none (monitor only), quarantine (send to spam), reject (block) |
| rua= | Where to send daily summary reports | mailto:address@example.com |
| ruf= | Where to send detailed failure reports | mailto:address@example.com |
| sp= | Policy for subdomains (e.g. mail.yourdomain.com) | none, quarantine, reject |
| adkim= | How strictly to match the DKIM signing domain | r (relaxed) or s (strict) |
| aspf= | How strictly to match the SPF sender domain | r (relaxed) or s (strict) |
| pct= | What percentage of failing emails to apply the policy to | 1–100 (default 100) |
| fo= | Failure reporting options | 0, 1, d, s |

Your Three Protection Levels

DMARC gives you three levels of protection. You start at the lowest and work your way up as you gain confidence:

  • p=none: Monitor & collect reports. Start here ✦
  • p=quarantine: Send to spam folder. After review ✦✦
  • p=reject: Block entirely. Full protection ✦✦✦

💡 Start with “monitor only” (p=none). This lets you see who’s sending email as your domain without blocking anything. Once you’ve reviewed your reports and confirmed all your real email is passing, gradually move to quarantine and then reject. See our step-by-step guide →

How DMARC Catches Impostors (Alignment)

This is the clever part. Even if a scammer sets up their own email server with all the right security settings for their domain, DMARC checks whether the verified domain actually matches the “From” address that your customers see. This matching process is called alignment.

In plain terms: it’s not enough for an email to prove someone sent it — it has to prove that the right someone sent it. The verified identity has to match the “From” address.

There are two matching modes:

  • Relaxed — Subdomains are allowed. An email from mail.example.com counts as a match for example.com. This is the default and works for most businesses.
  • Strict — The domains must match exactly. mail.example.com would NOT count as a match for example.com.

For a deeper dive, see Understanding DMARC Alignment.
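The alignment check and the pass/fail decision described above, as an added Python example that is not code from the original page. It goes slightly beyond the text: relaxed mode is implemented as "same organisational domain", which is why it needs a public-suffix list. PUBLIC_SUFFIXES here is a tiny constructed stand-in for the real Public Suffix List, and the function names and sample domains are this example's own; sp= and pct= handling are left out.

```python
# Added example: DMARC alignment and the resulting disposition.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def org_domain(domain):
    """Organisational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed) compares organisational domains; 's' (strict) exact names."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(from_domain, spf, dkim, record):
    """spf and dkim are (passed, authenticated_domain) pairs from the receiver's checks.
    Returns 'deliver' on DMARC pass, otherwise the action the policy asks for."""
    spf_ok = spf[0] and aligned(from_domain, spf[1], record.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], record.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "deliver"
    return {"none": "deliver (report only)", "quarantine": "spam folder",
            "reject": "reject"}[record["p"]]

if __name__ == "__main__":
    policy = {"p": "reject"}
    # Constructed cases. 1: SPF and DKIM both pass, but for the sender's own
    # unrelated domain, so nothing aligns with the From address acme.com.
    print(evaluate("acme.com", (True, "mailer-example.net"),
                   (True, "mailer-example.net"), policy))
    # 2: forwarded mail, SPF broken, Acme's DKIM signature still valid.
    print(evaluate("acme.com", (False, "fwd.example.org"), (True, "acme.com"), policy))
```

Without the suffix list, a naive "last two labels" comparison would treat acme.co.uk and any other .co.uk domain as aligned, which is the failure mode org_domain avoids.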

Why Your Business Needs DMARC

  • Stop fake emails: Prevent scammers from sending emails that look like they come from your business — protecting your customers and reputation
  • Get your emails delivered: Email providers like Gmail and Outlook are more likely to deliver your real emails to the inbox (not spam) when your domain is properly set up
  • See who’s using your name: Get daily reports showing every server that sent (or tried to send) email using your domain — so you always know what’s happening
  • Meet industry requirements: Google, Yahoo, and Microsoft now require DMARC for bulk email senders. Many industry standards (like PCI DSS 4.0) recommend it too.

Getting Started

Setting up DMARC takes about 5 minutes. Here’s the path:

  1. Generate your DMARC record — Use our DMARC Record Generator to create your settings (we’ll guide you through the options)
  2. Add it to your domain — Paste the record into your domain’s DNS settings (we have step-by-step guides for every major provider)
  3. Review your reports — Within 24–48 hours, you’ll start getting daily summaries showing who’s sending email as your domain
  4. Fix any issues — Make sure all your legitimate email sources (your mail server, marketing tools, CRM, etc.) are properly verified
  5. Strengthen your protection — Once everything looks good, gradually increase your protection level from “monitor” to “quarantine” to “reject”
