
DMARC (Domain-based Message Authentication, Reporting and Conformance)

Definition

An authentication, policy, and reporting protocol built on top of SPF and DKIM.

Expanded Explanation

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do with messages that fail authentication checks — and it gives you visibility into how your domain is being used (and abused) via detailed reporting. DMARC is the policy layer that makes SPF and DKIM actionable, and it's now effectively mandatory for bulk senders following Google and Yahoo's 2024 requirements.

How DMARC Works

DMARC is published as a TXT record in DNS at _dmarc.yourdomain.com. It defines a policy (none, quarantine, or reject) and a reporting destination. When a receiving server gets an email claiming to be from your domain, it checks SPF and DKIM. DMARC also requires "alignment": the domain in the From header must match the domain validated by SPF or DKIM. If neither SPF nor DKIM produces an aligned pass, DMARC's policy determines the outcome: p=none means take no action but report the failure; p=quarantine means route to spam; p=reject means refuse delivery.

DMARC Policies Explained

p=none is the monitoring policy — you receive reports but no enforcement action is taken on failing messages. Use this phase to understand your email ecosystem before enforcing. p=quarantine tells receivers to send failing messages to spam. This is an intermediate enforcement policy. p=reject is full enforcement — failing messages are refused entirely. Moving from none to reject should be done carefully, based on report data confirming all legitimate sending sources pass authentication.

DMARC Reporting

DMARC generates two types of reports: aggregate reports (RUA) give a daily XML summary of all messages evaluated against your DMARC policy — how many passed, how many failed, and which IPs are sending on your behalf. Forensic reports (RUF) provide details about individual failing messages. These reports are invaluable for discovering unauthorized use of your domain, identifying misconfigured sending sources, and confirming that your authentication is working correctly before tightening your policy.

DMARC and Email Deliverability

Deploying DMARC signals to ISPs that you're a responsible sender who takes authentication seriously. At p=none, the direct deliverability impact is minimal — but you gain the visibility to fix problems. At p=quarantine and p=reject, you actively prevent spammers and phishers from abusing your domain, which protects your brand reputation and keeps malicious mail from being attributed to your sending domain. Long-term, this reputation protection improves deliverability.

Checking and Setting Up DMARC

Use EmailVerify.io's free DMARC Checker at emailverify.io/tools/dmarc-checker to inspect your current DMARC record and identify issues. The DMARC Generator at emailverify.io/tools/dmarc-generator helps you build a valid DMARC record ready to publish in DNS. Getting DMARC right from the start prevents months of deliverability problems and brand damage from domain spoofing.

Common DMARC Mistakes

- Jumping to p=reject before confirming all legitimate senders are passing.
- Not monitoring RUA reports (flying blind on your own domain).
- Publishing a DMARC record without configuring SPF and DKIM first.
- Using incorrect report email addresses that can't receive XML data.
- Setting pct=100 (full enforcement) before a gradual rollout through pct values like 10, 25, 50.

Take a methodical, data-driven approach to DMARC deployment.