Understanding DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from unauthorized use, commonly known as email spoofing. Published as a DNS TXT record at the _dmarc subdomain of your domain (for example _dmarc.example.com), DMARC builds on SPF and DKIM to give domain owners control over how receiving mail servers handle mail that fails authentication, and to get reports back about who is sending mail in the domain's name.
Why DMARC Matters for Email Security
Email spoofing is a technique used by malicious actors to send emails that appear to come from your domain. Without DMARC protection, this can lead to:
- Phishing attacks targeting your customers or partners
- Brand reputation damage when fraudulent emails are sent in your name
- Financial losses from successful fraud attempts
- Reduced email deliverability as receiving servers lose trust in your domain
DMARC is now expected by major email providers. Google and Yahoo began enforcing sender requirements for bulk senders in February 2024; these include publishing a DMARC record (a p=none policy meets the minimum) and having the From domain align with SPF or DKIM. PCI DSS 4.0 requirement 5.4.1 requires controls that detect and protect personnel against phishing, and its guidance names DMARC, SPF and DKIM as examples of such controls.
How DMARC Works
DMARC builds on two existing email authentication mechanisms:
- SPF (Sender Policy Framework) — A DNS TXT record listing which IP addresses or hosts may send mail for a domain. Receivers check it against the envelope sender domain (the RFC5321.MailFrom, seen as Return-Path), not the From header the user sees.
- DKIM (DomainKeys Identified Mail) — Adds a cryptographic signature to outgoing messages. The signing domain (the d= tag of the signature) publishes its public key in DNS under a selector, and receivers verify the signature against that key.
DMARC ties these together by:
- Taking the SPF and DKIM results the receiving server has already computed
- Requiring alignment: the domain that SPF or DKIM authenticated must match the domain in the visible From header, exactly in strict mode or by sharing the same organizational domain in relaxed mode. A message passes DMARC only if at least one mechanism both passes and is aligned; a valid DKIM signature from some third-party domain counts for nothing.
- Telling receiving servers what to do with messages that fail (the p= policy)
- Sending aggregate reports (rua=) back to the domain owner with per-source authentication results, and optionally per-message failure reports (ruf=)
DMARC Policies Explained
DMARC allows you to specify what should happen to emails that fail authentication:
| Policy | Action |
|---|---|
| none | Monitor only; failing messages are delivered as usual, but reports are still sent |
| quarantine | Treat failing messages as suspicious (typically delivered to spam or junk) |
| reject | Refuse failing messages outright, normally at SMTP time |
A DMARC Record Example
A complete DMARC DNS record, published as a TXT record at _dmarc.example.com, looks like this:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r
| Tag | Purpose |
|---|---|
| v=DMARC1 | Identifies this as a DMARC record (must be the first tag) |
| p=reject | Policy for failing mail whose From domain is the domain itself |
| rua= | Where to send aggregate reports (a mailto: URI) |
| adkim=r | DKIM alignment mode (relaxed; s for strict) |
| aspf=r | SPF alignment mode (relaxed; s for strict) |
Other tags you will meet: sp= sets the policy for subdomains (defaults to the p= value), pct= limits enforcement to a percentage of failing mail (default 100), and ruf= requests per-message failure reports. If rua= points at an address in a different domain than the one publishing the record, that domain must authorize the reports with a TXT record at example.com._report._dmarc.<report-domain>, or receivers will not send them.
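The following is an added example, not the page's own code or a vendor library: it parses a record like the one above into its tags with the RFC 7489 defaults filled in, then applies the alignment rule from the "How DMARC Works" section to a message's raw SPF and DKIM results. The one simplification is the organizational-domain lookup, which here takes the last two DNS labels (an assumption; the real algorithm consults the Public Suffix List, so this is wrong for names such as example.co.uk). The AuthResult values and the bulkmailer.example vendor are constructed for illustration.

```python
"""DMARC record parsing and verdict evaluation (added example, simplified org-domain rule)."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Split the TXT value 'v=DMARC1; p=...; ...' into tags, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p= is mandatory; anything else is not a DMARC record
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs leading v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("pct", "100")      # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    """Raw SPF/DKIM outcome the receiver obtained before DMARC is applied."""
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom (Return-Path) domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= of a signature that verified, or "" if none did


def evaluate(record: dict, record_domain: str, header_from: str, auth: AuthResult) -> dict:
    """Return the DMARC verdict and the disposition the receiver should apply.

    A message passes only if at least one mechanism both passed AND is aligned with
    the visible From domain; a DKIM pass for some other domain counts for nothing.
    """
    spf_aligned = auth.spf_pass and aligned(auth.spf_domain, header_from, record["aspf"])
    dkim_aligned = auth.dkim_pass and aligned(auth.dkim_domain, header_from, record["adkim"])
    dmarc_pass = spf_aligned or dkim_aligned
    # sp= governs mail whose From domain is a subdomain of the record's domain
    policy = record["p"] if header_from.lower() == record_domain.lower() else record["sp"]
    return {
        "pass": dmarc_pass,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if dmarc_pass else policy,   # none | quarantine | reject
        "pct": int(record["pct"]),   # receivers apply the policy to this share of failures
    }


if __name__ == "__main__":
    rec = parse_dmarc_record(
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r")
    # Constructed case: a vendor authenticates as its own domain, so both mechanisms
    # pass in the raw sense but neither aligns with example.com.
    vendor = AuthResult(spf_pass=True, spf_domain="bulkmailer.example",
                        dkim_pass=True, dkim_domain="bulkmailer.example")
    print(evaluate(rec, "example.com", "example.com", vendor))
```

The vendor case is the one that surprises people when they first move to p=reject: the mail is fully authenticated, just not as your domain. The fix is to have the vendor sign with a DKIM key under your domain or use a Return-Path under your domain, not to loosen the policy.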
The Path to Full DMARC Enforcement
Most organizations start with a p=none policy to monitor their email ecosystem without affecting delivery. As you identify and authorize all legitimate email sources, you can gradually move to stricter policies:
- Monitor (p=none) — Collect aggregate reports and identify every source sending as your domain, including third-party services such as marketing, ticketing and billing platforms
- Quarantine (p=quarantine) — Start filtering unauthorized mail to spam; pct= lets you apply this to a sample of failing mail first (for example pct=10) and ramp up
- Reject (p=reject) — Block unauthorized mail entirely, once every legitimate source passes with an aligned identifier
Before each step, make the senders you found align: have third-party services DKIM-sign with your domain (they give you a selector record to publish) or use a custom Return-Path under your domain so SPF aligns. Prefer DKIM alignment where you can get it. Mail that is forwarded or relayed through a mailing list usually fails SPF, because the forwarding host is not in your SPF record, while a DKIM signature survives as long as the signed headers and body are not modified. This phased approach ensures you don't accidentally block legitimate email while strengthening your domain's security posture.
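What the monitoring phase actually produces is XML aggregate reports, one per receiver per day. The following is an added example, not the page's own code: it reads one such report and classifies each sending source as aligned, authenticated-but-unaligned (a legitimate third party that needs fixing before enforcement), or unauthenticated, and totals how much mail would be affected by moving to quarantine or reject. The report itself is constructed for illustration; its element names follow the aggregate report schema in RFC 7489 Appendix C, and the IP addresses and bulkmailer.example domain are placeholders.

```python
"""Summarize a DMARC aggregate (rua) report to find senders that would fail enforcement."""
import xml.etree.ElementTree as ET

# Constructed sample report with three sources: the domain's own servers,
# a newsletter vendor that authenticates as itself, and an unknown host.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2024-01-01-example.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- own mail servers: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- newsletter vendor: authenticates as its own domain, so nothing aligns -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>bulkmailer.example</domain><result>pass</result></dkim>
      <spf><domain>bulkmailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown host spoofing the From domain: no signature, SPF fails -->
  <record>
    <row><source_ip>203.0.113.42</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str) -> list:
    """One entry per <record>, classified by how the source would fare under p=reject."""
    root = ET.fromstring(report_xml)
    entries = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* DMARC result per mechanism;
        # auth_results carries the raw result, which may pass for some other domain.
        dmarc_pass = (evaluated.findtext("dkim") == "pass"
                      or evaluated.findtext("spf") == "pass")
        raw = rec.find("auth_results")
        mechanisms = [] if raw is None else raw.findall("dkim") + raw.findall("spf")
        raw_pass = any(m.findtext("result") == "pass" for m in mechanisms)
        if dmarc_pass:
            label = "aligned"                       # fine under any policy
        elif raw_pass:
            label = "authenticated but unaligned"   # likely a legitimate third party to fix
        else:
            label = "unauthenticated"               # spoofing, or a forgotten server
        entries.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "auth_domains": sorted({m.findtext("domain") for m in mechanisms}),
            "class": label,
        })
    return sorted(entries, key=lambda e: -e["count"])


def enforcement_impact(entries: list) -> tuple:
    """(messages that pass, messages that would be quarantined or rejected) for this report."""
    passing = sum(e["count"] for e in entries if e["class"] == "aligned")
    failing = sum(e["count"] for e in entries if e["class"] != "aligned")
    return passing, failing


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for e in summary:
        print(f'{e["source_ip"]:>15} {e["count"]:>5}  {e["class"]:<30} {e["auth_domains"]}')
    print("pass / would fail under enforcement:", enforcement_impact(summary))
```

The useful split is the middle class: sources whose auth_results show a pass for a domain that is not yours. Those are the vendors to onboard with an aligned DKIM key or Return-Path before tightening p=; the unauthenticated class is what the policy is there to stop.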
Key Benefits of DMARC
- Prevents domain spoofing — Stops attackers from putting your exact domain in the From header of mail that receivers check; it does not cover lookalike domains or display-name tricks, which need separate controls
- Improves deliverability — Email providers trust authenticated domains more
- Provides visibility — Aggregate reports show who is sending email from your domain
- Meets compliance requirements — Satisfies the Google and Yahoo sender requirements, the PCI DSS 4.0 anti-phishing guidance, and the NIST SP 800-177 recommendations for trustworthy email
- Protects your brand — Ensures only authorized systems send email on your behalf
Next Steps
- Learn about SPF and DKIM in detail
- Understand DMARC policies and when to use each one
- Check your domain's DMARC record with our free DMARC Checker