DMARC Implementation Guide

Configure DMARC to protect your domain from email spoofing and receive reports on email authentication.

Intermediate · 8 min read

Quick Overview

1. Set Up SPF/DKIM
2. Create Policy
3. Add DNS Record
4. Monitor Reports

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to:

1. Tell receiving servers what to do when SPF/DKIM fail
2. Get reports about emails using your domain
3. Prevent domain spoofing and phishing

Google and Yahoo have required DMARC for bulk senders since February 2024.

DMARC Record Format

DMARC is published as a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:[email protected]

The "rua" tag tells servers where to send aggregate reports about your email.

DMARC Policy Options

The policy (p=) determines what happens to failing emails:

• p=none - Monitor only, don't take action (start here)
• p=quarantine - Mark failing emails as spam
• p=reject - Block failing emails completely

Also consider:

• sp= - Policy for subdomains
• pct= - Percentage of emails to apply policy to (for gradual rollout)

DMARC Alignment

DMARC requires alignment between the "From" header and authenticated domain:

• SPF Alignment: The Return-Path domain must match the From domain
• DKIM Alignment: The DKIM signing domain (d=) must match the From domain

Either SPF OR DKIM must pass AND align for DMARC to pass.

Third-party senders (marketing platforms, CRMs) may break alignment. Configure them to use your domain for signing.

Implementation Steps

1. Start with monitoring:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]

2. Wait and analyze reports for 2-4 weeks

3. Fix authentication issues for legitimate senders

4. Move to quarantine:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

5. Gradually increase pct to 100%

6. Finally, move to reject:

v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s

adkim=s and aspf=s enforce strict alignment for maximum protection.

Reading DMARC Reports

Aggregate reports (rua) are XML files sent daily. They show:

• IP addresses sending email as your domain
• SPF and DKIM results for each source
• Volume of emails from each source

Use services like Postmark DMARC, DMARC Analyzer, or parse them yourself.

Common Pitfalls to Avoid

  • Starting with p=reject

    Always start with p=none to monitor. Jumping to reject can block legitimate email.

  • Missing rua address

    Without aggregate reports, you cannot see who is sending email as your domain.

  • Third-party alignment issues

    Marketing platforms and CRMs may not align. Configure them to use your domain for signing.

  • Ignoring subdomain policy

    Set sp= to protect subdomains, or attackers may spoof them instead.

Check Your Configuration

Use IntoDNS.ai to verify your setup is correct