DMARC Implementation Guide
Configure DMARC to protect your domain from email spoofing and receive reports on email authentication.
Quick Overview
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) is the policy layer that sits on top of SPF and DKIM. SPF and DKIM each produce a pass/fail result, but neither tells a receiver what to do with a failure, and neither protects the From: address that recipients actually see. DMARC closes both gaps:
1. Alignment — it requires that a passing SPF or DKIM result be tied to the same domain shown in the From: header, defeating the spoofing that SPF and DKIM alone allow. 2. Policy — it tells receivers whether to monitor, quarantine, or reject mail that fails DMARC. 3. Reporting — it instructs receivers to send you aggregate (and optionally forensic) reports, giving you visibility into every source sending as your domain.
Since February 2024, Google and Yahoo require a DMARC record for bulk senders (5,000+ messages/day), making DMARC effectively mandatory for any serious sender.
How DMARC Works: Alignment
DMARC's core mechanism is identifier alignment. A message passes DMARC only if at least one of the following is true:
• SPF alignment — SPF passes AND the envelope MAIL FROM domain matches the From: header domain. • DKIM alignment — a DKIM signature passes AND its d= domain matches the From: header domain.
Either path is sufficient; you do not need both. Alignment can be relaxed (default) — where a subdomain like mail.yourdomain.com aligns with the organizational domain yourdomain.com — or strict, where the domains must match exactly. This is why a message can pass raw SPF yet fail DMARC: if SPF authenticated bounce.sendgrid.net while the From: shows yourdomain.com, SPF passes but does not align.
Third-party senders (ESPs, CRMs, helpdesks) commonly pass SPF/DKIM for their own domain, not yours — so they fail DMARC alignment. Configure them to DKIM-sign with your domain (custom signing domain / CNAME setup) before enforcing.
DMARC Record Format
DMARC is a single TXT record published at the _dmarc subdomain. A minimal monitoring record looks like this:
# DNS name: _dmarc.yourdomain.com
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comThe record must live at _dmarc.yourdomain.com (and _dmarc.subdomain for an explicit subdomain policy), not at the root.
DMARC Tag Reference
A DMARC record is a list of tag=value pairs. v and p are required; the rest are optional but rua is strongly recommended:
| Tag | Required | Purpose / values |
|---|---|---|
| v | yes | Version, must be DMARC1 (first tag) |
| p | yes | Policy for the organizational domain: none | quarantine | reject |
| sp | no | Policy for subdomains; inherits p if omitted |
| rua | no* | Aggregate report address(es), mailto: URIs |
| ruf | no | Forensic/failure report address(es) (rarely honored) |
| pct | no | Percent of mail the policy applies to (1-100, default 100); for staged rollout |
| adkim | no | DKIM alignment: r (relaxed, default) or s (strict) |
| aspf | no | SPF alignment: r (relaxed, default) or s (strict) |
| fo | no | Forensic options: 0,1,d,s (when to send ruf) |
| ri | no | Aggregate report interval in seconds (default 86400) |
rua is technically optional, but omitting it means you get no reports and lose all visibility — always include it.
Policy Options & Subdomains
The policy tag p= decides what receivers do with mail that fails DMARC:
• p=none — monitor only; take no action. The mandatory starting point. • p=quarantine — deliver failing mail to spam/junk. • p=reject — refuse failing mail at the SMTP layer. The end goal.
Two tags control rollout and scope: • pct= applies the policy to only a percentage of failing mail (e.g. pct=25), letting you ramp quarantine/reject gradually rather than all at once. • sp= sets a separate policy for subdomains. Attackers frequently spoof unused subdomains; if you do not send from subdomains, set sp=reject explicitly so they inherit strong protection regardless of p=.
Step-by-Step Rollout
Move toward enforcement in stages, driven by what the reports show — never jump straight to reject:
1. Monitor. Publish p=none with reporting and collect data for 2–4 weeks:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comSet up an inbox or a DMARC report processor for the rua address before you publish — reports start arriving within a day.
Step-by-Step Rollout (continued)
2. Fix sources. From the aggregate reports, identify every legitimate sender failing alignment and correct their SPF/DKIM (custom DKIM signing for ESPs, missing includes for SPF).
3. Quarantine a slice. Once legitimate mail aligns, move to quarantine at a low percentage and watch for fallout:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.comStep-by-Step Rollout (enforcement)
4. Ramp to 100%. Increase pct to 100 once quarantine causes no legitimate-mail problems.
5. Reject. Move to full enforcement, optionally with strict alignment and an explicit subdomain policy:
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@yourdomain.comp=none is not protection — it only monitors. A domain stuck at p=none indefinitely, or with no rua, remains fully spoofable. The goal is to reach p=quarantine or p=reject.
Reading DMARC Reports
Aggregate reports (rua) are gzipped XML files most receivers send once per day. Each report lists, per sending source: • the source IP and the volume of messages it sent as your domain, • the SPF result and whether it aligned, • the DKIM result and whether it aligned, • the DMARC disposition that was applied (none/quarantine/reject).
Use these to build an inventory of every legitimate sender before you enforce, and to spot spoofing attempts. The XML is dense; tools like Postmark's free DMARC service, dmarcian, or Valimail aggregate and visualize it, though you can parse it yourself. Forensic reports (ruf) contain redacted copies of individual failing messages but are honored by very few receivers today.
Verify and Next Step
Confirm your record is present, syntactically valid, and shows the policy and alignment you intend with our free DMARC Checker, and build or refine the record with the DMARC Record Generator.
Once DMARC is at p=quarantine or p=reject with full alignment, you have met the prerequisite for BIMI — displaying your verified brand logo in the inbox.
adkim=s and aspf=s enforce strict alignment for maximum protection, but only enable them after confirming your senders can meet exact-match alignment.
Common Pitfalls to Avoid
- Starting with p=reject
Always start with p=none to monitor. Jumping to reject can block legitimate email.
- Missing rua address
Without aggregate reports, you cannot see who is sending email as your domain.
- Third-party alignment issues
Marketing platforms and CRMs may not align. Configure them to use your domain for signing.
- Ignoring subdomain policy
Set sp= to protect subdomains, or attackers may spoof them instead.
Related tools & guides
Frequently asked questions
What is DMARC and why is it required?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to tell receiving servers what to do when authentication fails and provides reports about emails using your domain. DMARC is required by Google and Yahoo for bulk senders since February 2024, and by Microsoft for high-volume Outlook.com, Hotmail, and Live senders since 2025.
What DMARC policy should I start with?
Start with p=none (monitor only) to collect reports without affecting email delivery. After 2-4 weeks of analyzing reports and fixing authentication issues, move to p=quarantine (mark as spam), then finally p=reject (block completely).
What is DMARC alignment?
DMARC alignment means the domain in the From header must match the domain authenticated by SPF (Return-Path) or DKIM (d= signing domain). Either SPF or DKIM must pass AND align for DMARC to pass.