---
title: "What is DMARC? Domain-Based Message Authentication Explained | DMARC Report"
description: "DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that tells receiving mail servers what to do when SPF or DKIM checks fail. Learn how DMARC works, what each policy does, and how to implement it."
image: "https://dmarcreport.com/images/og-default.png"
canonical: "https://dmarcreport.com/what-is-dmarc/"
---


# What is DMARC?

**DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that tells receiving mail servers what to do when SPF or DKIM checks fail.** Without DMARC, a receiver knows an email failed authentication but has no instruction on whether to reject it, quarantine it, or let it through. DMARC closes that gap.

DMARC is defined in [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489) and is required by Google, Yahoo, and PCI DSS v4.0 for bulk senders and customer-facing domains.

[Check Your DMARC Record →](/tools/dmarc-checker/) · [How It Works](#how-dmarc-works)

Written by the **DMARC Report Security Team** | Last reviewed: **April 2026** | 10 min read 


## Who requires DMARC?

DMARC has moved from optional best practice to mandatory compliance across government, financial, healthcare, and critical infrastructure sectors worldwide.

### Government Mandates

- **[CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01)** (US Federal): All federal executive branch domains must implement DMARC with p=reject.
- **[CISA BOD 25-01](https://www.cisa.gov/news-events/directives/bod-25-01)** (US Federal): Extends email authentication baselines and aligns with the Microsoft, Google, and Yahoo sender mandates.
- **[UK NCSC Cyber Assessment Framework](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing)** (United Kingdom): Central government domains must implement DMARC, SPF, DKIM, and TLS. All domains, including parked domains, require DMARC records.
- **[ASD Essential Eight](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email)** (Australia): The Australian Signals Directorate states that DMARC is critical and should be implemented now, irrespective of existing controls.
- **[CCCS Email Domain Protection](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection)** (Canada): Federal departments must implement DMARC, SPF, and DKIM, starting at a minimum of p=none with phased progression to p=reject.

### Industry Standards

- **[PCI DSS v4.0](https://www.pcisecuritystandards.org/)** (Global, payment): Anti-phishing mechanisms including DMARC are required as of March 31, 2025 for all organizations processing payment card data.
- **[NIST SP 800-177](https://csrc.nist.gov/pubs/sp/800/177/r1/final)** (US, guidance): Recommends DMARC with p=reject as the target policy. Publish records on all domains, including non-sending domains.
- **[CIS Control 9.5](https://www.cisecurity.org/)** (Global): Implement DMARC to lower the chance of spoofed or modified emails from valid domains.
- **[EU NIS2 Directive](https://www.nis-2-directive.com/)** (European Union): Requires robust cybersecurity measures including email security controls. DMARC strengthens NIS2 compliance alongside GDPR and PCI DSS.
- **ISO 27001** (Global): Information security management standard. DMARC implementation supports Annex A controls for communications security.

### Email Provider Requirements

- **[Google Sender Guidelines](https://support.google.com/a/answer/81126)** (Global): Bulk senders (5,000+ messages/day to Gmail) must have DMARC with at minimum p=none since February 2024.
- **Yahoo Sender Requirements** (Global): Bulk senders must authenticate with DMARC alongside SPF and DKIM since February 2024.
- **[Microsoft Outlook Enforcement](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure)** (Global): Starting May 5, 2025, Microsoft rejects email failing DMARC from high-volume senders to Outlook.com, Hotmail, and Live.com.
- **Apple Mail (iCloud)** (Global): Apple enforces DMARC policies on iCloud Mail domains, rejecting messages that fail authentication with p=reject.
- **Cyber Insurance Policies** (Global): 60% of BEC claims originate from domains without enforcement. Insurers increasingly require SPF, DKIM, and DMARC as underwriting conditions.


## Email was built without sender verification

The SMTP protocol has no built-in way to verify that the person in the "From" field actually sent the message. Anyone can send email claiming to be anyone. DMARC fixes this.

### Without DMARC

1. An attacker sends email as ceo@yourcompany.com.
2. The message fails SPF and DKIM.
3. The receiver has no policy instruction, so the message is delivered to the inbox.

### With DMARC (p=reject)

1. An attacker sends email as ceo@yourcompany.com.
2. The message fails SPF and DKIM.
3. The receiver looks up the DMARC policy: p=reject.
4. Alignment fails: neither SPF nor DKIM matches the From domain.
5. The message is rejected and never reaches the recipient.


## Three steps, every email

DMARC builds on SPF and DKIM by adding policy enforcement and reporting. Here is what happens when a DMARC-protected email arrives at a receiving server.

### 1. Sender publishes a DMARC record

The domain owner adds a TXT record at `_dmarc.domain.com` in DNS. This record contains the policy (none, quarantine, or reject) and the reporting address.

### 2. Receiver checks SPF + DKIM alignment

When an email arrives, the receiving server checks whether SPF or DKIM passes AND whether the authenticated domain aligns with the From header domain. This alignment check is what makes DMARC different from SPF or DKIM alone.

### 3. Policy applied, report sent

If alignment fails, the receiver applies the published policy: deliver normally (none), route to spam (quarantine), or reject entirely. Either way, the receiver sends an aggregate report back to the domain owner.


## Inside a DMARC record

A DMARC record is a DNS TXT record published at `_dmarc.yourdomain.com`. Each tag controls a specific behavior.

DNS TXT record at `_dmarc.example.com`:

```text
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=r; pct=100; fo=1
```

| Tag | Required | Meaning | Example |
|-----|----------|---------|---------|
| `v=` | Yes | Protocol version identifier. Must be the first tag in every DMARC record. | `v=DMARC1` |
| `p=` | Yes | Policy for the domain: none (monitor), quarantine (spam folder), or reject (block). | `p=reject` |
| `rua=` | No | Address to receive aggregate reports: XML summaries of authentication results sent daily by receivers. | `rua=mailto:dmarc@example.com` |
| `ruf=` | No | Address to receive forensic reports: per-message failure details for investigating spoofing attempts. | `ruf=mailto:forensic@example.com` |
| `sp=` | No | Subdomain policy. Overrides the main policy for subdomains. Defaults to the p= value if not set. | `sp=reject` |
| `adkim=` | No | DKIM alignment mode: strict (s) requires an exact domain match, relaxed (r) allows subdomain alignment. | `adkim=r` |
| `aspf=` | No | SPF alignment mode: strict (s) requires an exact domain match, relaxed (r) allows subdomain alignment. | `aspf=r` |
| `pct=` | No | Percentage of failing messages the policy applies to. Use for gradual rollout (e.g., pct=10, then increase). | `pct=100` |
| `fo=` | No | Forensic report options. Controls when forensic reports are generated (0 = both fail, 1 = either fails, d = DKIM fail, s = SPF fail). | `fo=1` |
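To make the tag semantics concrete, here is an added example (not code from the DMARC Report site or product) that parses the record shown above, fills in the RFC 7489 defaults for absent tags, rejects malformed records, and resolves which policy applies to a subdomain via `sp=`. The record text is the one from this section; the names `SAMPLE_RECORD`, `parse_dmarc`, `effective_policy` and `report_addresses` are chosen for this example.

```python
"""Parse and validate a DMARC TXT record and derive the effective policy.

Added example, not code from dmarcreport.com. Tag semantics and defaults
follow RFC 7489 section 6.3.
"""
from __future__ import annotations

# The record shown on the page, used here as constructed input
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
    "ruf=mailto:forensic@example.com; adkim=s; aspf=r; pct=100; fo=1"
)

# Values RFC 7489 assigns to optional tags when they are absent
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and enforce the required tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    # v=DMARC1 must be the first tag and p= must be present
    first = next(iter(tags), None)
    if first != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    merged = {**DEFAULTS, **tags}
    if merged["p"] not in POLICIES or merged.get("sp", merged["p"]) not in POLICIES:
        raise ValueError("p= and sp= must be none, quarantine or reject")
    if merged["adkim"] not in ("r", "s") or merged["aspf"] not in ("r", "s"):
        raise ValueError("adkim= and aspf= must be r or s")
    if not 0 <= int(merged["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for opt in merged["fo"].split(":"):
        if opt not in ("0", "1", "d", "s"):
            raise ValueError(f"invalid fo= option {opt!r}")
    return merged


def effective_policy(tags: dict[str, str], from_domain: str, record_domain: str) -> str:
    """Policy that applies to mail whose From domain is from_domain.

    sp= overrides p= only for subdomains of the domain that published the
    record; mail from the record domain itself always gets p=.
    """
    is_subdomain = from_domain != record_domain and from_domain.endswith("." + record_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


def report_addresses(tags: dict[str, str], kind: str = "rua") -> list[str]:
    """Return the mailto: URIs listed for aggregate (rua) or forensic (ruf) reports."""
    value = tags.get(kind, "")
    uris = [u.strip() for u in value.split(",") if u.strip()]
    return [u for u in uris if u.lower().startswith("mailto:")]


if __name__ == "__main__":
    parsed = parse_dmarc(SAMPLE_RECORD)
    print(parsed)
    print("policy for news.example.com:", effective_policy(parsed, "news.example.com", "example.com"))
    print("aggregate reports go to:", report_addresses(parsed))
```

The validation mirrors what a DMARC checker tool flags: a record that does not begin with `v=DMARC1`, lacks `p=`, or carries an unknown policy value is ignored by receivers entirely, which silently leaves the domain with no policy at all.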


## The three DMARC policies

Every DMARC journey follows the same path: monitor, quarantine, reject. Each policy builds on the previous one. [Learn more about DMARC policies](/dmarc-policy/).

### `p=none`: Monitor only

Receivers take no action on failed messages. Reports are still sent, giving you visibility into who sends email from your domain.

- **When to use:** Starting out, when you need to identify all legitimate senders before enforcing.
- **Risk level:** None. No email is affected. This is a monitoring-only mode.

### `p=quarantine`: Route to spam

Failing messages are routed to the spam or junk folder. Recipients can still find them, but they are flagged as suspicious.

- **When to use:** After 90+ days of monitoring with p=none and fixing all legitimate sender failures.
- **Risk level:** Moderate. Misconfigured legitimate senders will land in spam.

### `p=reject`: Block entirely

Failing messages are rejected at the SMTP level. The recipient never sees them. This is full enforcement.

- **When to use:** After 90+ days at p=quarantine with all legitimate mail consistently passing.
- **Risk level:** Low if properly prepared. Unauthorized senders are blocked completely.


## How SPF, DKIM, and DMARC work together

Each protocol solves a different part of the email authentication puzzle. SPF authorizes sending servers. DKIM guarantees message integrity. DMARC ties them together with alignment and policy.

- `SPF`  
Verifies the sending server IP is authorized by the domain's DNS record. Checks the envelope sender (Return-Path).  
[Check SPF record →](/tools/spf-checker/)
- `DKIM`  
Attaches a cryptographic signature to the email headers. The receiving server verifies the signature against a public key in DNS.  
[Check DKIM record →](/tools/dkim-lookup/)
- `DMARC`  
Requires that either SPF or DKIM passes AND aligns with the From header domain. Publishes policy for failures and enables reporting.  
[Check DMARC record →](/tools/dmarc-checker/)

**DMARC alignment check** (example headers):

| Header | Value | Role |
|--------|-------|------|
| From (visible) | ceo@example.com | What the recipient sees |
| Return-Path | bounce@example.com | Checked by SPF |
| DKIM `d=` | example.com | Checked by DKIM |

DMARC result: **PASS** (SPF aligned, DKIM aligned).
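The three-step flow described earlier and the alignment table above reduce to a few lines of logic. The following added example (not code from this page or from the DMARC Report product) implements RFC 7489 identifier alignment in strict and relaxed mode, the "either SPF or DKIM passes AND aligns" rule, and `pct=` sampling with its downgrade to the next weaker policy. The tiny `PUBLIC_SUFFIXES` set is a stand-in for the real Public Suffix List and is an assumption of this demo; the function and class names are chosen here, and the message scenarios are constructed.

```python
"""Evaluate DMARC alignment and decide the disposition of one message.

Added example, not code from dmarcreport.com. Alignment follows RFC 7489
section 3.1; pct= handling follows section 6.6.4.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption for this demo).
# A real receiver uses the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label more than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str | None, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """What a receiver knows after running SPF and DKIM (constructed inputs)."""
    from_domain: str          # RFC5322.From domain, the one the recipient sees
    spf_domain: str | None    # RFC5321.MailFrom (Return-Path) domain SPF evaluated
    spf_pass: bool
    dkim_domain: str | None   # d= of a signature that verified, or None
    dkim_pass: bool


def dmarc_pass(r: AuthResults, adkim: str = "r", aspf: str = "r") -> tuple[bool, list[str]]:
    """DMARC passes when at least one identifier both passed and aligned."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, adkim)
    reasons = [
        "SPF " + ("aligned" if spf_ok else "failed or not aligned"),
        "DKIM " + ("aligned" if dkim_ok else "failed or not aligned"),
    ]
    return spf_ok or dkim_ok, reasons


def disposition(policy: str, pct: int, message_id: str, passed: bool) -> str:
    """Apply p= to a failing message, honouring pct= with a deterministic sample.

    Messages outside the pct sample get the next weaker policy
    (reject -> quarantine, quarantine -> none), as RFC 7489 describes.
    """
    if passed or policy == "none":
        return "none"
    # Hash the message id so retries of the same message are treated consistently
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    if bucket < pct:
        return policy
    return "quarantine" if policy == "reject" else "none"


if __name__ == "__main__":
    # The page's example: every identifier is example.com, so DMARC passes
    legit = AuthResults("example.com", "example.com", True, "example.com", True)
    # A message with the same visible From but authenticated for a different domain:
    # SPF and DKIM each pass for that other domain, yet neither aligns, so DMARC fails
    spoofed = AuthResults("example.com", "other.example.net", True, "other.example.net", True)
    for label, msg in (("legit", legit), ("spoofed", spoofed)):
        ok, why = dmarc_pass(msg, adkim="s", aspf="r")
        print(label, "PASS" if ok else "FAIL", why, "->", disposition("reject", 100, label, ok))
```

The `spoofed` case is the whole reason alignment exists: SPF and DKIM on their own report a pass for the domain that actually sent the message, and only DMARC asks whether that domain is the one in the visible From header.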

- **90%** of cyberattacks start with email
- **$4.88M** average data breach cost (IBM, 2024)
- **80%** of DMARC domains never enforce
- **9-18** months to full enforcement


## How to set up DMARC

DMARC deployment follows a phased approach. Rushing to enforcement without monitoring causes legitimate email to be blocked. Plan for 9 to 18 months from first record to full p=reject.

### 1. Configure SPF

Publish an SPF TXT record listing every IP address and service authorized to send email for your domain. Keep it under 10 DNS lookups.

[Check your SPF record →](/tools/spf-checker/)

### 2. Configure DKIM

Enable DKIM signing on every sending source (your mail server, Google Workspace, Microsoft 365, marketing platforms) so outbound messages carry a cryptographic signature.

[Discover DKIM selectors →](/tools/dkim-lookup/)

### 3. Publish DMARC at p=none

Add a DMARC TXT record at `_dmarc.yourdomain.com` starting with p=none and a rua= address to receive aggregate reports.

[Validate your DMARC record →](/tools/dmarc-checker/)

### 4. Monitor reports for 90+ days

Analyze aggregate reports to identify every sender, fix authentication failures, and confirm all legitimate mail passes SPF or DKIM alignment.

[Start monitoring with DMARC Report →](/)

### 5. Enforce with quarantine, then reject

Move to p=quarantine, monitor for another 90+ days, then advance to p=reject. Use pct= for gradual rollout. The full journey takes 9-18 months.

[Learn about DMARC policies →](/dmarc-policy/) 


## Frequently asked questions

### What is DMARC in simple terms?

DMARC is an email security protocol that lets domain owners tell receiving mail servers what to do when an email fails authentication checks. It prevents attackers from sending emails that appear to come from your domain, protecting your brand and your recipients from phishing.

### How long does DMARC take to implement?

Publishing a DMARC record at p=none takes minutes. However, reaching full enforcement at p=reject typically takes 9 to 18 months. Each phase (none, quarantine, reject) requires at least 90 days of monitoring to identify and fix all legitimate sending sources.

### Does DMARC stop all phishing?

DMARC stops direct domain spoofing - attackers cannot send email that passes authentication using your exact domain. It does not prevent lookalike domain attacks (e.g., examp1e.com) or phishing from unrelated domains. DMARC is one layer in a defense-in-depth email security strategy.

### What is the difference between SPF, DKIM, and DMARC?

SPF verifies that a sending server is authorized by the domain owner. DKIM attaches a cryptographic signature to prove the message was not altered in transit. DMARC ties them together by requiring that either SPF or DKIM passes AND aligns with the From header domain, then tells receivers what to do when authentication fails.

### Is DMARC required?

Yes - DMARC is mandatory under multiple frameworks. US federal agencies must implement p=reject under CISA BOD 18-01. PCI DSS v4.0 requires DMARC as of March 2025. Google, Yahoo, and Microsoft require DMARC for bulk senders. The UK NCSC, Australia ASD, and Canada CCCS all mandate DMARC for government domains. EU NIS2 strengthens the case for DMARC in critical infrastructure. Many cyber insurance policies now require SPF, DKIM, and DMARC enforcement as underwriting conditions.

### What is a DMARC aggregate report?

An aggregate report (RUA) is an XML file sent daily by receiving mail servers. It summarizes authentication results for all messages claiming to be from your domain - showing which senders passed or failed SPF and DKIM, and what policy was applied. DMARC Report converts these XML files into visual dashboards.
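An added example (not DMARC Report's code) of what reading an aggregate report looks like in practice: it parses a constructed `rua` XML document in the RFC 7489 Appendix C schema using only the standard library, and lists the sending sources whose messages failed, which is the triage an operator performs during the p=none phase. The report contents, IP addresses and domain names below are constructed for this demo, and the function names are chosen here.

```python
"""Parse a DMARC aggregate (rua) report and summarize it per sending source.

Added example, not code from dmarcreport.com. The XML is a constructed
report in the RFC 7489 Appendix C schema, not one from a real receiver.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one authenticated source, one legitimate-looking
# third-party sender whose SPF passes for its own domain but does not align,
# and one unknown source that fails everything.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-mailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>400</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unknown.example.org</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text: str) -> dict:
    """Return report metadata, the published policy, and per-source pass/fail counts."""
    root = ET.fromstring(xml_text)
    meta = {
        "org": root.findtext("report_metadata/org_name"),
        "report_id": root.findtext("report_metadata/report_id"),
        "policy": root.findtext("policy_published/p"),
    }
    sources: dict[str, dict] = defaultdict(
        lambda: {"pass": 0, "fail": 0, "spf_domains": set(), "dkim_domains": set()}
    )
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; either one passing is a DMARC pass
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        src = sources[ip]
        src["pass" if passed else "fail"] += count
        # Raw auth_results show which domain actually authenticated, aligned or not
        for d in rec.findall("auth_results/spf/domain"):
            src["spf_domains"].add(d.text)
        for d in rec.findall("auth_results/dkim/domain"):
            src["dkim_domains"].add(d.text)
    return {"meta": meta, "sources": dict(sources)}


def failing_sources(summary: dict, min_messages: int = 1) -> list[tuple[str, int]]:
    """Sources with at least min_messages failures, most failures first.

    At p=none the operator decides, per source, whether it is a legitimate
    sender that needs SPF or DKIM fixed or traffic that should keep failing.
    """
    rows = [(ip, s["fail"]) for ip, s in summary["sources"].items() if s["fail"] >= min_messages]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    summary = parse_report(SAMPLE_REPORT)
    print(summary["meta"])
    for ip, fails in failing_sources(summary):
        print(ip, fails, "failing messages; SPF domains seen:", summary["sources"][ip]["spf_domains"])
```

The source 198.51.100.7 is the typical finding: its SPF passes for `bulk-mailer.example.net`, so the provider is real, but nothing aligns with `example.com`. The fix is configuration (a custom Return-Path or a DKIM signature with `d=example.com`), not a block. The 203.0.113.99 traffic, with no domain of yours authenticating at all, is what enforcement is meant to stop.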

### Can DMARC break my email delivery?

At p=none, DMARC cannot affect email delivery - it is monitoring only. At p=quarantine or p=reject, messages from legitimate senders that fail authentication will be affected. This is why a phased approach with 90+ days of monitoring at each stage is essential before enforcement.

[See all DMARC FAQs →](/dmarc-faq/) 

