Email Authentication

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that tells receiving mail servers what to do when SPF or DKIM checks fail. Without DMARC, a receiver knows an email failed authentication but has no instruction on whether to reject it, quarantine it, or let it through. DMARC closes that gap.

Defined in RFC 7489 and required by Google, Yahoo, and PCI DSS v4.0 for bulk senders and customer-facing domains.

Written by the DMARC Report Security Team. Last reviewed: April 2026. 10 min read.
Compliance

Who requires DMARC?

DMARC has moved from optional best practice to mandatory compliance across government, financial, healthcare, and critical infrastructure sectors worldwide.

Government Mandates

CISA BOD 18-01 US Federal

All federal executive branch domains must implement DMARC with p=reject

CISA BOD 25-01 US Federal

Extends email authentication baselines, aligns with Microsoft/Google/Yahoo sender mandates

UK NCSC United Kingdom

Central government domains must implement DMARC, SPF, DKIM, and TLS. All domains including parked domains require DMARC records

Australian ASD Australia

Australian Signals Directorate states DMARC is critical - implement it now irrespective of existing controls

Canada CCCS Canada

Federal departments must implement DMARC, SPF, and DKIM. Minimum p=none with phased progression to p=reject

Industry Standards

PCI DSS v4.0 Global (Payment)

Anti-phishing mechanisms including DMARC required as of March 31, 2025 for all organizations processing payment card data

NIST SP 800-177 US (Guidance)

Recommends DMARC with p=reject as target policy. Publish records on all domains including non-sending domains

Implement DMARC to lower the chance of spoofed or modified emails from valid domains

EU NIS2 Directive European Union

Requires robust cybersecurity measures including email security controls. DMARC strengthens NIS2 compliance alongside GDPR and PCI DSS

ISO 27001 Global

Information security management standard - DMARC implementation supports Annex A controls for communications security

Email Provider Requirements

Google Sender Requirements Global

Bulk senders (5,000+ messages/day to Gmail) must have DMARC with at minimum p=none since February 2024

Yahoo Sender Requirements Global

Bulk senders must authenticate with DMARC alongside SPF and DKIM since February 2024

Microsoft Sender Requirements Global

Starting May 5, 2025, Microsoft rejects email failing DMARC from high-volume senders to Outlook.com, Hotmail, and Live.com

Apple Mail (iCloud) Global

Apple enforces DMARC policies on iCloud Mail domains, rejecting messages that fail authentication with p=reject

Cyber Insurance Policies Global

60% of BEC claims originate from domains without enforcement. Insurers increasingly require SPF, DKIM, and DMARC as underwriting conditions

The Problem

Email was built without sender verification

The SMTP protocol has no built-in way to verify that the person in the "From" field actually sent the message. Anyone can send email claiming to be anyone. DMARC, built on SPF and DKIM, closes this gap for your own domain.

Without DMARC

1. Attacker sends email as ceo@yourcompany.com
2. SPF fails / DKIM fails
3. Receiver has no policy instruction - message delivered to inbox

With DMARC (p=reject)

1. Attacker sends email as ceo@yourcompany.com
2. SPF fails / DKIM fails
3. Receiver checks DMARC policy: p=reject
4. Alignment fails - neither SPF nor DKIM match the From domain
5. Message rejected - never reaches recipient

How It Works

Three steps, every email

DMARC builds on SPF and DKIM by adding policy enforcement and reporting. Here is what happens when a DMARC-protected email arrives at a receiving server.

1. Sender publishes a DMARC record

The domain owner adds a TXT record at _dmarc.domain.com in DNS. This record contains the policy (none, quarantine, or reject) and the reporting address.

2. Receiver checks SPF + DKIM alignment

When an email arrives, the receiving server checks if SPF or DKIM passes AND if the authenticated domain aligns with the From header domain. This alignment check is what makes DMARC different from SPF or DKIM alone.

3. Policy applied, report sent

If alignment fails, the receiver applies the published policy - deliver normally (none), route to spam (quarantine), or reject entirely. Either way, the receiver sends an aggregate report back to the domain owner at the rua= address.

Record Anatomy

Inside a DMARC record

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Each tag controls a specific behavior.

DNS TXT Record - _dmarc.example.com

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=r; pct=100; fo=1

v=DMARC1 (required)
Protocol version identifier. Must be the first tag in every DMARC record.
Example: v=DMARC1

p= (required)
Policy for the domain: none (monitor), quarantine (spam folder), or reject (block).
Example: p=reject

rua=
Address to receive aggregate reports - XML summaries of authentication results sent daily by receivers.
Example: rua=mailto:dmarc@example.com

ruf=
Address to receive forensic reports - per-message failure details for investigating spoofing attempts.
Example: ruf=mailto:forensic@example.com

sp=
Subdomain policy. Overrides the main policy for subdomains. Defaults to the p= value if not set.
Example: sp=reject

adkim=
DKIM alignment mode: strict (s) requires an exact domain match, relaxed (r) allows subdomain alignment.
Example: adkim=r

aspf=
SPF alignment mode: strict (s) requires an exact domain match, relaxed (r) allows subdomain alignment.
Example: aspf=r

pct=
Percentage of failing messages the policy applies to. Use for gradual rollout (e.g., pct=10, then increase).
Example: pct=100

fo=
Forensic report options. Controls when forensic reports are generated (0=both fail, 1=either fails, d=DKIM fail, s=SPF fail).
Example: fo=1

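To make the tag rules above concrete, here is a small parser and sanity checker for a DMARC TXT record. It is an added example, not DMARC Report's own code; it applies the RFC 7489 defaults described above (sp falls back to p, adkim and aspf default to relaxed, pct to 100, fo to 0) and flags the configurations a domain owner most often gets wrong.

```python
"""Parser and sanity checker for a DMARC TXT record (added illustration, not
DMARC Report's code). Handles the tags listed above with RFC 7489 defaults."""

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
VALID_FO = {"0", "1", "d", "s"}


def parse_dmarc_record(txt: str) -> dict:
    """Return the record as a dict with defaults applied; raise ValueError when
    a receiver would treat the record as invalid."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags, order = {}, []
    for part in parts:
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed tag: {part!r}")
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
        order.append(key)

    # v= must be present, first, and exactly DMARC1.
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")

    policy = tags["p"].lower()
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p
    for name, value in (("p", policy), ("sp", subpolicy)):
        if value not in VALID_POLICIES:
            raise ValueError(f"{name}= has unknown policy {value!r}")

    adkim, aspf = tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower()
    if adkim not in VALID_ALIGNMENT or aspf not in VALID_ALIGNMENT:
        raise ValueError("adkim= and aspf= must be 'r' or 's'")

    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        raise ValueError(f"pct= must be an integer 0-100, got {pct_raw!r}")

    # fo= is a colon-separated option list, e.g. fo=1 or fo=d:s.
    fo_opts = {o.strip() for o in tags.get("fo", "0").split(":")}
    if not fo_opts <= VALID_FO:
        raise ValueError(f"fo= has unknown option in {tags.get('fo')!r}")

    def uris(tag):
        # rua=/ruf= may list several comma-separated mailto: URIs.
        return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]

    return {"v": "DMARC1", "p": policy, "sp": subpolicy, "rua": uris("rua"),
            "ruf": uris("ruf"), "adkim": adkim, "aspf": aspf,
            "pct": int(pct_raw), "fo": sorted(fo_opts)}


def validate_dmarc_record(txt: str):
    """Return None if the record parses, else the error message."""
    try:
        parse_dmarc_record(txt)
    except ValueError as exc:
        return str(exc)
    return None


def record_warnings(rec: dict) -> list:
    """Non-fatal findings a domain owner should review before relying on the record."""
    warnings = []
    if rec["p"] == "none":
        warnings.append("p=none is monitor-only: spoofed mail is still delivered")
    if not rec["rua"]:
        warnings.append("no rua= address: no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in rec["rua"]):
        warnings.append("rua= URIs should use the mailto: scheme")
    if rec["pct"] < 100 and rec["p"] != "none":
        warnings.append(f"pct={rec['pct']}: only that share of failing mail gets p={rec['p']}")
    return warnings
```

Run it against the record shown above and it parses cleanly with no warnings; a record such as `v=DMARC1; p=none; sp=quarantine` parses but is flagged for monitor-only mode and a missing rua= address, and a record with the tags out of order or an unknown policy is rejected outright.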
Policies

The three DMARC policies

Every DMARC journey follows the same path: monitor, quarantine, reject. Each policy builds on the previous one. Learn more about DMARC policies.

p=none - Monitor Only

Receivers take no action on failed messages. Reports are still sent, giving you visibility into who sends email from your domain.

When to use: Starting out - you need to identify all legitimate senders before enforcing.
Risk level: None. No email is affected. This is a monitoring-only mode.

p=quarantine - Route to Spam

Failing messages are routed to the spam or junk folder. Recipients can still find them, but they are flagged as suspicious.

When to use: After 90+ days of monitoring with p=none and fixing all legitimate sender failures.
Risk level: Moderate. Misconfigured legitimate senders will land in spam.

p=reject - Block Entirely

Failing messages are rejected at the SMTP level. The recipient never sees them. This is full enforcement.

When to use: After 90+ days at p=quarantine with all legitimate mail consistently passing.
Risk level: Low if properly prepared. Unauthorized senders are blocked completely.

The Authentication Triad

How SPF, DKIM, and DMARC work together

Each protocol solves a different part of the email authentication puzzle. SPF authorizes sending servers. DKIM guarantees message integrity. DMARC ties them together with alignment and policy.

  • SPF

    Verifies the sending server IP is authorized by the domain's DNS record. Checks the envelope sender (Return-Path).

  • DKIM

    Attaches a cryptographic signature to the email headers. The receiving server verifies the signature against a public key in DNS.

  • DMARC

    Requires that either SPF or DKIM passes AND aligns with the From header domain. Publishes policy for failures and enables reporting.

DMARC Alignment Check

Email Headers
From (visible): ceo@example.com - what the recipient sees
Return-Path: bounce@example.com - checked by SPF
DKIM d=: example.com - checked by DKIM

DMARC Result: PASS - SPF aligned, DKIM aligned

90% of cyberattacks start with email
$4.88M average data breach cost (IBM, 2024)
80% of DMARC domains never enforce
9-18 months to full enforcement
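The alignment check in the header example above, the three-step evaluation in "How It Works", and the policy table all reduce to one decision procedure. The following is an added example of that procedure, not DMARC Report's code: it takes the From domain, the Return-Path domain checked by SPF, the DKIM d= domain and the raw SPF/DKIM results, decides whether DMARC passes under the record's adkim=/aspf= modes, and then maps a failure to a disposition using p=, sp= and pct=. The organizational domain is approximated as the last two DNS labels (an assumption made to keep the example self-contained; real receivers use the Public Suffix List so that names like example.co.uk are handled correctly).

```python
"""DMARC alignment and disposition logic (added illustration, not DMARC Report's
code). Organizational domain = last two labels is a simplification; receivers
use the Public Suffix List."""
import random


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (no Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r"):
    """DMARC passes if SPF passes AND aligns, or DKIM passes AND aligns.
    Returns (dmarc_pass, spf_aligned_pass, dkim_aligned_pass)."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok, spf_ok, dkim_ok


def disposition(from_domain, record_domain, p, sp, pct, dmarc_pass, roll=None):
    """Disposition for one message: none, quarantine or reject.

    p applies when the From domain is the record's own domain, sp when it is a
    subdomain. pct applies the policy to that percentage of failing messages;
    the rest get the next weaker policy (reject -> quarantine, quarantine ->
    none), which is how RFC 7489 describes a gradual rollout. `roll` is the
    0-99 sample drawn for this message (random unless supplied, e.g. in tests).
    """
    if dmarc_pass:
        return "none"
    effective = p if from_domain.lower() == record_domain.lower() else sp
    if effective == "none":
        return "none"
    if roll is None:
        roll = random.randrange(100)
    if roll < pct:
        return effective
    return "quarantine" if effective == "reject" else "none"


if __name__ == "__main__":
    # The spoof from the "With DMARC (p=reject)" flow above: nothing passes, nothing aligns.
    passed, _, _ = dmarc_result("yourcompany.com", "fail", "attacker.example",
                                "fail", "attacker.example")
    print(disposition("yourcompany.com", "yourcompany.com", "reject", "reject", 100, passed))
```

Two things the code makes visible that the prose only states: a bounce address on a subdomain (bounce.example.com) aligns under aspf=r but not under aspf=s, which is why strict mode so often breaks third-party senders; and pct=10 does not let 90% of spoofed mail through untouched, it downgrades it to the next weaker policy.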
Implementation

How to set up DMARC

DMARC deployment follows a phased approach. Rushing to enforcement without monitoring causes legitimate email to be blocked. Plan for 9 to 18 months from first record to full p=reject.

1. Configure SPF

Publish an SPF TXT record listing every IP address and service authorized to send email for your domain. Keep it under 10 DNS lookups.

2. Configure DKIM

Enable DKIM signing on every sending source - your mail server, Google Workspace, Microsoft 365, marketing platforms - so outbound messages carry a cryptographic signature.

3. Publish DMARC at p=none

Add a DMARC TXT record at _dmarc.yourdomain.com starting with p=none and a rua= address to receive aggregate reports.

4. Monitor Reports for 90+ Days

Analyze aggregate reports to identify every sender, fix authentication failures, and confirm all legitimate mail passes SPF or DKIM alignment.

5. Enforce with quarantine then reject

Move to p=quarantine, monitor for another 90+ days, then advance to p=reject. Use pct= for gradual rollout. The full journey takes 9-18 months.

FAQ

Frequently asked questions

What is DMARC in simple terms?

DMARC is an email security protocol that lets domain owners tell receiving mail servers what to do when an email fails authentication checks. It prevents attackers from sending emails that appear to come from your domain, protecting your brand and your recipients from phishing.

How long does DMARC take to implement?

Publishing a DMARC record at p=none takes minutes. However, reaching full enforcement at p=reject typically takes 9 to 18 months. Each phase (none, quarantine, reject) requires at least 90 days of monitoring to identify and fix all legitimate sending sources.

Does DMARC stop all phishing?

DMARC stops direct domain spoofing - attackers cannot send email that passes authentication using your exact domain. It does not prevent lookalike domain attacks (e.g., examp1e.com) or phishing from unrelated domains. DMARC is one layer in a defense-in-depth email security strategy.

What is the difference between SPF, DKIM, and DMARC?

SPF verifies that a sending server is authorized by the domain owner. DKIM attaches a cryptographic signature to prove the message was not altered in transit. DMARC ties them together by requiring that either SPF or DKIM passes AND aligns with the From header domain, then tells receivers what to do when authentication fails.

Is DMARC required?

Yes - DMARC is mandatory under multiple frameworks. US federal agencies must implement p=reject under CISA BOD 18-01. PCI DSS v4.0 requires DMARC as of March 2025. Google, Yahoo, and Microsoft require DMARC for bulk senders. The UK NCSC, Australia ASD, and Canada CCCS all mandate DMARC for government domains. EU NIS2 strengthens the case for DMARC in critical infrastructure. Many cyber insurance policies now require SPF, DKIM, and DMARC enforcement as underwriting conditions.

What is a DMARC aggregate report?

An aggregate report (RUA) is an XML file sent daily by receiving mail servers. It summarizes authentication results for all messages claiming to be from your domain - showing which senders passed or failed SPF and DKIM, and what policy was applied. DMARC Report converts these XML files into visual dashboards.
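The answer above describes the aggregate report; the following added example shows what one looks like and how to read it without a dashboard. It is not DMARC Report's code. The XML is a constructed sample in the RFC 7489 Appendix C layout (report_metadata, policy_published, one record per source IP with a message count), and the summary distinguishes raw SPF/DKIM results under auth_results from the aligned results under policy_evaluated, which is the distinction that decides whether DMARC passed.

```python
"""Parse a DMARC aggregate (RUA) report and summarize it per source IP
(added illustration, not DMARC Report's code). SAMPLE_REPORT is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1717200000</begin><end>1717286399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record><!-- legitimate mail server: both pass and align -->
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- unsigned mail from a bounce subdomain: SPF aligns (relaxed), no DKIM -->
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- spoof: raw SPF passes for attacker.example but does not align -->
    <row><source_ip>192.0.2.200</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten the report into metadata plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    meta, pub = root.find("report_metadata"), root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),  # aligned DKIM result
            "spf": pe.findtext("spf"),    # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return {"org": meta.findtext("org_name"), "report_id": meta.findtext("report_id"),
            "domain": pub.findtext("domain"), "policy": pub.findtext("p"), "rows": rows}


def summarize(report: dict) -> dict:
    """Per-source pass/fail message totals and the overall DMARC pass rate.
    A source is 'pass' when either aligned result in policy_evaluated passed."""
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for r in report["rows"]:
        dmarc_pass = r["dkim"] == "pass" or r["spf"] == "pass"
        per_ip[r["source_ip"]]["pass" if dmarc_pass else "fail"] += r["count"]
    total = sum(r["count"] for r in report["rows"])
    passed = sum(v["pass"] for v in per_ip.values())
    return {"total": total,
            "pass_rate": round(100 * passed / total, 1) if total else 0.0,
            "per_ip": dict(per_ip)}


if __name__ == "__main__":
    print(summarize(parse_aggregate_report(SAMPLE_REPORT)))
```

Reading the output the way the 90-day monitoring phase intends: 203.0.113.10 is a healthy sender, 198.51.100.7 passes only because relaxed SPF alignment covers the bounce subdomain (it would fail if aspf were switched to s, so it should get DKIM signing before enforcement), and 192.0.2.200 is a source that never belonged to the domain and is exactly what p=quarantine or p=reject is for.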

Can DMARC break my email delivery?

At p=none, DMARC cannot affect email delivery - it is monitoring only. At p=quarantine or p=reject, messages from legitimate senders that fail authentication will be affected. This is why a phased approach with 90+ days of monitoring at each stage is essential before enforcement.

Trusted by Security Teams Worldwide

G2 Leader - DMARC. G2 Momentum Leader - DMARC. Rated 4.8/5 on G2 · 469 verified reviews

Verified User in Information Technology and Services - 5/5
"Best security tool for your own domains"
The weekly reports help me a lot to quickly analyze the emails sent from my domains, and that gives me peace of mind.
8/31/2022 Verified on G2

Ryan C., Director - 4.5/5
"Control Centre for Email Security"
I like that we can see and check all reports on just 1 platform. We manage multiple domains, and monitoring them all in one place is essential.
8/29/2022 Verified on G2

eddy g., Director - 4.5/5
"A great solution to a common email problem."
I have been using them for the last month after my Google business email started giving DMARC errors. I didn't even know what it meant at that time. After a little googling I found that people can spoof it as well. So far so good — the best thing is it protects every email.
8/29/2022 Verified on G2

Start monitoring your DMARC reports today

Free plan includes 1 domain and 10,000 monthly reports - no credit card required.
