DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that tells receiving mail servers what to do with messages that fail SPF or DKIM checks. Without DMARC, even a perfectly configured SPF record cannot prevent attackers from spoofing the visible From: address on your domain.
DMARC requires both SPF and DKIM to be configured and working before you publish a DMARC policy. DMARC evaluates whether at least one of these passes and aligns with the From domain. If neither is set up, DMARC enforcement will break your email delivery.
Step 1: Confirm SPF and DKIM Are Working
Before touching DMARC, verify that your SPF and DKIM records are already published and passing. Send a test email to a Gmail or Apple Mail address and open the raw message headers. You should see lines like:
Authentication-Results: mx.google.com;
dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;
spf=pass (google.com: domain of hello@example.com designates
203.0.113.42 as permitted sender) smtp.mailfrom=hello@example.com
Both dkim=pass and spf=pass should appear. If either shows fail or neutral, fix those records first before continuing.
You can also check your SPF TXT record directly using the ShowDNS TXT Lookup tool.
Step 2: Understand the DMARC Record Format
A DMARC record is a TXT record published at _dmarc.yourdomain.com. The key tags you need to know:
| Tag | Required | Description |
|---|---|---|
| v=DMARC1 | Yes | Version identifier — must be first and exactly this value. |
| p= | Yes | Policy: none, quarantine, or reject. |
| rua= | Recommended | Email address to receive aggregate reports (daily summaries). |
| ruf= | Optional | Email address to receive forensic (per-failure) reports. |
| pct= | Optional | Percentage of messages the policy applies to (default 100). |
| adkim= | Optional | DKIM alignment: r (relaxed, default) or s (strict). |
| aspf= | Optional | SPF alignment: r (relaxed, default) or s (strict). |
Step 3: Create a Monitoring-Only Record (p=none)
Never jump straight to p=reject. Start with p=none, which collects reporting data without affecting delivery. This lets you discover all the legitimate sending sources on your domain before you enforce a policy that could block them.
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
Publish this TXT record at _dmarc.yourdomain.com (not at the root domain). The rua address is where receiving servers send daily aggregate reports — use an address you actually monitor, or route it through a DMARC report analyser like Postmark's DMARC Digests, Valimail, or dmarcian.
Create a dedicated mailbox for DMARC reports (e.g. dmarc-reports@example.com). Aggregate report volumes can be high for busy domains. Using a dedicated address keeps your main inbox clean and makes it easy to feed reports into an analysis tool.
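Before saving any of the records in this guide, it is worth linting the value you are about to publish, because a record with the wrong first tag or an invalid p= is treated as "no DMARC record" by receivers. The following checker is an added example for this article, not code from the original page; it encodes the rules from the tag table and Step 3 (v=DMARC1 first, p= required, pct= in 0-100, adkim=/aspf= as r or s, rua=/ruf= as mailto: URIs). The tag names sp, fo, rf and ri are real DMARC tags that the table does not list; they are accepted here but not validated further.

```python
"""Lint a DMARC TXT record before publishing it.

Added example for this article, not code from the original page. Accepts the
bare value or the double-quoted form that `dig TXT ... +short` prints.
"""
from __future__ import annotations

import re

KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}
MAILTO_RE = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+$")


def parse_dmarc(record: str) -> list[tuple[str, str]]:
    """Split 'v=DMARC1; p=none; ...' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(record: str) -> list[str]:
    """Return a list of problems; an empty list means the record looks sound."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    # The version tag must be the first tag and exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("first tag must be exactly v=DMARC1")

    tags: dict[str, str] = {}
    for tag, value in pairs:
        if tag in tags:
            problems.append(f"duplicate tag {tag}=")
        tags[tag] = value
        if tag not in KNOWN_TAGS:
            problems.append(f"unknown tag {tag}=")

    # p= is mandatory; sp= (subdomain policy) takes the same three values.
    if "p" not in tags:
        problems.append("p= is required")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            problems.append(f"{tag}= must be none, quarantine or reject, not {tags[tag]!r}")

    # Report destinations are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        if tag not in tags:
            continue
        for uri in tags[tag].split(","):
            uri = uri.strip()
            if not MAILTO_RE.match(uri):
                problems.append(f"{tag}= entry is not a mailto: URI: {uri!r}")
    if "rua" not in tags:
        problems.append("rua= is missing; you will receive no aggregate reports")

    # pct= is an integer percentage; adkim=/aspf= are relaxed (r) or strict (s).
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct= must be an integer from 0 to 100, not {pct!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag}= must be r or s, not {tags[tag]!r}")
    return problems


if __name__ == "__main__":
    for rec in ('"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"',
                "p=block; v=DMARC1; pct=150; rua=dmarc@example.com"):
        print(rec, "->", lint_dmarc(rec) or "OK")
```

Run it against the value you copied out of your DNS console, or against the quoted string dig returns in Step 4; an empty list means the three records used later in this guide (p=none, p=quarantine with pct=10, p=reject with strict alignment) are syntactically sound.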
Step 4: Verify the Record Is Published
After saving the DNS record, verify it is publicly visible using the ShowDNS TXT Lookup tool. Query _dmarc.yourdomain.com and confirm the record appears as expected.
You can also query from the command line:
# dig (Linux / macOS)
dig TXT _dmarc.example.com +short
# nslookup (all platforms)
nslookup -type=TXT _dmarc.example.com
Step 5: Monitor Reports for 2–4 Weeks
Leave the p=none record in place and read the aggregate reports every few days. Each report is an XML file that lists:
- The IP addresses that sent email claiming to be from your domain.
- Whether each message passed or failed SPF and DKIM.
- Whether alignment passed for each message.
- The disposition applied (in p=none mode, always none).
Use this data to identify any legitimate senders that are currently failing. Common causes include: a missing include: in your SPF record, a service that sends from a subdomain without its own DKIM key, or a third-party tool you had forgotten about.
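The aggregate report's <policy_evaluated> block holds the receiver's aligned verdicts, while <auth_results> holds the raw SPF and DKIM checks against whatever domain they ran on. Comparing the two is what separates "a legitimate service that authenticates on its own domain" from "nothing authenticates at all". The parser below is an added example for this article, not code from the original page; the XML is a constructed sample in the aggregate-report layout receivers send, with documentation-range IPs and a placeholder org name and report id.

```python
"""Summarise a DMARC aggregate (rua) report and pick out failing sources.

Added example for this article, not code from the original page. SAMPLE_REPORT
is constructed: the org name, report id, IPs and domains are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <!-- your own mail server: DKIM and SPF both pass and align -->
    <row>
      <source_ip>203.0.113.42</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- a forgotten third-party tool: SPF passes on its own bounce domain, so nothing aligns -->
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.newsletter-tool.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- unknown source claiming to be example.com: nothing authenticates -->
    <row>
      <source_ip>192.0.2.99</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return the published policy plus one dict per <record>, each classified
    as pass (aligned), unaligned (raw pass on a non-aligned domain) or fail."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results the receiver computed.
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        # auth_results holds the raw checks, whatever domain they ran against.
        raw = [(a.tag, a.findtext("domain"), a.findtext("result"))
               for a in rec.find("auth_results")]
        if dkim_aligned or spf_aligned:
            status = "pass"
        elif any(result == "pass" for _, _, result in raw):
            # Authenticated on some domain, but not one aligned with header From:
            # typically a legitimate service that needs a DKIM key or SPF include.
            status = "unaligned"
        else:
            status = "fail"  # nothing authenticated: unknown sender or spoofing
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "raw_results": raw,
            "status": status,
        })
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"),
            "records": rows}


def failing_sources(summary):
    """Sources whose messages would be affected once the policy is enforced."""
    return [r for r in summary["records"] if r["status"] != "pass"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for r in s["records"]:
        print(f'{r["source_ip"]:>15} {r["count"]:>5} {r["status"]:<9} {r["raw_results"]}')
```

The "unaligned" bucket is the one to work through before Step 6: those are the senders that will start landing in spam under p=quarantine even though they are yours. Real reports arrive gzipped or zipped as attachments, so in practice you decompress the attachment and pass its text to summarize_report.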
Step 6: Move to p=quarantine
Once you are confident all legitimate sending sources pass SPF or DKIM, escalate to p=quarantine. This tells receivers to accept the message but deliver it to the spam folder rather than the inbox.
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com"
Start with pct=10 to apply the quarantine policy to only 10% of failing messages. Monitor reports for another 1–2 weeks. If no legitimate mail is being incorrectly quarantined, gradually increase to pct=50, then remove the pct tag entirely (which defaults to 100%).
Step 7: Enforce with p=reject
The final stage is p=reject — the strongest DMARC policy. Receivers will outright reject messages that fail DMARC, meaning they never reach the recipient's mailbox at all. This provides the strongest protection against domain spoofing.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
The adkim=s and aspf=s settings enforce strict alignment, meaning the domain in the DKIM signature or SPF envelope must exactly match the From domain (not just the organisational domain). Use strict alignment only if you are certain all your senders use the same domain.
Moving to p=reject too quickly can cause legitimate emails to be silently dropped. Follow the full monitoring cycle: p=none for 2–4 weeks, then p=quarantine with low pct, then gradually increase to 100%, then finally switch to p=reject.
Frequently Asked Questions
Where exactly does the DMARC record go in DNS?
The DMARC record is always a TXT record at _dmarc.yourdomain.com — for example, _dmarc.example.com. It is not placed at the root domain. The underscore prefix is intentional and required.
What is DMARC alignment?
Alignment means the domain used in the DKIM signature (d= tag) or the SPF envelope sender must match the domain in the email's visible From: header. In relaxed mode, the organisational domain must match (e.g. mail.example.com aligns with example.com). In strict mode, the domains must match exactly.
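The rule in this answer, and the "at least one passes and aligns" rule from the introduction, can be written down as a small decision function. This is an added example for this article, not code from the original page; its organisational-domain helper is a deliberate simplification that takes the last two DNS labels, whereas real evaluators consult the Public Suffix List so that names like example.co.uk are handled correctly.

```python
"""Decide whether one message passes DMARC under relaxed or strict alignment.

Added example for this article, not code from the original page.
"""


def organisational_domain(domain):
    """Simplified organisational domain: the last two labels (an assumption;
    production code uses the Public Suffix List instead)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """mode 'r' (relaxed) compares organisational domains; 's' (strict) requires
    an exact match, so mail.example.com does not align with example.com."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    if mode == "r":
        return organisational_domain(auth_domain) == organisational_domain(from_domain)
    raise ValueError(f"alignment mode must be r or s, not {mode!r}")


def dmarc_result(from_domain, dkim=None, spf=None, adkim="r", aspf="r"):
    """from_domain: the domain of the visible From: header.
    dkim: (d= domain, result) of the DKIM signature, or None if unsigned.
    spf:  (MAIL FROM domain, result) of the SPF check, or None.
    Only a result of 'pass' counts; softfail, neutral and none do not.
    DMARC passes when either identifier both passes and aligns."""
    dkim_ok = bool(dkim) and dkim[1] == "pass" and is_aligned(dkim[0], from_domain, adkim)
    spf_ok = bool(spf) and spf[1] == "pass" and is_aligned(spf[0], from_domain, aspf)
    return {"dkim_aligned_pass": dkim_ok,
            "spf_aligned_pass": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}


if __name__ == "__main__":
    # A third-party tool signing with d=mail.example.com but bouncing on its own domain:
    # passes under relaxed DKIM alignment, fails once adkim=s is published.
    msg = dict(from_domain="example.com",
               dkim=("mail.example.com", "pass"),
               spf=("bounce.tool.example", "pass"))
    print("relaxed:", dmarc_result(**msg))
    print("strict: ", dmarc_result(**msg, adkim="s", aspf="s"))
```

The strict case in the usage block is exactly the failure mode Step 7 warns about: a sender that is fine today can stop passing the moment adkim=s or aspf=s is added, which is why the reports should be checked for subdomain senders before switching on strict alignment.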
Will DMARC break my email if I go straight to p=reject?
It can. If any legitimate sender fails SPF or DKIM — or if alignment is not configured correctly — p=reject will cause those messages to be dropped entirely. Always start with p=none and use the reporting data to fix all failures before enforcing a strict policy.
How do I read DMARC aggregate reports?
Aggregate reports are XML files sent as email attachments. They can be difficult to read raw. Use a free DMARC report viewer such as Postmark's DMARC Digests, dmarcian, or Google's Postmaster Tools. These parse the XML and present the data in a readable dashboard.
Do I need DMARC for every subdomain?
DMARC has a sp= (subdomain policy) tag that controls policy for subdomains not covered by their own DMARC record. If you omit sp=, the root domain's p= policy applies to subdomains as well. You can also publish separate DMARC records for individual subdomains that send email.