Every day, billions of spam and phishing emails are sent that falsely claim to come from legitimate domains. DMARC — Domain-based Message Authentication, Reporting and Conformance — is the protocol that gives domain owners control over how their domain is used in email, and the ability to receive reports when someone tries to abuse it.
What Is DMARC?
DMARC is an email authentication standard that builds on top of SPF and DKIM. SPF verifies that the sending IP address is authorized for the envelope-sender (Return-Path) domain, and DKIM verifies that a signature covering the message body and selected headers was produced with the key of the domain named in its d= tag. DMARC adds a critical third layer: it tells receiving mail servers what to do when neither of those checks passes for a domain that matches the visible From header.
DMARC also adds alignment — it requires that the domain in the "From" header (what the recipient sees) aligns with the domain authenticated by SPF or DKIM. This closes a loophole where attackers could pass SPF/DKIM checks using a different domain while displaying a legitimate domain in the From field.
Finally, DMARC provides a reporting mechanism — domain owners receive aggregate and forensic reports that show who is sending email on behalf of their domain, including any unauthorized senders.
Why DMARC Matters
Without DMARC, an attacker can send an email that appears to come from yourbank.com, and most mail servers will happily deliver it. With DMARC configured at the reject policy, receivers that enforce DMARC refuse those fraudulent emails before they reach recipients. DMARC is advisory, so it is the receiver that decides whether to honour the policy, but the major mailbox providers do.
An enforced DMARC policy (quarantine or reject) stops exact-domain spoofing, which is the technique behind:
- Email spoofing and brand impersonation attacks that put your real domain in the From header.
- Phishing campaigns that impersonate trusted organizations.
- Business Email Compromise (BEC) fraud that forges the From address of an executive or supplier.
It does not stop lookalike domains (yourbank-secure.com) or mail sent from a compromised account, since both pass DMARC legitimately.
You can check your domain's DMARC record using the ShowDNS DMARC Lookup tool.
How DMARC Works with SPF and DKIM
When an email is received, the receiving server runs SPF and DKIM first and then uses their results for the DMARC check:
- SPF check: Is the sending IP address authorized to send email for the domain in the Return-Path (envelope sender)?
- DKIM check: Is there a valid DKIM signature from the domain specified in the d= tag?
- DMARC alignment check: Does the domain used in the passing SPF or DKIM check align (match) with the domain in the message's "From" header?
DMARC passes only if at least one of SPF or DKIM passes and the corresponding domain aligns with the From header domain. If DMARC fails, the receiving server applies the policy published in the DMARC record of the From header domain, i.e. the policy chosen by that domain's owner, not by the receiver.
| SPF Result | DKIM Result | Alignment | DMARC Result |
|---|---|---|---|
| Pass | Pass | Aligned | Pass |
| Pass | Fail | SPF aligned | Pass |
| Fail | Pass | DKIM aligned | Pass |
| Pass | Pass | Neither aligned | Fail |
| Fail | Fail | None | Fail |
The DMARC Record
A DMARC record is a TXT record published in DNS at a specific location: _dmarc.yourdomain.com. It contains a series of tags that define the policy. A subdomain with no _dmarc record of its own falls back to the organizational domain's record (see the sp= tag).
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100; adkim=r; aspf=r"
DMARC Tags Explained
| Tag | Required? | Description |
|---|---|---|
| v=DMARC1 | Yes | DMARC version identifier; must be the first tag and is always DMARC1 |
| p= | Yes | Policy for the domain: none, quarantine, or reject |
| rua= | Recommended | mailto: URI(s) that receive aggregate reports |
| ruf= | Optional | mailto: URI(s) that receive failure (forensic) reports; many large receivers do not send them |
| pct= | Optional | Percentage of failing messages the policy is applied to (0–100, default 100); the rest get the next less severe policy |
| adkim= | Optional | DKIM alignment mode: r (relaxed, default) or s (strict) |
| aspf= | Optional | SPF alignment mode: r (relaxed, default) or s (strict) |
| sp= | Optional | Policy for subdomains (overrides p= for subdomains; defaults to the p= value) |
| fo= | Optional | Failure report options: 0 (report only if both SPF and DKIM fail alignment, default), 1 (report if either fails), d (report DKIM failures), s (report SPF failures) |
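As an added example (written for this page, not the ShowDNS tool or any library's code), the following parser and linter checks a DMARC record against the tag rules above: v=DMARC1 first, a valid p=, r/s alignment modes, a pct= in range, mailto: report URIs and known fo= options. It also flags the two settings that look like protection but are not: p=none, and a pct= below 100 on an enforcing policy. The two records are constructed samples, not real DNS data.

```python
# Added example: a small parser and linter for DMARC TXT records.
# Illustrative code for this page, not the ShowDNS tool or any library.
# The two records below are constructed samples, not real DNS data.

WEAK_RECORD = "v=DMARC1; p=none; pct=50"
GOOD_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
               "ruf=mailto:forensic@example.com; pct=100; adkim=s; aspf=r; fo=1")

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Split a DMARC record into (tags dict, tag order).

    Tags are ';'-separated name=value pairs; names are case-insensitive.
    rua=/ruf= values may hold several comma-separated mailto: URIs and are kept verbatim.
    """
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
        order.append(name)
    return tags, order


def lint_dmarc_record(txt):
    """Return a list of problems; an empty list means syntactically valid and enforcing."""
    try:
        tags, order = parse_dmarc_record(txt)
    except ValueError as err:
        return [str(err)]
    problems = []
    # v=DMARC1 must be present and first, otherwise receivers ignore the record.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy not in POLICIES:
        problems.append(f"invalid p= value {policy!r}")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"invalid sp= value {tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag}= must be r or s, not {tags[tag]!r}")
    pct = tags.get("pct")
    if pct is not None:
        if not pct.isdigit() or int(pct) > 100:
            problems.append("pct= must be an integer from 0 to 100")
        elif int(pct) < 100 and policy in ("quarantine", "reject"):
            # Unselected messages get the next less severe policy, not a free pass.
            rest = {"reject": "quarantined", "quarantine": "delivered"}[policy]
            problems.append(f"pct={pct}: only {pct}% of failing mail gets the "
                            f"{policy} policy; the rest is {rest}")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}= URI {uri.strip()!r} is not a mailto: URI")
    for opt in tags.get("fo", "0").split(":"):
        if opt not in ("0", "1", "d", "s"):
            problems.append(f"unknown fo= option {opt!r}")
    return problems


if __name__ == "__main__":
    for record in (WEAK_RECORD, GOOD_RECORD):
        print(record)
        for problem in lint_dmarc_record(record) or ["no problems found"]:
            print("  -", problem)
```

When feeding it output from dig +short, strip the surrounding double quotes first; long records are sometimes returned as several quoted strings that must be concatenated before parsing.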
DMARC Policies
The p= tag defines what happens to emails that fail DMARC checks:
- p=none: Monitor mode. No action is taken on failing emails; they are delivered normally. Use this when you first deploy DMARC to collect reports without risk of blocking legitimate email.
- p=quarantine: Failing emails are moved to the recipient's spam/junk folder. A middle ground that protects recipients while you refine your configuration.
- p=reject: Failing emails are rejected outright. The strongest protection: unauthorized emails never reach the inbox.
The usual rollout is to start with p=none to collect reports, then move to p=quarantine at a low pct= percentage, and gradually increase to p=reject; pct=100 once you have confirmed all legitimate sending sources are properly authenticated.
DMARC Alignment
Alignment ensures the domain in the email's "From" header matches the domain authenticated by SPF or DKIM. There are two alignment modes:
- Relaxed alignment (r): The organizational domains must match. For example, mail from newsletter.example.com aligns with a DMARC record at example.com.
- Strict alignment (s): The domains must match exactly. newsletter.example.com would NOT align with example.com under strict mode.
Relaxed alignment is the default and recommended setting for most organizations, as strict alignment can break legitimate email from subdomains.
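The following added example (illustrative code written for this page, not a real mail receiver) ties together the evaluation table from "How DMARC Works with SPF and DKIM", the pct= sampling from "DMARC Policies" and the two alignment modes above. It shows why an attacker whose own domain passes SPF and DKIM still fails DMARC, why a forwarded message that breaks SPF can survive on DKIM, and how relaxed versus strict alignment treats a subdomain. The organizational-domain helper is a deliberate simplification: real receivers consult the Public Suffix List, replaced here by a tiny constructed set.

```python
# Added example: the DMARC decision from the receiver's side, covering the
# alignment check (relaxed vs strict), the pass/fail rule and pct= sampling.
# Illustrative code written for this page, not a real mail receiver.

from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption: only these
# two-label public suffixes exist).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def organizational_domain(domain):
    """Return the registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the From-header domain?

    mode 's' (strict) requires an exact match; 'r' (relaxed) only requires the
    same organizational domain.
    """
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str      # domain of the RFC 5322 From header (what the user sees)
    spf_result: str       # "pass", "fail", "softfail", "none", ...
    spf_domain: str       # Return-Path (RFC 5321 MailFrom) domain SPF was evaluated for
    dkim_domains: list    # d= domains of the DKIM signatures that verified


def dmarc_passes(r, adkim="r", aspf="r"):
    """DMARC passes if SPF passed with an aligned domain, or any verified DKIM
    signature has an aligned d= domain. Returns (passed, mechanism)."""
    if r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, aspf):
        return True, "spf"
    for d in r.dkim_domains:
        if aligned(r.from_domain, d, adkim):
            return True, "dkim"
    return False, None


def disposition(policy, pct, roll):
    """Action for a message that failed DMARC.

    roll is a uniform integer 0-99 the receiver draws per message (passed in so
    the function is deterministic). With pct < 100, messages not selected get
    the next less severe policy (reject -> quarantine, quarantine -> none),
    per RFC 7489 section 6.6.4.
    """
    if policy == "none" or roll < pct:
        return policy
    return {"reject": "quarantine", "quarantine": "none"}[policy]


if __name__ == "__main__":
    # Constructed case: the attacker's own domain passes SPF and DKIM, but the
    # From header claims example.com, so nothing aligns and DMARC fails.
    spoof = AuthResults("example.com", "pass", "attacker.example", ["attacker.example"])
    passed, via = dmarc_passes(spoof)
    print("spoof passes DMARC:", passed, "-> action:", disposition("reject", 100, 0))
```

The disposition rule is the detail most often missed during rollout: p=reject; pct=20 does not let 80% of spoofed mail through untouched, it quarantines it, so a low pct= is a soft landing rather than a hole.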
DMARC Reports
One of DMARC's most valuable features is reporting. When you add a rua= address to your DMARC record, receiving mail servers send you aggregate reports (daily by default) as compressed XML attachments showing:
- All IP addresses that sent email using your domain.
- SPF and DKIM pass/fail results for each sender.
- The volume of messages from each source.
- Whether DMARC passed or failed for each source.
These reports help you discover all legitimate email services sending on your behalf (ESP, transactional email, CRM tools) so you can ensure they are properly authenticated before moving to a stricter policy. A failing source you do not recognise is either a spoofer or a forgotten service; both need identifying before you move to p=reject.
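As an added example (written for this page, not the ShowDNS tool), here is a parser for the XML inside an aggregate report that produces the per-source view described above: volume, aligned SPF/DKIM verdicts, the disposition the receiver applied, and which sources failed. SAMPLE_REPORT is a constructed report in the RFC 7489 schema, not one received from a real mailbox provider; it contains a legitimate sender, a forwarder that breaks SPF but keeps DKIM, and a spoofer whose own SPF passes but does not align.

```python
# Added example: parsing a DMARC aggregate (rua) report and summarizing the
# sending sources it lists. Illustrative code written for this page, not the
# ShowDNS tool. SAMPLE_REPORT is a constructed report in the RFC 7489 schema.

import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1705276800</begin><end>1705363200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>45</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (reported domain, list of per-source dicts sorted by volume).

    policy_evaluated holds the aligned SPF/DKIM verdicts, which is what DMARC is
    decided on; auth_results holds the raw results (note the spoofer's own SPF
    pass for attacker.example, which counts for nothing).
    """
    # Reports are attacker-influenced input: parse them with defusedxml in production.
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    sources = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        sources.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,
            "disposition": evaluated.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    sources.sort(key=lambda s: s["count"], reverse=True)
    return domain, sources


def failing_sources(sources):
    """Sources whose mail failed DMARC: spoofers, or a legitimate service you have
    not yet authenticated. Both need a look before moving to p=reject."""
    return [s for s in sources if not s["dmarc_pass"]]


def pass_rate(sources):
    """Fraction of reported messages that passed DMARC."""
    total = sum(s["count"] for s in sources)
    return sum(s["count"] for s in sources if s["dmarc_pass"]) / total if total else 0.0


if __name__ == "__main__":
    domain, sources = summarize_report(SAMPLE_REPORT)
    print(f"{domain}: {pass_rate(sources):.1%} of {sum(s['count'] for s in sources)} messages passed DMARC")
    for s in failing_sources(sources):
        print(f"  FAIL {s['ip']:<15} {s['count']:>5} msgs  spf_domain={s['spf_domain']} -> {s['disposition']}")
```

Real reports arrive as .zip or .gz attachments and must be unpacked before the XML is read; a single day from a large sender can contain hundreds of records, so in practice you aggregate by source IP across reports and map the IPs back to the services you actually use.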
Frequently Asked Questions
Do I need SPF and DKIM to use DMARC?
Yes. DMARC requires at least one of SPF or DKIM to pass with alignment. DMARC alone cannot authenticate email — it needs SPF or DKIM (or both) as its foundation. In practice, implementing all three provides the strongest protection.
What is the difference between DMARC p=none and p=quarantine?
With p=none, no action is taken on failing emails — they are delivered normally and you receive reports. With p=quarantine, failing emails are directed to the recipient's spam folder. Use p=none during the monitoring phase, then progress to quarantine and reject as you gain confidence in your authentication setup.
Can DMARC break legitimate email?
Yes, if configured too aggressively before all sending sources are properly authenticated. This is why starting with p=none and reviewing aggregate reports is important before moving to stricter policies.
How do I check my domain's DMARC record?
Use the ShowDNS DMARC Lookup tool to check your DMARC record, or run dig _dmarc.yourdomain.com TXT +short from the command line.