
What is DMARC? The Complete Guide for 2026

Learn what DMARC is, how it works, the three policy types (none, quarantine, reject), how to set it up step by step, and why it's now mandatory for bulk email senders.

Domain Security Scanner

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens when a message fails authentication. Published as a DNS TXT record at _dmarc.<your domain>, it tells receiving mail servers what to do with messages whose From header claims your domain but that produce neither an aligned SPF pass nor an aligned DKIM pass, and where to send reports about them.

Without DMARC, anyone can send email that appears to come from your domain. Phishing attackers routinely spoof legitimate business domains to trick recipients into clicking malicious links or sharing credentials. DMARC closes this gap by letting you specify a policy and by sending you reports about who is using your domain to send email.

Think of it this way: SPF and DKIM are the locks on your door. DMARC is the security camera and the instructions for what to do when someone tries to pick the lock.

How DMARC Works

When a receiving mail server gets an email claiming to be from example.com, it performs these steps:

  1. SPF check: The server verifies that the connecting IP is authorized by the SPF record of the envelope sender (MAIL FROM) domain, which need not be the domain shown in the From header.
  2. DKIM check: The server verifies the DKIM signature against the public key published in DNS under the selector and d= domain named in the signature header.
  3. DMARC alignment check: This is the critical step. DMARC requires that at least one of SPF or DKIM not only passes but also aligns with the RFC5322 From domain. In relaxed alignment (the default, adkim=r / aspf=r) the organizational domains must match, so bounce.example.com aligns with example.com; in strict alignment (adkim=s / aspf=s) the domains must match exactly.
  4. Policy enforcement: If no mechanism produced an aligned pass, the server applies the DMARC policy (the p= tag, or sp= for subdomains) to decide whether to deliver, quarantine, or reject the message. Receivers may still override this with local policy, for example for mail from known mailing lists.
  5. Reporting: The receiving server sends aggregate (rua) reports and, far less commonly, per-message failure (ruf, also called forensic) reports to the addresses the record names.

The alignment requirement is what makes DMARC powerful. An attacker can pass SPF trivially by putting their own domain in the envelope MAIL FROM, because that is the domain SPF checks; the From header the recipient sees still shows your domain. SPF passes, but for the wrong domain, and DMARC catches the mismatch.

The Three DMARC Policy Types

p=none (Monitor Only)

The p=none policy tells receivers to deliver the email regardless of DMARC results, but send reports. This is the starting point for every DMARC deployment. You use it to gather data about who is sending email from your domain before enforcing a stricter policy.

v=DMARC1; p=none; rua=mailto:[email protected];

When to use: During initial deployment. Stay here for 2-4 weeks minimum while you review reports and identify all legitimate senders.

p=quarantine

The p=quarantine policy tells receivers to treat failing messages with suspicion, typically routing them to the spam/junk folder. This is the intermediate step.

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=50;

Notice the pct=50 tag: it asks receivers to apply the quarantine policy to only 50% of failing messages. The remainder are not simply delivered; they get the next less strict policy, so with p=quarantine; pct=50 half of the failing mail is quarantined and half is treated as p=none, and with p=reject; pct=50 the unsampled half is quarantined rather than rejected. The pct tag lets you ramp enforcement gradually so you can catch any legitimate senders you missed.

When to use: After you've confirmed all legitimate senders are passing DMARC. Increase pct from 25 → 50 → 75 → 100 over several weeks.

p=reject

The p=reject policy tells receivers to refuse messages that fail DMARC outright, normally at SMTP time, so the email is never delivered, not even to spam. This is the gold standard, with one caveat: a receiver can still apply a local override (for example for mail relayed through a mailing list it trusts), so reject is a strong request, not a guarantee.

v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1;

The fo=1 tag asks for a failure report whenever any mechanism fails to produce an aligned pass, instead of the default fo=0, which only reports when both SPF and DKIM fail. Two caveats: fo= only has an effect if the record also carries a ruf= address for the reports to go to (the record above has none, so fo=1 does nothing on its own), and most large mailbox providers do not send failure reports at all, so do not count on them for visibility.

When to use: When you're confident your legitimate email is fully aligned. This is the only policy that truly prevents domain spoofing.
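A parser and linter for the record tags described in this section, added here as an example (it is not the article's or the scanner's code). It fills in the RFC 7489 defaults for omitted tags and flags the points made above: p=none delivering everything, pct sampling falling back to the next lower policy, and fo= without a ruf= address. The mailbox addresses in the sample records are placeholders.

```python
"""Parse a DMARC TXT record and flag common configuration problems.

Added example; the report addresses used below are placeholders, not real mailboxes.
"""

# Defaults RFC 7489 applies when a tag is omitted.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")
# Policy applied to the unsampled share of failing mail when pct < 100 (RFC 7489 6.6.4).
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=...; ...' into a dict of lowercased tags with defaults filled in.

    Raises ValueError for records a receiver would discard as malformed.
    """
    parts = [p.strip() for p in record.strip().split(";")]
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError(f"p= must be one of {POLICIES}, got {tags.get('p')!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError(f"invalid sp= value {tags['sp']!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    return tags


def lint_dmarc(record):
    """Return findings a domain owner should act on before trusting the record."""
    tags = parse_dmarc(record)
    findings = []
    p, pct = tags["p"], int(tags["pct"])
    if p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag}= URI {uri!r} is not a mailto: address")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will be sent, so nothing to monitor")
    if pct < 100:
        findings.append(f"pct={pct}: the other {100 - pct}% of failing mail gets p={NEXT_LOWER[p]}")
    if tags["fo"] != "0" and "ruf" not in tags:
        findings.append("fo= is set but there is no ruf= tag, so failure reports are never sent")
    if "s" in (tags["adkim"], tags["aspf"]):
        findings.append("strict alignment: mail signed by or bounced from a subdomain will not align")
    return findings


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com;",
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=50;",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1;",
    ):
        print(rec)
        for finding in lint_dmarc(rec):
            print("  -", finding)
```

Run it against the record you are about to publish; the fo= finding is exactly the one the reject example above would trigger.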

How to Set Up DMARC: Step by Step


Step 1: Ensure SPF and DKIM Are in Place

DMARC requires at least one of SPF or DKIM to pass with alignment. Before deploying DMARC, make sure you have:

  • A valid SPF record that includes all your legitimate sending sources
  • DKIM signing enabled on your email platform and signing with your own domain. Google Workspace and Microsoft 365 both sign by default, but the default signature can use a provider-owned domain (a gappssmtp.com or onmicrosoft.com d= value), which does not align with your From domain; generate and publish a DKIM key for your own domain in the provider's admin console and confirm the d= in outbound headers matches it

You can scan your domain to check your current SPF and DKIM status instantly.

Step 2: Create Your Initial DMARC Record

Start with a monitoring policy. Create a TXT record at _dmarc.yourdomain.com:

Host:  _dmarc
Type:  TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected];

The rua tag specifies where aggregate reports should be sent. These are XML reports that summarize authentication results for all email sent from your domain.

Step 3: Monitor Reports for 2-4 Weeks

DMARC aggregate reports arrive daily from major mailbox providers. They'll show you:

  • Which IP addresses are sending email from your domain
  • Whether those messages pass or fail SPF/DKIM
  • The volume of messages from each source

Review these reports to identify any legitimate senders that aren't properly authenticated. Common ones you might miss: marketing platforms (Mailchimp, HubSpot), CRM systems (Salesforce), transactional email services (SendGrid, Postmark), and ticketing systems.
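Reports arrive as compressed XML attachments, one per receiver per day, which is tedious to read by hand. The following script, an added example rather than the article's or any vendor's tool, parses one and lists the sources that did not produce an aligned pass. The embedded report is constructed to follow the RFC 7489 Appendix C schema; its IP addresses, domains and report ID are made up, with one row for the primary platform, one for an unaligned marketing tool and one for a spoofer.

```python
"""Summarize a DMARC aggregate (rua) report by sending source.

Added example. SAMPLE_REPORT is constructed in the RFC 7489 Appendix C
schema; its IPs, domains and report_id are made up.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- primary mail platform: both mechanisms pass and align -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- marketing tool: SPF and DKIM pass for its own domains, so neither aligns -->
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>marketingtool.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.marketingtool.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown sender: SPF passes only for the attacker's own MAIL FROM domain -->
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report_bytes(data, filename):
    """Reports arrive as .xml.gz or .zip attachments; return the XML text."""
    name = filename.lower()
    if name.endswith(".gz"):
        return gzip.decompress(data).decode("utf-8")
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            member = next(n for n in zf.namelist() if n.lower().endswith(".xml"))
            return zf.read(member).decode("utf-8")
    return data.decode("utf-8")


def summarize_report(xml_text):
    """Return (metadata dict, list of per-source dicts) from one aggregate report."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    meta = {
        "org": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.findall("record"):
        evaluated = (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            # policy_evaluated already folds alignment in: 'pass' there means an aligned pass
            "dmarc_pass": "pass" in evaluated,
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
            "spf_domains": [s.findtext("domain") for s in rec.findall("auth_results/spf")],
        })
    return meta, rows


def failing_sources(rows):
    """Sources to investigate before raising the policy, biggest volume first."""
    return sorted((r for r in rows if not r["dmarc_pass"]), key=lambda r: -r["count"])


def compressed_sample():
    """The sample report as it would arrive: a gzipped attachment."""
    return gzip.compress(SAMPLE_REPORT.encode("utf-8"))


if __name__ == "__main__":
    meta, rows = summarize_report(load_report_bytes(compressed_sample(), "report.xml.gz"))
    print(f"{meta['org']} report for {meta['domain']} (p={meta['policy']})")
    for r in failing_sources(rows):
        print(f"  {r['source_ip']:15} {r['count']:5} msgs  spf={r['spf_domains']} dkim={r['dkim_domains']}")
```

The unaligned marketing tool shows up with its own domains in auth_results and a passing result for both, which is the signature of the alignment problem described under Common DMARC Mistakes; the third row, with an unknown domain in SPF and no DKIM at all, is what spoofing looks like in a report.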

Step 4: Fix Authentication for All Legitimate Senders

For each legitimate sender you find in reports that's failing authentication:

  • Add their sending IPs, or the include: mechanism they publish, to your SPF record, keeping the total under the 10-lookup limit
  • Configure DKIM signing for your domain through their platform settings (they will give you a CNAME or TXT record to publish under a selector on your domain)
  • Verify alignment: the envelope MAIL FROM domain (for SPF) or the DKIM d= domain must match your From domain, or a subdomain of it under relaxed alignment

Step 5: Gradually Enforce

Once all legitimate senders pass, move to quarantine with a low percentage, then increase:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected];

Monitor for a week, then increase to 50%, 75%, and finally 100%. When quarantine at 100% shows no issues, move to reject:

v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1;

Common DMARC Mistakes

1. Jumping Straight to p=reject

The most dangerous mistake. If you skip the monitoring phase and go straight to reject, you'll block legitimate email from third-party services you forgot about. Always start with p=none and work your way up.

2. Not Including All Sending Sources in SPF

You might forget that your CRM, helpdesk, or marketing platform sends email on your behalf. These services need to be included in your SPF record or they'll fail DMARC. Run a domain scan to check what's currently authorized.

3. Ignoring DMARC Reports

Setting up DMARC without monitoring reports defeats the purpose. The reports tell you exactly what's happening with your domain's email: who's spoofing you, which legitimate services are misconfigured, and whether your policy is working.

4. Misunderstanding Alignment

SPF passing isn't enough. The domain that passes SPF must align with the From header domain. If your marketing tool sends with a return path (envelope MAIL FROM) of bounce.marketingtool.com while the From header says yourdomain.com, SPF passes for marketingtool.com, but DMARC alignment fails. Under relaxed alignment, the default, a subdomain of your own domain does align, so the usual fix is to configure the tool to use a custom return path such as bounce.yourdomain.com (and publish the SPF record it asks for at that name), or to rely on DKIM alignment by having the tool sign with a d= domain that is yours.
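To make the alignment rules concrete, here is an evaluator, added as an example and not part of the article, that covers both the alignment step from the How DMARC Works section and the misconfigured-tool case just described. The organizational-domain helper keeps the last two labels as a stand-in for a Public Suffix List lookup, and the message cases at the bottom are constructed.

```python
"""Decide whether one message passes DMARC and what disposition it gets.

Added example. organizational_domain() is a simplification standing in for
a Public Suffix List lookup; the message cases are constructed.
"""
from dataclasses import dataclass, field

# Policy applied to the unsampled share of failing mail when pct < 100 (RFC 7489 6.6.4).
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def organizational_domain(domain):
    """Simplified: keep the last two labels. Real receivers use the Public Suffix
    List, so this misjudges names like example.co.uk; fine for this demo."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """RFC 7489 3.1: strict ('s') needs an exact match; relaxed ('r') needs the
    same organizational domain, so bounce.example.com aligns with example.com."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResult:
    from_domain: str                          # RFC5322.From domain the user sees
    spf_domain: str = ""                      # RFC5321.MailFrom domain SPF was checked against
    spf_result: str = "none"                  # pass, fail, softfail, neutral, none, permerror
    dkim: list = field(default_factory=list)  # (d= domain, result) per signature


def dmarc_pass(r, adkim="r", aspf="r"):
    """True when at least one mechanism both passed and aligned with the From domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim) for d, res in r.dkim)
    return spf_ok or dkim_ok


def disposition(r, policy, sampled=True, adkim="r", aspf="r"):
    """Map a DMARC result to none/quarantine/reject. `sampled` says whether the
    receiver's pct= sampling picked this message; unsampled failures get the
    next lower policy rather than being delivered untouched."""
    if dmarc_pass(r, adkim, aspf):
        return "none"
    return policy if sampled else NEXT_LOWER[policy]


# Constructed cases; every domain here is illustrative.
SPOOF = AuthResult("example.com", spf_domain="attacker.example", spf_result="pass")
UNALIGNED_TOOL = AuthResult("example.com", spf_domain="bounce.marketingtool.example",
                            spf_result="pass", dkim=[("marketingtool.example", "pass")])
CUSTOM_RETURN_PATH = AuthResult("example.com", spf_domain="bounce.example.com", spf_result="pass")
DKIM_ALIGNED = AuthResult("example.com", spf_domain="bounce.marketingtool.example",
                          spf_result="pass", dkim=[("example.com", "pass")])

if __name__ == "__main__":
    cases = [("spoof", SPOOF), ("unaligned tool", UNALIGNED_TOOL),
             ("custom return path", CUSTOM_RETURN_PATH), ("dkim aligned", DKIM_ALIGNED)]
    for name, case in cases:
        print(f"{name:20} pass={str(dmarc_pass(case)):5} p=reject -> {disposition(case, 'reject')}")
```

Note that the spoof case and the unaligned-tool case look identical to DMARC: SPF passed in both, just for someone else's domain. The two fixes, a custom return path under your domain or an aligned DKIM signature, each turn the result into a pass, and switching aspf to strict makes the custom-return-path fix stop working, which is why strict alignment is rarely worth it.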

5. Using Too Many DNS Lookups in SPF

SPF has a 10-DNS-lookup limit covering include, a, mx, ptr, exists and redirect terms, counted recursively through every include. If evaluating your record exceeds it, the result is permerror, which DMARC treats as an SPF failure, so only an aligned DKIM signature can still save the message. Nested includes from third-party services are the usual cause; check your SPF record's current lookup count.
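An offline lookup counter, added as an example (not the scanner's code), that walks a record the way an SPF evaluator does. ZONE is a constructed dictionary standing in for DNS TXT answers; every name and record in it is made up, and the example.com record is deliberately over the limit.

```python
"""Count the DNS-querying terms an SPF record expands to (RFC 7208 4.6.4).

Added example. ZONE is a constructed, offline stand-in for DNS TXT lookups;
the domain names and records in it are made up.
"""
import re

LIMIT = 10  # include, a, mx, ptr, exists and redirect= each count; ip4/ip6/all do not

ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailhost.example include:_spf.crm.example "
                   "include:spf.helpdesk.example -all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example include:_nb2.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "b.crm.example": "v=spf1 a mx ~all",
    "spf.helpdesk.example": "v=spf1 redirect=_spf2.helpdesk.example",
    "_spf2.helpdesk.example": "v=spf1 ip4:192.0.2.128/25 -all",
}


def count_lookups(domain, zone, _depth=0):
    """Recursively count lookups triggered by `domain`'s SPF record. Raises
    LookupError when an include/redirect target has no SPF record, which is
    itself a permerror in a real evaluation."""
    if _depth > LIMIT:
        raise RecursionError(f"include/redirect chain too deep at {domain}")
    record = zone.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"{domain}: no SPF record")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                          # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "include":
            total += 1 + count_lookups(term.split(":", 1)[1], zone, _depth + 1)
        elif name == "redirect":
            total += 1 + count_lookups(term.split("=", 1)[1], zone, _depth + 1)
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total


def spf_within_limit(domain, zone=ZONE):
    """Return (lookup_count, ok). Over the limit means permerror, which DMARC
    counts as an SPF failure, leaving DKIM alignment as the only way to pass."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT


if __name__ == "__main__":
    n, ok = spf_within_limit("example.com")
    print(f"example.com expands to {n} lookups; within limit: {ok}")
```

The sample record reaches 11 because each include costs one lookup plus everything inside it: three top-level includes plus mx already cost four before any nesting, and the CRM vendor's own two-level include adds four more. Flattening one vendor's includes into ip4 ranges, or moving a low-volume sender to its own subdomain with its own SPF record, is the usual way back under the limit.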

Why DMARC Matters Now More Than Ever

Google and Yahoo Mandates

In February 2024, Google and Yahoo began requiring DMARC for anyone sending more than 5,000 emails per day to their users. This wasn't optional. Bulk senders without a DMARC record (even p=none) started seeing deliverability problems, rate limiting, and outright blocks.

Microsoft Joins In

As of May 2025, Microsoft followed suit with similar requirements for Outlook.com, Hotmail, and Live.com. The three largest consumer email providers in the world now require DMARC. Read our detailed breakdown of the Google & Yahoo DMARC requirements.

Regulatory Pressure

Beyond the tech mandates, industries like finance, healthcare, and government are increasingly requiring DMARC as part of compliance frameworks. PCI DSS 4.0, NIST guidelines, and various government directives now reference email authentication as a baseline security requirement.

Brand Protection

DMARC at p=reject makes it effectively impossible for attackers to spoof your exact domain in email to any receiver that enforces DMARC, which includes the major consumer mailbox providers. It does not stop lookalike domains or display-name tricks, so it is a baseline rather than a complete anti-phishing control. Any organization that values its brand reputation (and what organization doesn't?) should treat DMARC as a requirement, not a nice-to-have.
