What is DMARC? Email Policy & Reporting Explained

Learn how DMARC works with SPF and DKIM to protect your domain from email spoofing. Complete setup guide with policy examples.

Updated December 20, 2025

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to protect your domain from email spoofing and phishing.

While SPF and DKIM authenticate emails, DMARC tells receiving servers what to do when authentication fails and provides reports about your email authentication status.

How DMARC Works

DMARC adds a policy layer on top of SPF and DKIM. Here's how it works:

1. Email Authentication

When an email is received, the server first checks SPF and DKIM authentication. At least one of these must pass for DMARC to pass.

2. Alignment Check

DMARC checks if the domain in the "From" header aligns with the domain that passed SPF or DKIM. This is called "identifier alignment."

3. Policy Application

If authentication and alignment pass, the email is delivered. If they fail, the receiving server follows your DMARC policy: none (monitor only), quarantine (send to spam), or reject (block completely).

4. Reporting

Receiving servers send daily reports to your specified email address, showing authentication results for all emails claiming to be from your domain.

DMARC Requires SPF or DKIM

DMARC doesn't work alone—you must have SPF and/or DKIM configured first. DMARC builds on these protocols to provide policy enforcement and reporting.

DMARC Record Syntax

A DMARC record is a TXT record published at _dmarc.yourdomain.com. Here's an example:

Example DMARC Record
_dmarc.yourdomain.com  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100; adkim=r; aspf=r"

# Breaking down the components:
# v=DMARC1                           -> DMARC version
# p=quarantine                       -> Policy (none, quarantine, or reject)
# rua=mailto:dmarc@yourdomain.com   -> Aggregate report email
# ruf=mailto:forensic@yourdomain.com -> Forensic report email
# pct=100                            -> Percentage of mail the policy applies to (100%)
# adkim=r                            -> DKIM alignment mode (r=relaxed, s=strict)
# aspf=r                             -> SPF alignment mode (r=relaxed, s=strict)

DMARC Policy Tags

| Tag | Description | Required |
|-----|-------------|----------|
| v | DMARC version (always DMARC1) | Yes |
| p | Policy: none, quarantine, or reject | Yes |
| rua | Aggregate report email address | Recommended |
| ruf | Forensic report email address | Optional |
| pct | Percentage of mail to filter (0-100) | Optional |
| sp | Policy for subdomains | Optional |
| adkim | DKIM alignment: r (relaxed) or s (strict) | Optional |
| aspf | SPF alignment: r (relaxed) or s (strict) | Optional |
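
The sketch below is an added example, not code from the original page: it walks one message through the authentication, alignment and policy steps from "How DMARC Works", using the p, adkim and aspf tags described above. It assumes the receiver has already produced SPF and DKIM results, approximates the organizational domain as the last two labels instead of using the Public Suffix List, and ignores pct and sp; the function names and esp.example are hypothetical.

```python
# Added example: simplified DMARC evaluation of one message.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; ...' into a tag dict; require v and p."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: s = exact match, r = same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the SPF domain is the envelope
    sender's, the DKIM domain is the signature's d= value."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # DMARC failed: the domain owner's policy decides the outcome.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"].lower()]

# Constructed sample: mail sent through a third-party sender (esp.example).
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r"
STRICT = RELAXED.replace("adkim=r", "adkim=s")
SPF = ("pass", "bounce.esp.example")    # passes, but not aligned with From
DKIM = ("pass", "mail.yourdomain.com")  # aligned only in relaxed mode

if __name__ == "__main__":
    print(evaluate(RELAXED, "yourdomain.com", SPF, DKIM))  # deliver
    print(evaluate(STRICT, "yourdomain.com", SPF, DKIM))   # quarantine
```

The strict case shows why a legitimate sender can start failing when alignment is tightened: both SPF and DKIM still pass, but neither domain matches the From domain exactly.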

Understanding DMARC Policies

DMARC offers three policy levels. You should implement them progressively:

1. p=none (Monitor Mode)

No action is taken on failed emails—they're still delivered. Use this initially to monitor your email authentication without affecting delivery.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Best for: Initial setup, gathering data, testing configuration

2. p=quarantine (Quarantine Failed Mail)

Emails that fail authentication are sent to spam/junk folders. This is a good middle ground that protects your domain while minimizing delivery issues.

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Best for: After monitoring, when you're confident in your setup

3. p=reject (Block Failed Mail)

Emails that fail authentication are completely rejected and not delivered. This provides maximum protection but requires perfect configuration.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

Best for: Mature implementations with complete authentication coverage

Progressive Implementation

Always start with p=none and monitor for at least 2-4 weeks. Review DMARC reports, fix any authentication issues, then gradually move to p=quarantine and finally p=reject.

How to Set Up DMARC

1. Ensure SPF and DKIM are Working

DMARC requires either SPF or DKIM (or both) to be configured. Verify these are working before implementing DMARC.

2. Create a Mailbox for Reports

Set up an email address to receive DMARC reports (e.g., dmarc@yourdomain.com). These reports can be large and frequent, so use a dedicated mailbox.

3. Create Your DMARC Record

Start with a monitoring-only policy:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

4. Add to DNS

Add the DMARC record as a TXT record at _dmarc.yourdomain.com

5. Monitor Reports

Review DMARC reports for 2-4 weeks. Look for failed authentications and identify any legitimate sources that need SPF/DKIM configuration.

6. Gradually Increase Policy

Once confident, update to p=quarantine, monitor again, then move to p=reject if desired.