What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to publish a policy specifying how receiving servers should handle messages that fail authentication, and provides reporting mechanisms to monitor email authentication.
Why DMARC is Essential
SPF and DKIM alone have a critical gap: they don't tell receivers what to do with messages that fail. A spoofed message that fails SPF and DKIM still reaches the receiver, and the receiver has no guidance from the domain owner on how to treat it.
DMARC solves this by:
- Defining policy: Reject, quarantine, or allow failed messages
- Requiring alignment: From header must match SPF/DKIM domains
- Enabling reporting: Aggregate and forensic reports show authentication results
How DMARC Works
1. Sender publishes DMARC policy in DNS (TXT record at _dmarc.domain.com)
2. Email is sent with From: user@domain.com
3. Receiver checks SPF and DKIM
4. Receiver checks alignment: Does authenticated domain match From header?
5. Policy applied: Based on DMARC record (none, quarantine, reject)
6. Reports sent: Aggregate reports to specified addresses
DMARC Alignment
DMARC requires "alignment"—the domain in the From header must match either:
- SPF alignment: The envelope sender (MAIL FROM) domain
- DKIM alignment: The d= domain in the DKIM signature
Without alignment, SPF or DKIM may pass on its own, but DMARC still fails.
DMARC Record Format
DMARC records are TXT records at _dmarc.yourdomain.com:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC Tags
| Tag | Required | Description | Example |
|---|---|---|---|
| v | Yes | Version | v=DMARC1 |
| p | Yes | Policy | p=none/quarantine/reject |
| rua | No | Aggregate report URI | rua=mailto:reports@example.com |
| ruf | No | Forensic report URI | ruf=mailto:forensic@example.com |
| pct | No | Policy percentage | pct=100 |
| sp | No | Subdomain policy | sp=reject |
| adkim | No | DKIM alignment mode | adkim=s (strict) or adkim=r (relaxed) |
| aspf | No | SPF alignment mode | aspf=s or aspf=r |
DMARC Policies
p=none: Monitor only—take no action on failed messages
v=DMARC1; p=none; rua=mailto:dmarc@example.com
p=quarantine: Send failed messages to spam/junk
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
p=reject: Reject failed messages entirely
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
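The alignment rules, the tag table and the three policies above can all be exercised in one small evaluator. The following is an added example, not code from the original article: it parses a DMARC TXT record into tags (applying the RFC 7489 defaults for adkim, aspf and pct), checks strict versus relaxed alignment, and returns the disposition a receiver would apply, including the sp= subdomain policy and the pct fallback to the next less strict policy. The organizational-domain rule is a stated simplification (last two DNS labels); real receivers use the Public Suffix List.

```python
"""Parse a DMARC TXT record and evaluate one message against it.

Added example; this is not code from the original article. The
organizational-domain rule used for relaxed alignment is a simplification
(last two DNS labels) and assumes no Public Suffix List lookup; real
receivers consult the PSL, so names like example.co.uk need the real list.
"""

# Tag defaults from RFC 7489 when the tag is absent.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
# Policies ordered from least to most strict; pct falls back one step.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict with defaults.

    Raises ValueError for records that are not valid DMARC1 (v= not first,
    missing or unknown p=, pct outside 0-100); a receiver treats such a
    record as if no DMARC record existed.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    if tags.get("sp", "none") not in POLICIES:
        raise ValueError("invalid sp= tag")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be an integer 0-100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (see module docstring)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(tags, from_domain, spf_result, mail_from_domain,
             dkim_result, dkim_d, policy_domain=None, sample=1):
    """Return (dmarc_pass, disposition) for one message.

    DMARC passes when SPF or DKIM passes *and* its domain aligns with the
    From domain. policy_domain is where the record was found; when it
    differs from from_domain the sp= tag (if present) applies. sample is
    the receiver's 1-100 draw for pct: a draw above pct means the message
    is not selected and the next less strict policy is applied.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"]
    if policy_domain and policy_domain.lower() != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    if sample > int(tags["pct"]):
        policy = POLICIES[max(POLICIES.index(policy) - 1, 0)]
    return False, policy


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    # Bounce subdomain in MAIL FROM: relaxed SPF alignment passes.
    print(evaluate(rec, "example.com", "pass", "bounce.example.com", "fail", ""))
    # Constructed third-party sender with SPF on its own domain and no DKIM: rejected.
    print(evaluate(rec, "example.com", "pass", "bounces.esp-example.net", "fail", ""))
```

The second call in the usage block is the "third-party service failing" case: SPF passes, but for the service's own bounce domain, so nothing aligns with the From domain and the p=reject policy is applied. Switching that record to aspf=s would make even the bounce.example.com case fail, which is why strict alignment is rarely the first setting to deploy.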
DMARC Implementation Path
Phase 1: Monitor (p=none)
Start with monitoring to understand your email ecosystem:
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
Analyze reports for 2-4 weeks to identify:
- Legitimate sending services missing SPF/DKIM
- Unauthorized senders (spoofing)
- Alignment issues
Phase 2: Quarantine (p=quarantine)
Once legitimate sources are authenticated:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com
Use pct=10 to quarantine only 10% initially, increasing gradually.
Phase 3: Reject (p=reject)
Full protection:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
DMARC Reports
Aggregate Reports (rua)
Daily XML reports showing authentication results across all your email:
- Volume of email
- Pass/fail rates for SPF, DKIM, DMARC
- Sending IP addresses
- Recipient organizations
Forensic Reports (ruf)
Individual failure reports (not all receivers send these due to privacy):
- Full message headers
- Authentication failure details
Report Processing
Raw DMARC reports are XML and hard to read. Use services like:
- DMARC Analyzer
- Dmarcian
- Valimail
- Postmark DMARC
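Before reaching for a third-party analyzer, it helps to see what the raw aggregate report actually contains. The following is an added example, not code from the original article or from any of the services listed: it parses a constructed report in the RFC 7489 Appendix C layout and sorts each source IP into one of three buckets that map directly onto the Phase 1 questions above (aligned and passing, a legitimate sender whose SPF or DKIM passes but does not align, or a sender nothing authenticates). The IPs and domains in SAMPLE_REPORT are constructed; decompressing the gzip or zip attachment a real rua mailbox receives is left out.

```python
"""Summarize a DMARC aggregate (rua) report into per-source findings.

Added example; not code from the original article. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout with documentation
IPs and made-up domains. Real reports arrive as gzip or zip attachments
to the rua mailbox; decompressing them is left out here.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record><!-- own mail server: both mechanisms pass and align -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- third-party service: SPF passes, but only for its own domain -->
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounces.esp-example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- nothing authenticates: unknown sender using our From domain -->
    <row><source_ip>203.0.113.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mail.unknown-host.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(record) -> str:
    """Bucket one <record> by comparing the aligned results in policy_evaluated
    with the raw auth_results: an aligned pass is a DMARC pass, a raw pass
    without alignment is a misconfigured legitimate sender, and no pass at
    all is an unauthenticated source."""
    evaluated = record.find("row/policy_evaluated")
    dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
    auth = record.find("auth_results")
    raw_pass = auth is not None and any(r.findtext("result") == "pass" for r in auth)
    if dmarc_pass:
        return "aligned"
    if raw_pass:
        return "alignment-failure"
    return "unauthenticated"


def parse_report(xml_text: str) -> dict:
    """Return reporter, published policy, totals and one entry per source IP."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "total": 0,
        "passed": 0,
        "sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        category = classify(rec)
        auth = rec.find("auth_results")
        summary["sources"].append({
            "ip": rec.findtext("row/source_ip"),
            "count": count,
            "category": category,
            # Domains the raw checks were evaluated for: this is how you spot
            # which third-party service needs DKIM signing on your domain.
            "auth_domains": [r.findtext("domain") for r in auth] if auth is not None else [],
        })
        summary["total"] += count
        if category == "aligned":
            summary["passed"] += count
    return summary


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(f"{s['reporter']} reported on {s['domain']} (p={s['policy']}): "
          f"{s['passed']}/{s['total']} messages passed DMARC")
    for src in s["sources"]:
        print(f"  {src['ip']:<15} {src['count']:>5}  {src['category']:<18} {src['auth_domains']}")
```

The "alignment-failure" bucket is the one to work through during Phase 1: each entry names the domain the service authenticated as, which tells you which provider still needs a DKIM key published under your domain before the policy can move to quarantine or reject. The "unauthenticated" bucket is what the eventual p=reject policy will stop.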
Checking DMARC
dig _dmarc.example.com TXT
curl "https://domscan.net/v1/health?domain=example.com"
# Returns hasDMARC status
Common DMARC Issues
No reports received: Ensure the rua address can receive large emails; some providers filter them.
Legitimate email failing: Check the SPF/DKIM configuration for all sending services; verify alignment.
Third-party services failing: Many services require custom DKIM setup for DMARC alignment.
DMARC is the capstone of email authentication—implement it after SPF and DKIM are working correctly.