Authentication

DMARCDomain-based Message Authentication, Reporting & Conformance

Q: What DMARC policy should I start with?

Start with p=none and a valid rua address, collect at least two weeks of aggregate reports, confirm every legitimate source aligns, then move to p=quarantine and finally p=reject.

Definition

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email-authentication standard, defined in RFC 7489, that tells receiving servers what to do with mail that fails SPF or DKIM, and emails the domain owner reports on who is sending under their name. It is published as one DNS TXT record, and it is what finally lets a domain say “reject anything that isn’t really from me.”

It is the only layer that protects your visible From: address from spoofing
Start at p=none to monitor, then tighten to quarantine and reject
Required for bulk senders to Gmail and Yahoo since February 2024
A passing SPF or DKIM check still fails DMARC unless it aligns with your domain

At a glance

Record type DNS TXT

Hostname _dmarc.yourdomain.com

Defined in RFC 7489 (2015)

Builds on SPF + DKIM

Policies none · quarantine · reject

Required by Gmail & Yahoo bulk senders (Feb 2024)

How DMARC works

DMARC sits on top of two existing checks: SPF (did the message come from an IP the domain authorises?) and DKIM (does it carry a valid cryptographic signature from the domain?). On their own, neither check looks at the From: address your recipient actually sees. DMARC closes that gap with a rule called alignment.

For a message to pass DMARC, at least one of SPF or DKIM must pass and be aligned, meaning the domain it authenticated matches the visible From: domain. Alignment can be relaxed (the organizational domain must match, so mail.example.com aligns with example.com) or strict (an exact match is required). If both checks fail, or neither aligns, the receiver applies whatever policy you published.

The three DMARC policies

Your policy is set with the p= tag, and it is the single most consequential part of the record:

p=none: monitor only. Take no action on failures, but send me the reports. Every sender should start here.
p=quarantine: treat failing mail as suspicious. Most receivers route it to the spam folder.
p=reject: block failing mail outright at the SMTP layer, before it can reach the inbox. This is the only policy that actually stops exact-domain spoofing.

The intended path runs from none to quarantine to reject: begin in monitoring, read your aggregate reports until you are confident every legitimate source authenticates and aligns, then tighten. Jumping straight to p=reject before your reports are clean is the fastest way to block your own invoices and password resets.

Anatomy of a DMARC record

A DMARC record is a list of tag=value pairs in a single TXT record at _dmarc.yourdomain.com. A typical enforcing record looks like this:

An enforcing DMARC record with strict alignment and aggregate reporting

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100; fo=1

v=DMARC1: version. Required, and must come first.
p=reject: the policy for the main domain.
rua=mailto:…: where to send daily aggregate reports (the ones worth reading).
adkim=s / aspf=s: require strict DKIM/SPF alignment (r = relaxed, the default).
pct=100: apply the policy to 100% of mail (ramp with a lower number if you like).
fo=1: request a failure sample whenever any underlying check fails.

Why DMARC matters for sender reputation

Since February 2024, Google and Yahoo require every bulk sender (anyone sending 5,000 or more messages a day to Gmail or Yahoo accounts) to publish a DMARC record of at least p=none, on top of passing aligned SPF and DKIM. Microsoft began enforcing the same baseline for high-volume senders to Outlook and Hotmail in 2025. Without a record, that mail is now liable to be rejected or sent straight to spam.

Beyond the mandate, DMARC protects the asset your whole reputation is built on: your domain. A published reject policy makes it dramatically harder for spammers to send phishing in your name, and exact-domain spoofing is one of the fastest ways to torch a previously good reputation. The aggregate reports are also the only place you can see every service sending as your domain, including shadow IT and long-forgotten vendors.

How DMARC decides what happens to a message

A message arrives claiming to be from your domain

The receiver checks SPF and DKIM

SPF: is the sending IP authorised? DKIM: is the signature valid?

Does a passing check align with the visible From: domain?

If it aligns, the message passes DMARC and is delivered normally

If not, your published policy decides

none: let through quarantine: send to spam reject: block outright

SPF vs DKIM vs DMARC

	SPF	DKIM	DMARC
What it checks	Which servers may send	The message is signed and unaltered	That SPF or DKIM aligns with `From:`
Mechanism	DNS list of IPs	Cryptographic signature	DNS policy + reports
Sees the `From:` address?	No	No	Yes, through alignment
Stops spoofing alone?	No	No	Yes, with `p=reject`

By the numbers

5,000+/day

The bulk-sender threshold at which Gmail and Yahoo require a DMARC record, since February 2024.

0.3%

The spam-complaint rate Google asks bulk senders to stay under in Postmaster Tools.

Policies you can publish: none, quarantine, and reject.

Common mistakes

Living on p=none forever

A monitoring policy gives you reports but zero protection. none is a starting line, not a destination. If you never reach quarantine or reject, anyone can still spoof you.

Going straight to p=reject

Publishing an enforcing policy before your reports are clean blocks your own legitimate mail (newsletters, CRMs, invoicing tools) the moment it fails alignment. Ramp through none first.

SPF passes, but doesn’t align

A message can pass SPF on your ESP’s Return-Path domain yet still fail DMARC because that domain doesn’t match your visible From:. Authentication and alignment are two different tests.

No rua reporting address

Without an aggregate-report address you are flying blind: you can’t see who is sending as you, so you can never safely tighten the policy.

Frequently asked questions

Is DMARC required?

For bulk senders, yes. Since February 2024 Google and Yahoo require any domain sending 5,000 or more messages per day to their users to publish a DMARC record (minimum p=none) alongside aligned SPF and DKIM. Smaller senders aren’t mandated, but a DMARC record is still strongly recommended to prevent spoofing.

What’s the difference between SPF, DKIM, and DMARC?

SPF authorises which servers may send for your domain; DKIM cryptographically signs each message; DMARC ties them to the visible From: address through alignment and tells receivers what to do when both fail. SPF and DKIM are the checks; DMARC is the policy and reporting layer on top.

Why is my email failing DMARC even though SPF passes?

Almost always alignment. SPF can pass on the Return-Path (envelope) domain, often your ESP’s, while DMARC compares against the From: domain your recipient sees. If those organizational domains don’t match, DMARC fails despite a green SPF check. Fix it by DKIM-signing with your own domain, or by using a custom Return-Path.

What DMARC policy should I start with?

Start with p=none and a valid rua address, collect at least two weeks of aggregate reports, confirm every legitimate source aligns, then move to p=quarantine and finally p=reject.

Sources & further reading

RFC 7489 · The DMARC core specification Google Email Sender Guidelines · Bulk-sender requirements (Gmail) Yahoo Sender Best Practices · Authentication and bulk-sending requirements

Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary