What is a DMARC record?
DMARC, short for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication standard that builds on SPF and DKIM. A DMARC record is a single DNS TXT record published at _dmarc.yourdomain.com, beginning with v=DMARC1. It does two things: it tells receiving mail servers what policy to apply when a message fails authentication, and it asks them to send back reports showing who is using your domain to send mail.
The standard is defined in RFC 7489. Since 2024, Google, Yahoo, and Microsoft have all required a published DMARC record for bulk senders, so a valid record is no longer optional if you send any meaningful volume of email.
How DMARC uses SPF and DKIM alignment
DMARC does not replace SPF and DKIM. It sits on top of them and adds the concept of alignment. SPF checks the envelope sender, and DKIM checks a cryptographic signature, but neither one looks at the visible From address your recipients actually see. DMARC closes that gap by requiring the authenticated domain to match the From domain.
A message passes DMARC when SPF passes and aligns with the From domain, or when DKIM passes and aligns with it. Only one of the two needs to align. Alignment can be relaxed, which matches the organizational domain, or strict, which requires an exact match. Relaxed is the default and works for most senders.
- SPF alignment (aspf): compares the From domain with the domain SPF authenticated. Set to
rfor relaxed orsfor strict. - DKIM alignment (adkim): compares the From domain with the domain in the DKIM signature. Also
rors. - Pass logic: if either SPF or DKIM passes and aligns, DMARC passes, regardless of the other result.
The policies: p=none, p=quarantine, and p=reject
The policy tag, p=, is the heart of a DMARC record. It tells receivers what to do with mail that fails the alignment check above.
- p=none is monitoring only. Failing mail is still delivered normally, but you receive reports. It collects data and provides no spoofing protection on its own, so it is a starting point, not a destination.
- p=quarantine asks receivers to treat failing mail with suspicion, usually by routing it to the spam folder. It is the first enforcing policy.
- p=reject tells receivers to block failing mail outright, so it never reaches the inbox or the spam folder. This is the strongest setting and the goal of a full rollout.
Two related tags shape how the policy is applied. The subdomain policy, sp=, sets a separate rule for subdomains and defaults to the main policy when omitted. The percentage tag, pct=, applies the policy to only a sample of failing mail, which is useful while ramping up but should reach 100 before you rely on enforcement.
Reading aggregate reports
The reporting tags are what make DMARC actionable. The aggregate report tag, rua=, names an address that receives daily XML summaries from mailbox providers. Each report lists the sending IP addresses seen using your domain, the volume from each, and whether those messages passed SPF, DKIM, and alignment.
These reports are how you discover every legitimate service that sends on your behalf, from your help desk to your newsletter platform, before you tighten the policy. A forensic tag, ruf=, can request per-message failure samples, but many providers no longer send them for privacy reasons, so aggregate reporting is the one that matters. Without a rua address you are enforcing blind, with no visibility into what your policy is affecting.
Rolling out DMARC safely
The safe path is gradual. Moving straight to p=reject before you have mapped every sender is the fastest way to block your own legitimate mail. Work through these steps in order, re-scanning after each change.
- Publish p=none with rua. Start in monitoring mode with an aggregate report address so you collect data without affecting delivery.
- Authenticate every sender. Read the reports, then bring each legitimate service into SPF and DKIM alignment until the failures you see are only spoofing attempts.
- Move to p=quarantine. Once the reports are clean, switch to quarantine, optionally using
pctto ramp from a small sample up to 100 percent. - Finish at p=reject. When quarantine causes no collateral damage, move to reject for full protection against spoofing of your domain.
DMARC only works when SPF and DKIM are in place first. Confirm both with the SPF record checker and the DKIM record checker, build a policy with the DMARC record generator, then grade everything together with the sender reputation checker.