DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.
DMARC verifies that emails are actually sent from the domain they claim to be from, using SPF and DKIM authentication methods.
DMARC provides detailed reports about who is sending emails on behalf of your domain, including legitimate and fraudulent sources.
DMARC allows you to tell receiving mail servers what to do with emails that fail authentication: monitor, quarantine, or reject them.
1. Set up SPF and DKIM
Before implementing DMARC, ensure your domain has proper SPF and DKIM records configured. These form the foundation of DMARC authentication.
2. Create DMARC Record
Start with a monitoring policy to collect data without affecting email delivery:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com
3. Monitor and Analyze
Use DMARC reporting tools to analyze authentication failures and identify all legitimate sources sending email on behalf of your domain.
4. Gradually Enforce Policy
Once you've identified all legitimate sources, gradually move from monitoring (p=none) to quarantine (p=quarantine) and finally to reject (p=reject).
Pro Tip
Always start with p=none to monitor your email authentication without impacting delivery. Move to enforcement only after analyzing reports for several weeks.
Consider enabling DMARC aggregate visualization so trends are obvious to non-technical stakeholders. Pair DMARC with SPF, DKIM key rotation, and strict TLS (MTA-STS) for resilient delivery. As confidence grows, raise pct toward 100 and enforce subdomain policies with sp=. Finally, publish BIMI to display verified brand logos in inboxes too.
Monitoring Only
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Quarantine Policy
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
Strict Policy
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Alignment Issues
SPF and DKIM must align with the From domain. Strict alignment requires exact matches, while relaxed alignment allows subdomain matches.
Third-party Services
Email services like marketing platforms, CRMs, and support systems may fail DMARC if not properly configured to align with your domain.
Forwarding Problems
Email forwarding can break SPF alignment, causing legitimate emails to fail DMARC. This is a common issue with mailing lists and auto-forwarding rules.