DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the third leg of the email-authentication stool. It builds on SPF and DKIM and adds two things: alignment requirements and reporting.
Where it lives
DMARC is a TXT record at _dmarc.example.com. A typical record looks like: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100.
Alignment
SPF and DKIM each have their own concept of "the domain", and DMARC's contribution is to require alignment with the visible From: address. SPF or DKIM can pass on a different domain (a forwarder, an ESP), but DMARC requires that at least one of them passes and is aligned with the From header.
Policy levels
- p=none — monitor mode. Receivers report on failures but don't reject. Use this for the first weeks while collecting data.
- p=quarantine — failing mail goes to spam.
- p=reject — failing mail is rejected outright. The end goal.
Reporting
The rua tag specifies an email address where receivers send aggregate XML reports — a list of every IP that sent mail claiming to be your domain in the last day. This is invaluable for auditing your sending infrastructure and finding spoofing attempts.
Related: SPF · DKIM · TXT lookup.