DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the third leg of the email-authentication stool. It builds on SPF and DKIM and adds two things: alignment requirements and reporting.
Where it lives
DMARC is a TXT record at _dmarc.example.com. A typical record looks like: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100.
Alignment
SPF and DKIM each have their own concept of "the domain"; DMARC's contribution is to require that the domain they authenticate aligns with the visible From: address. SPF or DKIM can pass on a different domain (a forwarder, an ESP), but DMARC passes only if at least one of them passes and is aligned with the From header.
Each mechanism has two alignment modes: strict (exact match) and relaxed (same organizational domain). Relaxed is the default and almost always what you want; strict breaks subdomain-based sending immediately.
Policy levels
- p=none: monitor mode. Receivers report on failures but don't reject. Use this for the first weeks while collecting data.
- p=quarantine: failing mail goes to spam.
- p=reject: failing mail is rejected outright. The end goal.
Worked example: p=none → p=reject in six weeks
Week 1: publish v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100. Set up an inbox or use a vendor (dmarcian, EasyDMARC, Postmark's free DMARC monitoring) to parse the daily XML reports.
Weeks 2–3: read the reports. You'll find legitimate senders you forgot about (the contractor sending invoices from a personal Mailchimp, the monitoring tool that emails alerts, etc.). Add each to your SPF and/or set up DKIM for them. Reports trend from "mixed pass/fail" toward "almost all pass."
Week 4: move to p=quarantine; pct=10. Only 10% of failing mail goes to spam; the remaining 90% is still handled as under p=none. This is a safety valve in case you missed a sender. Watch reports for new failures.
Week 5: p=quarantine; pct=100. All failing mail quarantined.
Week 6: p=reject; pct=100. You're done. Spoofed mail is now rejected at the receiver, never reaching inboxes.
Reading an aggregate report
The XML lists every IP that sent mail claiming to be your domain in the last 24 hours: source IP, count, SPF result, DKIM result, alignment, and the disposition the receiver applied. Two failure patterns to watch for: (1) IPs you don't recognize sending high volumes — that's spoofing, and your DMARC reject policy is the fix; (2) IPs you do recognize failing alignment — that's a misconfigured legitimate sender, fix the config.
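The triage described above, as an added example (not WhereIsDNS code): it parses a constructed aggregate report, counts rows that passed an aligned check, and splits the remaining rows by whether the source IP is in a known-sender list you maintain (assumed here to mirror the networks in your SPF record).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample rua report with three rows: an aligned pass, a known sender
# whose SPF passes on an unaligned domain, and an unknown high-volume source.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>35</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>4800</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

# Constructed: networks you know send on your behalf (what your SPF record lists).
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]

def triage(report_xml, known_senders=KNOWN_SENDERS):
    """Bucket each <record> by the two failure patterns; counts are message counts."""
    root = ET.fromstring(report_xml)
    out = {"pass": 0, "misconfigured": [], "unrecognized": []}
    for rec in root.iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated carries the aligned verdicts: DMARC passes if either is "pass"
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            out["pass"] += count
            continue
        # Raw results that passed but did not align tell you which mechanism to fix
        raw_pass = [a.tag for a in rec.find("auth_results") if a.findtext("result") == "pass"]
        entry = {"ip": str(ip), "count": count, "raw_pass": raw_pass}
        if any(ip in net for net in known_senders):
            out["misconfigured"].append(entry)  # pattern 2: known sender failing alignment
        else:
            out["unrecognized"].append(entry)   # pattern 1: unknown source, spoofing candidate
    return out

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_REPORT).items():
        print(bucket, rows)
```

A real report from a vendor or rua inbox is parsed the same way; only the known-sender list is yours to maintain.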
Reporting tags
- rua: aggregate report destination. Daily XML.
- ruf: forensic report destination. Per-failure data. Most receivers don't send these anymore due to privacy concerns.
- sp: subdomain policy. Defaults to the same as p if omitted. Set this explicitly if you want stricter handling for subdomains.
- adkim/aspf: alignment mode for DKIM/SPF. Default r (relaxed). Use s (strict) only if you understand the implications.
Verify on WhereIsDNS
Run the DMARC check on your domain. It queries _dmarc.<domain> across all 14 resolvers. Consistency across resolvers means the policy is published; the policy level (p=...) tells you whether it's actually enforcing.
Related: SPF · DKIM · TXT lookup.