What Is DMARC? A Complete Guide for 2026
DMARC is one of the most important email authentication protocols available today. This guide covers everything you need to know — from what DMARC is and why it matters to a step-by-step setup walkthrough.
What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that builds on two existing mechanisms — SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — to give domain owners control over what happens when an email fails authentication checks.
Published as a DNS TXT record at _dmarc.yourdomain.com, DMARC tells receiving mail servers how to handle emails that claim to come from your domain but pass neither SPF nor DKIM with alignment. Without DMARC, anyone can send emails pretending to be your organization — and inbox providers have no policy instruction from you on what to do about it.
How Does DMARC Work?
When a receiving mail server gets an email, it performs several checks. First, it verifies the SPF record to confirm the sending server is authorized. Then it checks the DKIM signature to verify the message integrity. DMARC adds a critical layer on top: it checks whether the domain in the visible "From" header aligns with the domains authenticated by SPF or DKIM.
This alignment check is what makes DMARC powerful. An attacker might pass SPF for their own domain while spoofing your domain in the "From" field. DMARC catches this by requiring that the authenticated domain matches the visible sender domain.
The DMARC check follows this flow:
- Receiving server extracts the domain from the "From" header.
- It looks up the DMARC record at _dmarc.domain.com.
- It runs SPF and DKIM checks and evaluates alignment.
- If both fail alignment, it applies the DMARC policy (none, quarantine, or reject).
- It sends aggregate and/or forensic reports back to the domain owner.
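The alignment step in this flow, as an added example (not code from any mail server or from this site's tools). The function names, the AuthResult type and the sample domains are assumptions for illustration, and the organizational domain is approximated as the last two labels, where a real receiver would consult the Public Suffix List.

```python
# Added example: DMARC identifier alignment and policy decision.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 's' (strict) needs an exact match; 'r' (relaxed) needs the
    same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

@dataclass
class AuthResult:
    passed: bool   # did the SPF or DKIM check itself pass?
    domain: str    # SPF: envelope sender domain; DKIM: signing (d=) domain

def dmarc_evaluate(from_domain, spf, dkim, policy="none", adkim="r", aspf="r"):
    """Return (result, action) for one message."""
    spf_ok = spf.passed and aligned(from_domain, spf.domain, aspf)
    dkim_ok = dkim.passed and aligned(from_domain, dkim.domain, adkim)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # Both identifiers failed alignment: the published policy decides.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", action[policy])

# Constructed messages, all with example.com in the visible From header.
# 1) Spoof: SPF and DKIM pass, but for the sender's own domain.
spoof = dmarc_evaluate("example.com",
                       AuthResult(True, "mailer.example.net"),
                       AuthResult(True, "mailer.example.net"), policy="reject")
# 2) Third-party sender: SPF unaligned, DKIM signed as a subdomain.
vendor = dmarc_evaluate("example.com",
                        AuthResult(True, "bounce.example.org"),
                        AuthResult(True, "mail.example.com"), policy="reject")
# 3) Same message when the domain owner publishes adkim=s (strict).
strict = dmarc_evaluate("example.com",
                        AuthResult(True, "bounce.example.org"),
                        AuthResult(True, "mail.example.com"),
                        policy="quarantine", adkim="s")

if __name__ == "__main__":
    print(spoof, vendor, strict)
```

Case 2 shows why one aligned identifier is enough for a third-party sender, and case 3 shows how strict DKIM alignment turns the same message into a failure.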
Why Does DMARC Matter?
Email spoofing remains one of the most common attack vectors for phishing and business email compromise (BEC). The FBI estimates that BEC attacks cost businesses billions of dollars annually. DMARC is your first line of defense against domain impersonation.
Beyond security, DMARC directly impacts email deliverability. Major inbox providers like Google and Yahoo now require DMARC for bulk senders. As of 2024, senders without a published DMARC record experience higher bounce rates and lower inbox placement. A properly configured DMARC policy signals to inbox providers that your domain is trustworthy and protected.
You can check your domain's current DMARC configuration using our free DMARC Checker tool.
How to Set Up DMARC Step by Step
Setting up DMARC requires that you already have SPF and DKIM configured for your domain. If you haven't done that yet, start with our guides on SPF and DKIM first.
- Start with monitoring mode. Add a DNS TXT record at _dmarc.yourdomain.com with the value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Monitor your reports. Wait 2-4 weeks and review the aggregate reports sent to your rua address. Identify all legitimate senders and ensure they pass SPF and DKIM alignment.
- Move to quarantine. Once you are confident that all legitimate mail passes, change p=none to p=quarantine. You can also use the pct tag to apply the policy to a percentage of messages first.
- Enforce with reject. After quarantine has been running smoothly, upgrade to p=reject for maximum protection.
DMARC Tags Explained
A DMARC record consists of several tags. Here are the most important ones:
- v — Version. Always DMARC1.
- p — Policy. What to do with failing emails: none, quarantine, or reject.
- sp — Subdomain policy. Same options as p, but for subdomains.
- rua — Aggregate report URI. Where to send daily aggregate reports (XML format).
- ruf — Forensic report URI. Where to send detailed failure reports (not widely supported).
- adkim — DKIM alignment mode. r (relaxed, default) or s (strict).
- aspf — SPF alignment mode. Same as adkim.
- pct — Percentage of messages the policy applies to (1-100). Useful for gradual rollout.
- fo — Failure reporting options. Controls when forensic reports are generated.
Common DMARC Mistakes to Avoid
Even experienced administrators make these mistakes when deploying DMARC:
- Jumping straight to p=reject. Always start with p=none and monitor before enforcing. Skipping this step can block legitimate emails from third-party senders you forgot about.
- Not setting up rua reports. Without aggregate reports, you are flying blind. You won't know which senders pass or fail.
- Forgetting about subdomains. If you don't set the sp tag, subdomains inherit the parent policy. Attackers often target subdomains without their own DMARC records.
- Not aligning SPF and DKIM. DMARC requires alignment — the domain in the From header must match the domain authenticated by SPF or DKIM. Make sure your third-party senders support custom DKIM signing or envelope sender alignment.
- Publishing multiple DMARC records. Only one DMARC record should exist per domain. Multiple records cause unpredictable behavior.
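A record check covering the tags and mistakes listed above, as an added example (not the code behind this site's checker tools). It takes the TXT strings already retrieved from _dmarc.<domain>; the function names, the finding wording and the sample records are assumptions for illustration.

```python
# Added example: lint the TXT strings published at _dmarc.<domain>.
import re

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt_records: list) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    dmarc = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not dmarc:
        return ["no DMARC record published"]
    if len(dmarc) > 1:
        return ["multiple DMARC records published; keep exactly one"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is not blocked")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will arrive")
    if "sp" not in tags:
        findings.append("no sp tag: subdomains inherit the p policy")
    for mode_tag in ("adkim", "aspf"):
        if tags.get(mode_tag, "r").lower() not in ("r", "s"):
            findings.append(f"{mode_tag} must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct is not a valid percentage")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings

# Constructed records (example.com is a placeholder domain).
MONITORING = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
DUPLICATE = ["v=DMARC1; p=reject", "v=DMARC1; p=none"]
ENFORCED = ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"]
ROLLOUT = ["v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for name in ("MONITORING", "DUPLICATE", "ENFORCED", "ROLLOUT"):
        print(name, lint_dmarc(globals()[name]))
```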
Verify Your DMARC Configuration
Once you have published your DMARC record, use our free tools to verify your setup:
- DMARC Checker — Verify your DMARC record, policy, and reporting configuration.
- SPF Checker — Validate your SPF record and authorized senders.
- DKIM Checker — Verify your DKIM signatures and DNS records.