What Is DMARC (Domain-based Message Authentication)?
DMARC is an email authentication protocol that builds on SPF and DKIM to give domain owners control over how receiving servers handle emails that fail authentication.
How DMARC Works
DMARC is published as a TXT record at _dmarc.yourdomain.com. When a receiving server gets an email, it checks whether the message passes SPF or DKIM with alignment, meaning the domain that SPF or DKIM authenticated must match the domain in the visible From header (the domain the recipient sees). Based on the DMARC policy in that record, the server then delivers, quarantines, or rejects the message.
DMARC also enables reporting. Domain owners receive aggregate reports showing which emails pass and fail authentication, giving visibility into which sources are sending email as their domain.
Why DMARC Matters
DMARC closes the gap left by SPF and DKIM alone. Without DMARC, an attacker can pass SPF with their own domain as the envelope sender while displaying your domain in the visible From header, and the receiving server has no policy instruction from you about what to do. DMARC fixes this with alignment checks and enforcement policies. Since 2024, Google and Yahoo require DMARC for bulk senders.
DMARC Policies
DMARC supports three policy levels: p=none (monitor only), p=quarantine (send to spam), and p=reject (block entirely). Start with p=none and monitor reports before escalating.
Frequently Asked Questions
What are the three DMARC policies?
The three DMARC policies are p=none (monitor only), p=quarantine (send failing emails to spam), and p=reject (block failing emails entirely). Organizations should start with none, then move to quarantine and reject.
Does DMARC replace SPF and DKIM?
No. DMARC builds on top of SPF and DKIM — it requires at least one of them to pass with alignment. All three protocols work together.
What is DMARC alignment?
DMARC alignment means the domain in the visible From header must match the domain authenticated by SPF or DKIM. This prevents attackers from passing authentication with their own domain while spoofing yours.
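The following is an added example (not code from the original article) that ties together the "How DMARC Works" section, the policy levels, and the alignment question just answered: it parses a DMARC TXT record, applies strict or relaxed alignment between the From domain and the SPF/DKIM-authenticated domains, and returns the disposition the receiver would apply. The organizational-domain logic uses a tiny hard-coded suffix table rather than the real Public Suffix List, the record is passed in as a string instead of being looked up in DNS, and the SPF/DKIM results are assumed to have already been computed; those are all simplifications of mine, as is the omission of the pct= and sp= tags.

```python
"""Added example: evaluate DMARC (record parsing, alignment, disposition) for one message."""
from dataclasses import dataclass

# Toy public-suffix table (assumption): a real implementation uses the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):          # longest public suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResult:
    spf_result: str    # outcome of the SPF check ("pass", "fail", ...)
    spf_domain: str    # envelope (MAIL FROM) domain that SPF checked
    dkim_result: str   # outcome of DKIM signature verification
    dkim_domain: str   # d= domain of the DKIM signature


def evaluate_dmarc(record_txt: str, from_domain: str, auth: AuthResult) -> dict:
    """DMARC passes if SPF or DKIM passed *and* is aligned; otherwise the p= policy applies."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags["p"],
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    # Constructed case: raw SPF passes for the attacker's own domain, From header says example.com.
    spoof = AuthResult("pass", "attacker.example", "fail", "attacker.example")
    print(evaluate_dmarc(record, "example.com", spoof))
```

Running the spoofing case returns a DMARC fail with disposition "reject": SPF passed, but for the wrong domain, so alignment fails and the published policy decides the outcome. A legitimate message signed with a DKIM d=example.com key, or sent from an envelope domain such as bounce.example.com under relaxed alignment, passes and is delivered normally.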