DMARC records, explained
What a DMARC record does, how it protects your domain from email spoofing, and how to set up a sensible policy for your business.
Even if you've set up SPF and DKIM, there's one more piece that ties everything together: DMARC. It tells receiving email servers what to do when an email fails authentication — and gives you reports so you can see if anyone is spoofing your domain. This guide explains DMARC in plain English.
Quick summary
DMARC is a DNS TXT record that sets a policy for handling emails that fail SPF or DKIM checks. Options range from "monitor only" to "reject failing emails." DMARC also enables email abuse reports to be sent to you. It's the final piece of a three-part email authentication system.
What DMARC stands for
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It builds on SPF and DKIM by telling receiving servers what to do when those checks fail.
How DMARC works
1. A receiving server gets an email claiming to be from @yourbusiness.com.
2. SPF and DKIM checks are performed (see SPF records and DKIM records).
3. If both checks pass, the email is delivered normally. DMARC has no action to take.
4. If either check fails, the receiving server looks up your DMARC record to find out what policy to apply.
5. The policy is applied: monitor, quarantine, or reject.
6. Reports may be sent to the address specified in your DMARC record, summarizing authentication activity.
The three DMARC policies
| Policy | What it means | When to use it |
|---|---|---|
| p=none | Monitor only — take no action on failing email | Starting out; learning what's being sent |
| p=quarantine | Send failing email to spam/junk | Moderate protection; not confident all sources are covered |
| p=reject | Refuse to deliver failing email | Full protection; confident all legitimate senders are covered |
What a DMARC record looks like
A DMARC record is a TXT record added to your DNS at the name _dmarc:
_dmarc.yourbusiness.com
A simple monitoring DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.com
A stricter record that quarantines failing email:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourbusiness.com
Breaking down the parts
| Part | What it means |
|---|---|
| v=DMARC1 | Declares this is a DMARC record |
| p=none/quarantine/reject | The policy to apply |
| pct=100 | Apply the policy to 100% of failing email (default) |
| rua=mailto:email@domain | Send aggregate reports to this address |
| ruf=mailto:email@domain | Send forensic (detailed failure) reports to this address |
| sp= | Policy for subdomains (if different from the main policy) |
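An added example (not part of the original guide): a small Python parser for the record format broken down above. It applies the pct and sp defaults and lists what still separates a record from full enforcement. The function names and finding messages are illustrative assumptions, and the sample records are constructed from the ones shown on this page.

```python
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict of tags, with defaults applied."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    if len(tags) != len(pairs):
        raise ValueError("a tag appears more than once")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # subdomains inherit p
    if tags["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # 100 is the default
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(pct)
    for key in ("rua", "ruf"):  # comma-separated report addresses
        tags[key] = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
    return tags


def rollout_findings(tags):
    """List what still stands between this record and full enforcement."""
    findings = []
    if not tags["rua"]:
        findings.append("no rua address, so no aggregate reports will arrive")
    if tags["p"] == "none":
        findings.append("p=none only monitors; no action is taken on failing email")
    if tags["pct"] < 100:
        findings.append(f"pct={tags['pct']} applies the policy to part of failing email")
    if POLICIES.index(tags["sp"]) < POLICIES.index(tags["p"]):
        findings.append(f"sp={tags['sp']} leaves subdomains weaker than p={tags['p']}")
    return findings


# Constructed samples: the two records shown on this page.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.com"
STRICT = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourbusiness.com"
```

Calling `rollout_findings(parse_dmarc(MONITOR))` returns a single finding about p=none, while the stricter record returns an empty list.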
A recommended starting approach
Start with a monitoring-only policy to understand what's being sent from your domain before tightening the policy:
1. Start with p=none and set up a rua email address to receive aggregate reports.
2. Review reports over a few weeks. The reports (usually in XML format) show you what services are sending email from your domain. Tools like Postmark's DMARC Digests or MXToolbox DMARC Analyzer can make these readable.
3. Make sure all legitimate senders (your email provider, newsletter tool, CRM) are covered by SPF and have DKIM enabled.
4. Move to p=quarantine once confident, then p=reject for maximum protection.
Don't jump straight to reject
Moving directly to p=reject without verifying all your sending sources can cause legitimate emails to be refused. Take the time to monitor first.
DMARC alignment
DMARC also requires alignment — the domain in the email's "From" header must align with the domain that passed SPF or DKIM. This prevents attackers from using a legitimate mail server to send spoofed email.
Related guides
- SPF records, explained
- DKIM records, explained
- Email DNS records (MX, SPF, DKIM, DMARC)
- Why your emails land in spam (deliverability)