Imagine waking up to find hundreds of angry replies from people who never signed up to your newsletter — because someone sent thousands of spam emails pretending to be you. This is email spoofing, and without DMARC, your domain is wide open to it.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It's a DNS record that tells receiving mail servers what to do when they receive an email claiming to be from your domain that fails authentication checks.
DMARC works by building on two older standards, SPF and DKIM.
DMARC ties them together. If an email claiming to be from your domain fails both SPF and DKIM, DMARC tells the receiver: "monitor it", "put it in spam", or "reject it outright."
The core of your DMARC record is the p= tag, which sets the policy:
p=none — Monitor mode. No action is taken on failing mail, but you receive reports. This is where everyone starts.
p=quarantine — Soft enforcement. Failing mail is sent to the spam folder instead of the inbox.
p=reject — Full enforcement. Failing mail is outright rejected and never delivered. The gold standard.
💡 Start with p=none and monitor reports for 2–4 weeks before moving to quarantine. Jumping straight to p=reject can break legitimate email flows you didn't know existed.
DMARC records are published as a TXT record at _dmarc.yourdomain.com. Here's a basic example:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;
Breaking it down:
v=DMARC1 — Required version tag
p=none — Policy (none / quarantine / reject)
rua= — Where to send aggregate reports (XML summaries of all traffic)
pct=100 — Apply the policy to 100% of failing mail
Step 1 — Make sure SPF and DKIM are working first. DMARC needs at least one of them to pass for mail to be considered legitimate. Use Fred's checker to verify.
Step 2 — Create a mailbox for DMARC reports. Something like dmarc@yourdomain.com. You'll receive XML aggregate reports from Gmail, Microsoft, Yahoo and others showing which servers are sending mail as your domain.
Step 3 — Publish a p=none record. Add this TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100;
Step 4 — Monitor for 2–4 weeks. Check your reports. Tools like dmarcian can parse the XML for you. Look for any legitimate services (newsletters, CRMs, helpdesks) sending mail as your domain that might not be covered by your SPF record.
Step 5 — Ramp up. Once you're confident all legitimate senders are covered, move to p=quarantine; pct=10 and increase the percentage over the following weeks, then move to p=reject.
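An added example for Step 4 (not from the original article): a short Python script that summarizes a DMARC aggregate report per sending IP, so sources failing both checks and senders passing on DKIM alone stand out. The report is constructed, the function names are hypothetical, and it assumes the XML has already been extracted from the compressed attachment and carries no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges), trimmed to the fields used here.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")
SAMPLE_REPORT = "<feedback>" + "".join(ROW.format(ip=i, n=n, dkim=d, spf=s) for i, n, d, s in [
    ("192.0.2.10", 120, "pass", "pass"),   # covered sender
    ("203.0.113.5", 15, "pass", "fail"),   # DKIM-signed service missing from SPF
    ("198.51.100.7", 40, "fail", "fail"),  # unknown sender or spoofing
    ("198.51.100.7", 5, "fail", "fail"),
]) + "</feedback>"

def summarize(xml_text):
    """Per source IP: total messages, DMARC failures, and SPF-only gaps."""
    if "<!DOCTYPE" in xml_text:
        # Reports arrive from third parties: refuse DTDs (entity-expansion tricks).
        raise ValueError("DOCTYPE not allowed in aggregate report")
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "spf_gap": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        entry = stats[ip]
        entry["total"] += count
        if dkim != "pass" and spf != "pass":
            entry["dmarc_fail"] += count   # would be hit by quarantine/reject
        elif spf != "pass":
            entry["spf_gap"] += count      # passes only because DKIM passed
    return dict(stats)

def review_list(xml_text):
    """IPs with any failure, highest failing volume first."""
    flagged = [(ip, s) for ip, s in summarize(xml_text).items()
               if s["dmarc_fail"] or s["spf_gap"]]
    return sorted(flagged, key=lambda kv: kv[1]["dmarc_fail"] + kv[1]["spf_gap"],
                  reverse=True)

if __name__ == "__main__":
    for ip, s in review_list(SAMPLE_REPORT):
        print(f"{ip}: {s['total']} msgs, {s['dmarc_fail']} fail DMARC, "
              f"{s['spf_gap']} pass on DKIM only")
```

Any IP in the review list that belongs to a service you use needs to be covered before you raise the policy in Step 5; the rest is mail the stricter policy is meant to stop.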
In February 2024, Google and Yahoo introduced new bulk sender requirements. Any domain sending more than 5,000 emails per day to Gmail or Yahoo must have DMARC configured. But even for smaller senders, a DMARC record signals to mail providers that your domain is legitimate — improving deliverability even at p=none.
p=reject immediately — Always start with p=none and monitor first
rua= address — Without reports you're flying blind; you can't see what's failing
sp=reject to also cover subdomains that don't send mail