DMARC Explained: Domain-based Message Authentication

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It builds on SPF and DKIM by adding two critical capabilities:

Alignment. It checks whether the domain in the visible From: header matches the authenticated SPF and DKIM domains.
Policy & Reporting. It tells receiving servers what to do with messages that fail authentication (none, quarantine, or reject) and provides daily reports.

DMARC is widely considered essential for serious email senders, especially those sending marketing, newsletters, or high-volume transactional email.

DMARC DNS Record Syntax

The DMARC record is published as a DNS TXT record at _dmarc.your-domain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100; adkim=r; aspf=r; fo=1

p= — Policy: none, quarantine, or reject
rua= — Address for aggregate reports (daily XML summaries)
ruf= — Address for forensic (failure) reports
pct= — Percentage of messages to apply the policy to (useful for gradual rollout)
adkim= / aspf= — Alignment mode: r (relaxed) or s (strict)

Recommended DMARC Rollout Playbook

Start with p=none + rua address and collect reports for at least 2 weeks.
Fix any legitimate senders failing authentication or alignment.
Move to p=quarantine; pct=10 and gradually increase the percentage.
Once reports are clean, switch to p=reject.

A strong DMARC policy (especially p=reject) is also a prerequisite for BIMI, which allows your brand logo to appear next to your emails.

For a complete setup guide including SPF and DKIM, see the Email Authentication Guide.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It builds on SPF and DKIM by adding two critical capabilities:

Alignment. It checks whether the domain in the visible From: header matches the authenticated SPF and DKIM domains.

Policy & Reporting. It tells receiving servers what to do with messages that fail authentication (none, quarantine, or reject) and provides daily reports.

DMARC is widely considered essential for serious email senders, especially those sending marketing, newsletters, or high-volume transactional email.

DMARC DNS Record Syntax

The DMARC record is published as a DNS TXT record at _dmarc.your-domain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100; adkim=r; aspf=r; fo=1

p= — Policy: none, quarantine, or reject

rua= — Address for aggregate reports (daily XML summaries)

ruf= — Address for forensic (failure) reports

pct= — Percentage of messages to apply the policy to (useful for gradual rollout)

adkim= / aspf= — Alignment mode: r (relaxed) or s (strict)

Recommended DMARC Rollout Playbook

Start with p=none + rua address and collect reports for at least 2 weeks.

Fix any legitimate senders failing authentication or alignment.

Move to p=quarantine; pct=10 and gradually increase the percentage.

Once reports are clean, switch to p=reject.

A strong DMARC policy (especially p=reject) is also a prerequisite for BIMI, which allows your brand logo to appear next to your emails.

For a complete setup guide including SPF and DKIM, see the Email Authentication Guide.

What is DMARC?

DMARC DNS Record Syntax

Recommended DMARC Rollout Playbook

Related terms

What is DMARC?

DMARC DNS Record Syntax

Recommended DMARC Rollout Playbook

Related terms