What is DMARC?
DMARC is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify how email receivers should handle messages that fail authentication checks, and provides reporting to help you monitor your domain’s email authentication status.Prevents Spoofing
Protects your domain from being used in phishing attacks
Improves Deliverability
Email providers trust authenticated messages more
Visibility & Reporting
Get reports on who is sending email using your domain
Industry Standard
Required by major email providers for best delivery
Setup Guide
1
Add DMARC Record
Start with a monitoring-only policy (
p=none) to collect data without affecting email delivery:| Field | Value |
|---|---|
| Type | TXT |
| Name/Host | _dmarc |
| Value | v=DMARC1; p=none; rua=mailto:[email protected] |
| TTL | 3600 (or Auto) |
2
Test Email Delivery
After adding your DMARC record, send test emails and verify they are being delivered successfully. Monitor the DMARC reports you receive to ensure all legitimate email sources pass authentication.
Verify with dig command:
Terminal
Expected output:
Response
Wait 1-2 weeks with
p=none to collect reports and ensure all your legitimate email sources (marketing tools, transactional emails, etc.) pass DMARC.3
Upgrade DMARC Policy
Once you’ve confirmed all legitimate email passes DMARC, gradually upgrade your policy for stronger protection:
p=none
Monitor OnlyNo action taken on failed emails. Receive reports only. Start here.
p=quarantine
QuarantineFailed emails are sent to spam/junk folder. Good intermediate step.
p=reject
RejectFailed emails are blocked entirely. Maximum protection against spoofing.
Recommended final DMARC record:
DNS TXT Record
DMARC Parameters Reference
Here are all the available DMARC parameters you can use:| Parameter | Description | Example |
|---|---|---|
v | Version (required) | v=DMARC1 |
p | Policy for your domain (required) | p=reject |
sp | Policy for subdomains | sp=quarantine |
pct | Percentage of emails to apply policy (0-100) | pct=100 |
rua | Email for aggregate reports | rua=mailto:[email protected] |
ruf | Email for forensic/failure reports | ruf=mailto:[email protected] |
adkim | DKIM alignment mode (r=relaxed, s=strict) | adkim=r |
aspf | SPF alignment mode (r=relaxed, s=strict) | aspf=r |
Common Issues
DMARC failures after adding record
DMARC failures after adding record
Ensure both SPF and DKIM are correctly configured and passing. DMARC requires at least one of these to pass and align with your From domain.
Third-party services failing DMARC
Third-party services failing DMARC
If you use other email services (marketing tools, CRMs), ensure they’re authorized in your SPF record and use your domain’s DKIM signing.
Not receiving DMARC reports
Not receiving DMARC reports
Reports are sent daily by email providers. Ensure the
rua email address is valid and can receive emails. Consider using a DMARC analysis service for easier reporting.What’s Next?
Domain Verification
Set up SPF and DKIM for your sending domain
Deliverability Guide
Best practices for improving inbox placement
Useful Resources
- DMARC.org - Official DMARC specification
- MXToolbox DMARC Checker - Validate your DMARC record
- Learn DMARC - Interactive DMARC learning tool