Email Glossary

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy that builds on SPF and DKIM. It tells receiving servers what to do with emails that fail authentication and provides reporting on email activity.

How DMARC Works

DMARC checks two things:

  • Authentication - Does the email pass SPF or DKIM?
  • Alignment - Does the From domain match the SPF/DKIM domain?

If a message fails either check, meaning no SPF or DKIM result both passes and aligns with the From domain, DMARC tells the receiving server what action to take based on your policy: none (monitor), quarantine (spam folder), or reject (block).

DMARC also requests reports from receiving servers about emails using your domain.

DMARC Record Syntax

A DMARC record is a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Key tags:

  • p= - Policy: none, quarantine, or reject
  • rua= - Where to send aggregate reports
  • ruf= - Where to send forensic reports
  • pct= - Percentage of emails to apply policy to
  • sp= - Policy for subdomains

DMARC Policies Explained

p=none (Monitor mode): No action is taken on failing emails. Use this while setting up to collect data via reports.

p=quarantine (Spam mode): Failing emails go to the spam folder. A good intermediate step before reject.

p=reject (Block mode): Failing emails are rejected outright. Maximum protection, but it requires confidence in your setup.

Start with none, analyze reports, fix issues, then gradually move to quarantine and finally reject.

Reading DMARC Reports

Aggregate reports (RUA) are XML files sent daily by receiving servers. They show:

  • How many emails were sent from your domain
  • Which IPs sent them
  • SPF and DKIM pass/fail rates
  • What actions were taken

Use a DMARC reporting tool to parse these reports into actionable insights. Look for:

  • Unauthorized senders (potential spoofing)
  • Legitimate services failing authentication
  • Trends in pass/fail rates
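
An added example (not from the original page or any reporting tool): a minimal Python pass over an aggregate report that tallies DMARC pass/fail per source IP and splits failing sources into likely misaligned services and spoofing suspects. The sample report, its IPs and domains are constructed; the report is assumed to carry no XML namespace, and the split is a heuristic, not a verdict.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate format; IPs and domains are documentation values.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.mailer.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n, "unaligned_pass": set_of_domains}}."""
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("refusing report with DTD/entity declarations")  # reports are untrusted input
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "unaligned_pass": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results: DMARC passes if either one is "pass".
        ok = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                        rec.findtext("row/policy_evaluated/spf"))
        stats[ip]["pass" if ok else "fail"] += count
        if not ok:  # note domains that authenticated but did not align with the From domain
            for res in rec.iterfind("auth_results/*"):
                if res.findtext("result") == "pass":
                    stats[ip]["unaligned_pass"].add(res.findtext("domain"))
    return dict(stats)

def triage(stats):
    # Heuristic (assumption): a failing source that authenticated as another domain is probably
    # a legitimate service needing alignment; a failing source with no pass is a spoofing suspect.
    misaligned = sorted(ip for ip, s in stats.items() if s["fail"] and s["unaligned_pass"])
    suspects = sorted(ip for ip, s in stats.items() if s["fail"] and not s["unaligned_pass"])
    return misaligned, suspects

if __name__ == "__main__":
    print(triage(summarize(SAMPLE_REPORT)))
```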

Frequently Asked Questions

What DMARC policy should I start with?

Always start with p=none to monitor your email traffic without affecting delivery. Analyze the reports for 2-4 weeks, fix any authentication issues, then move to p=quarantine. Once you're confident, switch to p=reject for maximum protection.

What is DMARC alignment?

Alignment means the domain in the From header matches the domain used for SPF or DKIM authentication. Relaxed alignment allows subdomains to match; strict alignment requires exact matches. Relaxed is the default and recommended for most setups.

Do I need DMARC if I have SPF and DKIM?

Yes. SPF and DKIM authenticate emails, but without DMARC, receiving servers don't know what to do when authentication fails. DMARC provides the policy and gives you visibility into who's sending email as your domain.