DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an open email authentication protocol, specified in RFC 7489, that lets domain owners protect their domain from unauthorized use in the visible From address of email, commonly known as email spoofing.
Email spoofing is one of the most common tactics in phishing attacks. Without DMARC, anyone can send an email whose From header appears to come from your domain, deceiving customers, employees, and partners. DMARC addresses this by building on two existing authentication standards, SPF and DKIM, and adding a critical layer: a published policy that tells receiving mail servers what to do when a message fails authentication for your domain.
Published as a DNS TXT record at _dmarc.yourdomain.com, a DMARC record gives you control over how your domain is used in the From header of email and provides visibility through aggregate and forensic (failure) reports sent back by receivers.
How DMARC Works
DMARC does not work alone. It relies on two underlying protocols — SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — and introduces a concept called alignment to tie everything together.
1. SPF Check
SPF verifies that the connecting server's IP address is authorized to send mail for the envelope sender domain (the RFC5321.MailFrom, visible in the Return-Path header, or the HELO name when MailFrom is empty). The receiving server looks up that domain's SPF record in DNS and checks whether the sending IP is listed. DMARC then checks whether that envelope sender domain aligns with the domain in the email's visible "From" header. Note that SPF on its own never looks at the "From" header, which is why it does not stop spoofing by itself.
2. DKIM Check
DKIM attaches a cryptographic signature to outgoing emails, naming the signing domain in the signature's d= tag and the key in its s= (selector) tag. The receiving server retrieves the public key from DNS at selector._domainkey.signing-domain and verifies the signature, confirming that the signed headers and body were not altered in transit and that the signer controls that domain's DNS. DMARC then verifies that the DKIM signing domain (d=) aligns with the "From" domain. Because the signature travels with the message, DKIM usually survives forwarding where SPF does not.
3. Alignment
Alignment is the key innovation of DMARC. For a message to pass DMARC, either SPF or DKIM must not only pass its own check, but the domain it authenticated must also match (align with) the domain shown in the visible "From" header. This prevents attackers from passing SPF or DKIM for their own domain while forging your domain in the "From" field. Alignment comes in two modes, set by the aspf= and adkim= tags: relaxed (the default, r), where the authenticated domain and the From domain only need to share the same organizational domain (mail.example.com aligns with example.com), and strict (s), where they must match exactly.
4. Policy Application
If neither SPF nor DKIM passes with alignment, the receiving server applies the policy specified in your DMARC record: the p= tag for the domain itself and, if present, the sp= tag for its subdomains. This determines whether the email is delivered normally, quarantined, or rejected outright. If either mechanism passes with alignment, the message passes DMARC and the policy is not applied.
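The four steps above, worked through as code. This is an added example written for this page, not code from SimpleDMARC or from any mail server: it takes the raw SPF and DKIM results a receiver would already have, applies relaxed or strict alignment against the From domain, and picks the disposition from the published p=/sp= tags. The organizational-domain lookup is deliberately simplified to "last two labels" (real implementations consult the Public Suffix List); the scenario data (example.com, bounces.esp.example, attacker.example) is constructed.

```python
"""Added example: how a receiver derives a DMARC verdict from SPF/DKIM results.

Assumption: org_domain() keeps the last two DNS labels. Production code must
use the Public Suffix List so that names under co.uk-style suffixes work.
"""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels; see note above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed,
    the DMARC default) needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str       # domain of the visible RFC5322.From header
    spf_result: str        # "pass" / "fail" / "none" ... as reported by SPF
    spf_domain: str        # RFC5321.MailFrom (Return-Path) domain SPF checked
    dkim_results: list     # [(result, d= signing domain), ...] per signature


def dmarc_evaluate(res: AuthResults, record: dict) -> dict:
    """record is the parsed tag dict of the From domain's DMARC TXT record."""
    spf_aligned = res.spf_result == "pass" and aligned(
        res.spf_domain, res.from_domain, record.get("aspf", "r"))
    dkim_aligned = any(
        r == "pass" and aligned(d, res.from_domain, record.get("adkim", "r"))
        for r, d in res.dkim_results)
    passed = spf_aligned or dkim_aligned

    # Policy selection: sp= governs subdomains of the organizational domain
    # when present; otherwise p= applies to everything.
    policy = record.get("p", "none")
    if res.from_domain.lower() != org_domain(res.from_domain) and "sp" in record:
        policy = record["sp"]

    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed record and scenarios (not real traffic).
RECORD = {"v": "DMARC1", "p": "reject", "sp": "quarantine", "adkim": "r", "aspf": "r"}

SCENARIOS = {
    # ESP sends on your behalf: its own bounce domain passes SPF (unaligned),
    # but it signs with your DKIM key, so DMARC passes via DKIM.
    "esp_dkim_only": AuthResults("example.com", "pass", "bounces.esp.example",
                                 [("pass", "example.com")]),
    # Forwarded mail: SPF breaks (forwarder's IP), the DKIM signature survives.
    "forwarded": AuthResults("example.com", "fail", "example.com",
                             [("pass", "example.com")]),
    # Spoof: attacker passes SPF and DKIM, but only for *their* domain.
    "spoof": AuthResults("example.com", "pass", "attacker.example",
                         [("pass", "attacker.example")]),
    # Unauthenticated mail from a subdomain: sp= is used instead of p=.
    "subdomain_unauth": AuthResults("news.example.com", "none", "", []),
}


def run_all() -> dict:
    return {name: dmarc_evaluate(res, RECORD) for name, res in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:18} {verdict}")
```

The "spoof" scenario is the case alignment exists for: both SPF and DKIM report pass, yet the message fails DMARC and is rejected because neither authenticated domain is example.com. Flip adkim to "s" and the "forwarded" case with a d=mail.example.com signature would fail, which is why strict alignment is rarely the first setting to reach for.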
The Three DMARC Policies
The p= tag in your DMARC record defines the enforcement policy you are asking receivers to apply. There are three values, offering increasing levels of protection:
p=none
Monitor only. No action is taken on failing emails, but receivers still send you reports. This is the starting point for collecting data and understanding your email ecosystem before enforcing restrictions.
p=quarantine
Failing emails are treated as suspicious. You are asking receivers to deliver messages that fail authentication to the recipient's spam or junk folder (the exact handling is up to the receiver), reducing their visibility while letting you review potential false positives before they are blocked outright.
p=reject
Unauthorized emails are blocked. Emails that fail DMARC are rejected at delivery time and never reach the recipient. This is the strongest protection against spoofing of your exact domain at receivers that honor DMARC.
DMARC Reporting
One of DMARC's most powerful features is its reporting mechanism. DMARC generates two types of reports that provide visibility into how your domain is being used in email:
Aggregate Reports (RUA)
Sent by participating receivers once per reporting interval (normally 24 hours) to the address in the rua= tag, aggregate reports are XML documents, usually delivered as gzip or zip attachments. They provide a statistical overview of all email traffic using your domain: which IP addresses are sending email as your domain, how many messages passed or failed SPF, DKIM, and alignment, and which disposition was applied. They contain no message content. These reports are essential for identifying legitimate senders and detecting unauthorized use.
Forensic Reports (RUF)
Forensic (failure) reports, requested via the ruf= tag, provide near-real-time, message-level details about individual emails that fail DMARC authentication. They include headers and metadata from the failed message, allowing you to investigate specific spoofing attempts. Note that many mailbox providers, including most of the largest ones, do not send forensic reports because of privacy considerations, and those that do often redact them, so aggregate reports are the data source you can rely on.
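To make the aggregate report section concrete, here is an added example (written for this page, not SimpleDMARC's parser or any receiver's code) that unwraps a gzip or zip attachment, parses the RFC 7489 aggregate XML, and buckets sending sources the way you would during a rollout: sources that never pass, and sources that pass by only one mechanism. SAMPLE_RUA is a constructed report; the receiver name, IPs, and domains in it are placeholders.

```python
"""Added example: open and summarize a DMARC aggregate (RUA) report.

SAMPLE_RUA is a constructed report in the RFC 7489 Appendix C layout, not
output from any real receiver. Three sources are modelled: our own servers,
an ESP that signs with our DKIM key but uses its own bounce domain, and a
spoofer whose SPF passes only for the attacker's MailFrom domain.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>quarantine</p><sp>quarantine</sp><pct>100</pct></policy_published>
 <record>
  <row><source_ip>198.51.100.10</source_ip><count>1200</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record>
  <row><source_ip>192.0.2.25</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>esp</selector><result>pass</result></dkim>
   <spf><domain>bounces.esp.example</domain><result>pass</result></spf></auth_results></record>
 <record>
  <row><source_ip>203.0.113.7</source_ip><count>45</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results></record>
</feedback>
"""


def load_report(data: bytes) -> str:
    """Unwrap a report attachment: gzip (1f 8b), zip (PK), or raw XML."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data).decode("utf-8")
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode("utf-8")
    return data.decode("utf-8")


def _text(el, path, default=""):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarize_rua(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    published = {t: _text(root, f"policy_published/{t}") for t in ("domain", "p", "sp", "pct")}
    sources = defaultdict(lambda: {"total": 0, "passed": 0, "spf_aligned": 0, "dkim_aligned": 0,
                                   "spf_domains": set(), "dkim_domains": set(), "dispositions": set()})
    for rec in root.findall("record"):
        s = sources[_text(rec, "row/source_ip")]
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated/{dkim,spf} are the *aligned* results; the raw results
        # (which may pass for some unrelated domain) live under auth_results.
        dkim_ok = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_ok = _text(rec, "row/policy_evaluated/spf") == "pass"
        s["total"] += count
        s["passed"] += count if (dkim_ok or spf_ok) else 0
        s["dkim_aligned"] += count if dkim_ok else 0
        s["spf_aligned"] += count if spf_ok else 0
        s["dispositions"].add(_text(rec, "row/policy_evaluated/disposition"))
        s["spf_domains"].update(_text(a, "domain") for a in rec.findall("auth_results/spf"))
        s["dkim_domains"].update(_text(a, "domain") for a in rec.findall("auth_results/dkim"))
    # Triage buckets: sources that never pass are unauthorized (or legitimate
    # senders not yet set up); sources passing by one mechanism only have an
    # alignment gap worth closing before moving to p=reject.
    unauthorized = sorted(ip for ip, s in sources.items() if s["passed"] == 0)
    single_mechanism = sorted(ip for ip, s in sources.items()
                              if s["passed"] and (s["spf_aligned"] == 0 or s["dkim_aligned"] == 0))
    return {"published": published, "sources": dict(sources),
            "unauthorized": unauthorized, "single_mechanism": single_mechanism}


def demo() -> dict:
    """Round-trip the constructed report through gzip, as a real attachment arrives."""
    return summarize_rua(load_report(gzip.compress(SAMPLE_RUA.encode())))


if __name__ == "__main__":
    report = demo()
    print("published policy:", report["published"])
    for ip, s in sorted(report["sources"].items(), key=lambda kv: -kv[1]["total"]):
        print(f"{ip:15} total={s['total']:5} passed={s['passed']:5} "
              f"spf={sorted(s['spf_domains'])} dkim={sorted(s['dkim_domains'])}")
    print("unauthorized:", report["unauthorized"], "alignment gap:", report["single_mechanism"])
```

The point to notice in the output is 203.0.113.7: its auth_results show SPF "pass" for attacker.example, yet policy_evaluated records SPF "fail", because only the aligned result counts for DMARC. Reading the raw auth_results alone would make the spoofer look legitimate.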
Why DMARC Matters Now
DMARC adoption has become increasingly urgent. Since February 2024, Google and Yahoo have enforced new requirements for bulk email senders: domains sending more than 5,000 messages per day to their users must publish a valid DMARC record (p=none is enough to satisfy the requirement), authenticate with SPF and DKIM, and have the From domain align with one of them. Without this, emails may be throttled, sent to spam, or rejected outright.
Microsoft has since announced similar requirements for Outlook.com domains. The message from major mailbox providers is clear: DMARC is no longer optional for organizations that rely on email for communication, marketing, or transactional purposes.
Beyond compliance, DMARC protects your brand reputation. When attackers send phishing emails using your domain, it erodes trust with your customers and partners. DMARC enforcement ensures that, at receivers that honor the policy, only senders you have authorized can put your exact domain in the From header. It does not cover lookalike domains or display-name tricks, so it is one layer of anti-phishing defense rather than a complete one, but it closes the most direct impersonation route.
Getting Started with DMARC
Implementing DMARC is a journey that typically follows four phases:
- Publish a DMARC record with p=none — Start monitoring without affecting email delivery. Use our DMARC Generator to create your record.
- Analyze your reports — Review aggregate reports to identify all legitimate senders and fix SPF/DKIM alignment issues. SimpleDMARC converts raw XML reports into clear, actionable dashboards.
- Move to p=quarantine — Once you have identified and authorized all legitimate senders and their mail passes with alignment, tighten the policy. Unauthenticated mail is now flagged for the spam folder. The pct= tag lets you apply the stricter policy to only a percentage of failing mail at first and raise it as confidence grows.
- Enforce with p=reject — The final step. Emails that fail DMARC are blocked before reaching the recipient at receivers that honor the policy. Your domain is now protected from exact-domain spoofing. Keep reviewing aggregate reports afterwards: new senders and forgotten systems show up there first.
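The four phases as a small tool, added here as an example and not part of SimpleDMARC's DMARC Generator or checker: parse the TXT record you are about to publish, flag the syntax mistakes that most often leave a domain unprotected (v=DMARC1 not first, missing p=, pct out of range, non-mailto report URIs), and compute the next rollout step. The pct ramp (10, 50, 100) inside the quarantine phase is a common practice assumed here; the page itself describes only the three policies.

```python
"""Added example: validate a DMARC TXT record and step it through the rollout.

Assumption: the rollout ramps quarantine through pct=10 and pct=50 before
pct=100 and then moves to reject. The ramp values are a convention, not a
requirement of the standard.
"""

POLICIES = ("none", "quarantine", "reject")
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": ("r", "s"), "aspf": ("r", "s")}
RAMP = (10, 50, 100)


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict that keeps tag order.
    Unknown tags are kept (receivers ignore them); parts without '=' are
    collected under '_malformed' so the validator can report them."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            tags.setdefault("_malformed", []).append(part)
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc_record(txt: str) -> list:
    """Return a list of problems; an empty list means the record looks sound."""
    problems = []
    tags = parse_dmarc_record(txt)
    keys = [k for k in tags if k != "_malformed"]
    if not keys or keys[0] != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("p= tag is required")
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key].lower() not in allowed:
            problems.append(f"{key}={tags[key]} is not one of {'/'.join(allowed)}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct={tags['pct']} must be an integer 0-100")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{key} URI {uri!r} is not a mailto: URI")
    if "rua" not in tags:
        problems.append("warning: no rua= address, so no aggregate reports will arrive")
    for bad in tags.get("_malformed", []):
        problems.append(f"malformed tag {bad!r}")
    return problems


def next_rollout_step(txt: str) -> str:
    """none -> quarantine (pct ramp) -> reject; a reject record is returned unchanged."""
    tags = parse_dmarc_record(txt)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        tags["p"], tags["pct"] = "quarantine", str(RAMP[0])
    elif policy == "quarantine" and pct < 100:
        tags["pct"] = str(next(v for v in RAMP if v > pct))
    elif policy == "quarantine":
        tags["p"] = "reject"
        tags.pop("pct", None)
    return "; ".join(f"{k}={v}" for k, v in tags.items() if k != "_malformed")


if __name__ == "__main__":
    # Constructed records; the reporting address is a placeholder.
    record = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    print("problems:", validate_dmarc_record(record) or "none")
    for _ in range(4):
        record = next_rollout_step(record)
        print(record)
    print("bad record:", validate_dmarc_record("p=reject; pct=150; rua=https://example.com/r"))
```

Run the validator against what dig TXT _dmarc.yourdomain.com returns before each step; a record that fails the v=DMARC1 check is simply not a DMARC record to receivers, which is the same as having none.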