Glossary · Email deliverability
    Updated May 13, 2026

    What is DMARC?

    DMARC is a DNS-published email authentication policy that instructs receiving mail servers to reject, quarantine, or allow messages that fail SPF and DKIM alignment.

    DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a DNS record that tells receiving mail servers — Gmail, Outlook, Yahoo, and every other major provider — what to do when an inbound message claims to be from your domain but fails authentication checks.

    Without DMARC, an attacker can send an email that appears in the recipient's inbox as coming from your domain. With DMARC at enforcement (p=reject), those messages are dropped before they land. With DMARC at monitoring (p=none), you receive aggregate reports showing who is sending on behalf of your domain — which is the essential first step before enforcement.

    How DMARC works

    DMARC builds on top of two existing mechanisms: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). For a message to pass DMARC, it must pass at least one of these and the authenticated domain must align with the From: header domain.

    SPF alignment means the domain in the Return-Path (the envelope sender) matches the From: header domain. DKIM alignment means the d= tag in the DKIM signature matches the From: header domain. DMARC checks both and passes if either aligns.

    When a message fails DMARC, the receiving server consults the p= (policy) tag in your DNS record: p=none means monitor only, p=quarantine means deliver to spam, p=reject means drop the message entirely.

    DMARC record structure

    A DMARC record is a TXT record published at _dmarc.yourdomain.com. A minimal monitoring record looks like: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. The rua tag specifies where aggregate XML reports are sent — usually a DMARC report aggregator service.

    A full enforcement record adds the subdomain policy and failure report address: v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-agg@yourdomain.com; ruf=mailto:dmarc-fail@yourdomain.com. The sp= tag applies the same policy to all subdomains, preventing attackers from spoofing mail@alerts.yourdomain.com when only yourdomain.com has DMARC.

    Moving from p=none to p=reject

    Starting at p=none lets you collect aggregate reports without risk. The reports identify every mail stream sending on behalf of your domain — your ESP, your CRM, your transactional mailer, your support desk. Before you move to enforcement you need all legitimate streams to pass SPF or DKIM alignment. Missing one means real email gets dropped.

    The typical migration path is p=none for 30–90 days to enumerate senders, then p=quarantine at pct=10 (10% of failing messages) stepping to pct=100, then p=reject. Google and Yahoo's 2024 bulk sender requirements mandate at least p=none for any domain sending more than 5,000 messages per day.

    Frequently asked questions

    01 Does DMARC stop all email spoofing?

    DMARC stops spoofing of the exact From: header domain when it is at p=reject. It does not stop lookalike domain attacks (your-company-support.com vs yourcompany.com), cousin domains, or display-name spoofing where the From: address is changed but the displayed name is yours.

    02 What is the difference between DMARC p=quarantine and p=reject?

    p=quarantine instructs the receiving server to deliver the message to the spam folder. p=reject instructs it to refuse the message at the SMTP layer — it never reaches any folder. For anti-phishing protection, p=reject is the goal; p=quarantine is a stepping-stone used during migration to catch configuration mistakes before they cause lost mail.

    03 Does DMARC affect email deliverability?

    A DMARC record at p=none has no deliverability impact — it is monitoring-only. Moving to p=quarantine or p=reject can initially hurt deliverability if any legitimate mail stream is not properly authenticated. Once all senders pass SPF or DKIM alignment, DMARC at enforcement typically improves deliverability because it signals to mailbox providers that your domain is well-governed.

    04 How do I check my DMARC record?

    Query the TXT record at _dmarc.yourdomain.com — for example, dig TXT _dmarc.yourdomain.com +short or nslookup -type=TXT _dmarc.yourdomain.com. The returned record shows your policy (p=none, quarantine, or reject), alignment modes (aspf, adkim), and the reporting addresses (rua, ruf). Any DMARC parser will then break down whether the syntax is valid and whether your alignment settings match your sending streams.
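
    The kind of check such a parser performs can be sketched as follows. This is an added example, not code from this page or from any particular tool: the function names parse_dmarc and audit are hypothetical, the first two sample records are the ones quoted above, and the third is constructed.

```python
RANK = {"none": 0, "quarantine": 1, "reject": 2}  # policy strength, weakest first

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError on bad syntax."""
    tags = {}
    for i, part in enumerate(p.strip() for p in txt.split(";") if p.strip()):
        name, sep, value = (s.strip() for s in part.partition("="))
        if not (name and sep and value):
            raise ValueError(f"malformed tag: {part!r}")
        name = name.lower()
        if i == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must begin with v=DMARC1")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    for key, default in (("p", ""), ("sp", "none")):  # p= is required, sp= optional
        if tags.get(key, default).lower() not in RANK:
            raise ValueError(f"missing or invalid {key}= value")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        raise ValueError(f"invalid pct= value: {pct!r}")
    return tags

def audit(tags):
    """Return findings for settings that leave the domain short of full enforcement."""
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # RFC 7489: sp= defaults to p= when absent
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if RANK[sp] < RANK[p]:
        findings.append(f"sp={sp}: subdomains get a weaker policy than p={p}")
    if p != "none" and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports will be received")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{key}: {uri!r} is not a mailto: URI")
    return findings

# First two records are quoted on this page; the third is constructed for illustration.
SAMPLES = ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
           "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-agg@yourdomain.com; ruf=mailto:dmarc-fail@yourdomain.com",
           "v=DMARC1; p=quarantine; sp=none; pct=10"]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", audit(parse_dmarc(rec)) or "no findings")
```

    Feed it the string returned by the dig or nslookup query above; an empty findings list means the record is syntactically valid and at full enforcement, not that every sending stream is aligned.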
