DMARC Explained: No-Nonsense Guide

DMARC demystified: what it does, why you need it, and how to set it up properly.

Published: 2026-01-21 | Updated: 2026-01-21 | Read time: 7 min

Key Takeaways

What DMARC Actually Does

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is your domain's email security policy. It answers two questions:

1. What should email providers do when SPF or DKIM fails?
2. Who should receive reports about emails using my domain?

Without DMARC

Email providers see failed SPF/DKIM but don't know if you want them to:

With DMARC

You explicitly tell providers: "Here's my policy. Follow it." This is why domains without DMARC have lower deliverability—providers treat them as higher risk.

Understanding DMARC Policies

DMARC has three policy levels. Choose based on your confidence:

p=none (Monitor Mode)

```dns
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
```

What it does: Collect reports only—don't affect email delivery.

When to use:
  • First setting up DMARC
  • Learning who sends email as your domain
  • Not sure if your SPF/DKIM is complete

p=quarantine (Spam Folder)

```dns
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
```

What it does: Send failing emails to spam/junk.

When to use:
  • You've verified your email setup
  • Want protection without risking lost emails
  • Transitioning from p=none

p=reject (Maximum Protection)

```dns
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
```

What it does: Block failing emails completely—they never arrive.

When to use:

Anatomy of a DMARC Record

Let's break down a complete DMARC record:

```dns
v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com; adkim=s; aspf=s
```

Required Tags

| Tag | Value | Meaning |
|-----|-------|---------|
| v | DMARC1 | Version (always DMARC1) |
| p | none/quarantine/reject | Policy for your domain |

Optional Tags

| Tag | Example | Meaning |
|-----|---------|---------|
| sp | reject | Policy for subdomains |
| pct | 100 | Percentage of emails to apply policy to |
| rua | mailto:dmarc@example.com | Where to send aggregate reports |
| ruf | mailto:forensics@example.com | Where to send forensic reports |
| adkim | s (strict) or r (relaxed) | DKIM alignment mode |
| aspf | s (strict) or r (relaxed) | SPF alignment mode |

Recommended Starting Record

```dns
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
```

Start with monitoring, then increase enforcement after reviewing reports.

How to Set Up DMARC

Step 1: Create a Reporting Email

Create an email address for DMARC reports: Or use a DMARC reporting service for easier analysis.

Step 2: Add the DNS Record

In your DNS provider:

| Field | Value |
|-------|-------|
| Type | TXT |
| Name/Host | _dmarc |
| Value | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
| TTL | 3600 |

Step 3: Wait and Collect Data

Step 4: Increase Enforcement

Once you've verified your setup:

1. Move to p=quarantine with pct=10 (10% of emails)
2. Monitor for issues
3. Gradually increase pct to 100
4. Finally, move to p=reject

Reading DMARC Reports

DMARC aggregate reports (RUA) are XML files sent daily by email providers. They show:

What's in a Report

Sample Report Data (Simplified)

| Source IP | Count | SPF | DKIM | Disposition |
|-----------|-------|-----|------|-------------|
| 209.85.220.41 | 150 | pass | pass | none |
| 104.47.55.36 | 45 | pass | pass | none |
| 185.70.41.35 | 12 | fail | fail | reject |

What to Look For

✅ Legitimate sources with pass/pass
⚠️ Legitimate sources with failures (fix your config)
🚨 Unknown sources sending as you (potential spoofing)

Making Reports Readable

Raw XML is hard to read. Options:

1. Use a DMARC reporting service (Postmark, dmarcian, Valimail)
2. Parse with open-source tools
3. Forward to a dedicated analysis email
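To show what parsing a report involves, here is an added example (not from the original guide) that reads an aggregate report and sorts each source IP into the three categories under "What to Look For". The XML is constructed from the sample table above plus one hypothetical known sender, 192.0.2.10, with a DKIM failure; the `KNOWN_SENDERS` inventory and the bucket names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample rows: (source_ip, count, spf, dkim, disposition)
ROWS = [
    ("209.85.220.41", 150, "pass", "pass", "none"),
    ("104.47.55.36", 45, "pass", "pass", "none"),
    ("185.70.41.35", 12, "fail", "fail", "reject"),
    ("192.0.2.10", 30, "pass", "fail", "none"),  # hypothetical known sender
]
# Element names follow the aggregate report layout defined in RFC 7489.
SAMPLE_XML = "<feedback>" + "".join(
    f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
    f"<policy_evaluated><disposition>{disp}</disposition>"
    f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>"
    for ip, n, spf, dkim, disp in ROWS
) + "</feedback>"

# Assumption: you keep your own inventory of IPs that send mail for you.
KNOWN_SENDERS = {"209.85.220.41", "104.47.55.36", "192.0.2.10"}


def triage(report_xml, known_senders):
    """Sum message counts per source IP into ok / fix_config / unknown_source."""
    buckets = {name: defaultdict(int)
               for name in ("ok", "fix_config", "unknown_source")}
    root = ET.fromstring(report_xml)
    for row in root.iter("row"):
        ip = (row.findtext("source_ip") or "").strip()
        count = int((row.findtext("count") or "0").strip())
        # A missing result is treated as a failure, never as a pass.
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip()
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip()
        if ip not in known_senders:
            bucket = "unknown_source"   # review: possible spoofing
        elif spf == "pass" and dkim == "pass":
            bucket = "ok"
        else:
            bucket = "fix_config"       # your own sender is failing
        buckets[bucket][ip] += count
    return {name: dict(ips) for name, ips in buckets.items()}
```

Reports arrive from outside parties, so in production parse them with a hardened XML parser such as `defusedxml` instead of the standard-library one used here.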

Understanding DMARC Alignment

DMARC doesn't just check if SPF/DKIM pass—it checks alignment. This is where many setups fail.

What is Alignment?

Alignment means the domain in your email's "From" header matches the domain that passed SPF or DKIM.

SPF Alignment

The domain in your From: header must match the MAIL FROM (envelope sender) domain.

| From Header | Envelope Sender | Aligned? |
|-------------|-----------------|----------|
| user@example.com | user@example.com | ✅ Yes |
| user@example.com | bounce@mail.example.com | ✅ Yes (relaxed) |
| user@example.com | user@sendgrid.net | ❌ No |

DKIM Alignment

The domain in your From: header must match the d= domain in the DKIM signature.

| From Header | DKIM d= | Aligned? |
|-------------|---------|----------|
| user@example.com | d=example.com | ✅ Yes |
| user@example.com | d=mail.example.com | ✅ Yes (relaxed) |
| user@example.com | d=sendgrid.net | ❌ No |

Strict vs Relaxed

Recommendation: Start with relaxed alignment until you've verified your setup.
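The alignment rules from the tables above, written out as an added example that is not part of the original guide. It assumes a simplified organizational domain (the last two labels); real receivers use the Public Suffix List, and `forwarder.example` in the test data is a hypothetical domain.

```python
def domain_of(address):
    """Return the lowercase domain of an address, or of a bare domain."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain):
    """Naive organizational domain: the last two labels.

    Assumption: this is wrong for suffixes such as co.uk; production
    code should consult the Public Suffix List instead.
    """
    return ".".join(domain.split(".")[-2:])


def aligned(from_addr, auth_domain, mode="r"):
    """Strict ('s') needs an exact match; relaxed ('r') accepts any
    domain sharing the From: header's organizational domain."""
    from_dom = domain_of(from_addr)
    auth_dom = domain_of(auth_domain)
    if mode == "s":
        return from_dom == auth_dom
    if mode == "r":
        return org_domain(from_dom) == org_domain(auth_dom)
    raise ValueError("mode must be 'r' or 's'")


def dmarc_pass(from_addr, spf_result, mail_from, dkim_result, dkim_d,
               aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes AND aligns with From:."""
    spf_ok = spf_result == "pass" and aligned(from_addr, mail_from, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_addr, dkim_d, adkim)
    return spf_ok or dkim_ok
```

A message where SPF and DKIM both pass for `sendgrid.net` still fails DMARC for `example.com`, while a forwarded message with broken SPF passes as long as the aligned DKIM signature survives.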

Common DMARC Issues

1. Third-Party Services Failing Alignment

Problem: SendGrid sends email for you, but DKIM signs with d=sendgrid.net. Fix: Configure custom DKIM signing in SendGrid using your domain.

2. Forwarded Emails Failing

Problem: When someone forwards your email, SPF fails (different server). Fix: Ensure DKIM is properly configured—it survives forwarding. Use aspf=r (relaxed).

3. Starting with p=reject Too Soon

Problem: Legitimate emails get blocked because SPF/DKIM isn't complete. Fix: Always start with p=none, review reports, then gradually increase.

4. Forgetting Subdomains

Problem: mail.yourdomain.com has no DMARC and gets spoofed. Fix: Add sp=reject to block subdomain spoofing, or set up DMARC on each subdomain.

5. Not Monitoring Reports

Problem: You set p=reject but aren't watching reports—legitimate email fails silently. Fix: Always have rua= set and regularly review reports.

DMARC FAQ

How long until DMARC takes effect?

Once the DNS record propagates (typically 1-48 hours), providers start applying your policy.

Can I have DMARC without SPF or DKIM?

Technically yes, but it's pointless. DMARC requires at least one (SPF or DKIM) to pass and align.

Will DMARC stop all spam?

No. DMARC prevents spoofing of YOUR domain. It doesn't stop spam from other domains.

What's the difference between rua and ruf?

Should I use a DMARC monitoring service?

For anything beyond basic use, yes. They parse reports into dashboards and alert you to issues.