AI QA Monkey

What Is DMARC? Email Authentication Explained

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that protects your domain from being used in email spoofing, phishing, and Business Email Compromise (BEC) attacks. It builds on two existing protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), by tying their results to the From: header the recipient actually sees, adding a policy layer that tells receiving mail servers what to do when neither check passes for an aligned domain, and adding a reporting channel back to the domain owner.

Without an enforced DMARC policy, anyone can send email that carries your domain in the From: header, and receivers have no instruction from you to treat it as forged. This is email spoofing, and it is the foundation of phishing and BEC attacks that cost businesses $2.7 billion annually according to the FBI's Internet Crime Report.

How DMARC Works

When a receiving mail server gets an email whose From: header claims your domain, it performs these checks:

  1. SPF check: Is the connecting server authorized by the SPF record of the envelope sender (RFC5321.MailFrom) domain?
  2. DKIM check: Does the email carry a DKIM signature that verifies against the public key published by the signing domain (the d= tag)?
  3. Alignment check: Does the domain that passed SPF or DKIM match the From: header domain, either exactly (strict) or by organizational domain (relaxed)?
  4. DMARC policy: If neither SPF nor DKIM passes with an aligned domain, what should happen? (none / quarantine / reject)

A message needs only one aligned pass, and aggregate reports are generated whatever the policy; p= only decides what the receiver does with failing mail.

# DMARC decision flow:
Email arrives with a From: header claiming yourdomain.com
  ├── SPF pass + aligned? → DMARC pass ✅
  ├── DKIM pass + aligned? → DMARC pass ✅
  └── Neither passes with alignment?
       ├── p=none       → Deliver anyway (reports still sent)
       ├── p=quarantine → Treat as suspicious, typically the spam/junk folder
       └── p=reject     → Reject the message outright

DMARC Record Syntax

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Tags are separated by semicolons; v= must come first and p= is required, every other tag is optional:

# Basic DMARC record
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

# Components:
# v=DMARC1  — Version (required, must be first)
# p=        — Policy for your domain: none, quarantine, or reject (required)
# rua=      — mailto: address(es) for aggregate reports (XML summaries, sent daily by default)
# ruf=      — mailto: address(es) for failure ("forensic") reports on individual messages; most large receivers no longer send them
# pct=      — Percentage of failing mail the policy applies to (0-100, default 100); the remainder gets the next-weaker policy
# adkim=    — DKIM alignment mode: s=strict, r=relaxed (default)
# aspf=     — SPF alignment mode: s=strict, r=relaxed (default)
# sp=       — Policy for subdomains; when omitted, subdomains inherit p=

If rua= points at a mailbox in another domain (a reporting vendor, for instance), that domain must publish an authorization record, yourdomain.com._report._dmarc.vendor.example with the value v=DMARC1, or receivers will refuse to send your reports there.
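
An added example, not the page's or any vendor's code: a small Python parser and sanity checker for a DMARC record string of the kind dig returns. The syntax rules follow the tag list above; the "weak setting" warnings at the end (sp=none under an enforcing p=, p=reject with pct below 100) are this example's own heuristics.

```python
"""Parse a DMARC TXT record and flag syntax errors and weak settings.
Added example; the weak-setting heuristics are this example's own."""

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_MODES = {"r", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict.

    Tags are separated by ';' and tag names are case-insensitive.
    Values are kept as written so mailto: addresses are not mangled.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sound."""
    problems = []
    first = record.strip().split(";", 1)[0].strip()
    if first.lower() != "v=dmarc1":
        problems.append("v=DMARC1 must be the first tag")
    tags = parse_dmarc(record)

    policy = tags.get("p", "").lower()
    if not policy:
        problems.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        problems.append(f"invalid p= value: {policy}")

    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy not in VALID_POLICIES:
        problems.append(f"invalid sp= value: {sub_policy}")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct= must be an integer 0-100, got {pct}")

    for mode in ("adkim", "aspf"):
        if tags.get(mode, "r").lower() not in VALID_MODES:
            problems.append(f"{mode}= must be r or s, got {tags[mode]}")

    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{uri_tag}= entry is not a mailto: URI: {uri}")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")

    # Valid but weak combinations a reviewer would flag before enforcement.
    if policy in ("quarantine", "reject") and sub_policy == "none":
        problems.append("sp=none leaves subdomains unenforced while the root domain is enforced")
    if policy == "reject" and pct.isdigit() and int(pct) < 100:
        problems.append(f"p=reject with pct={pct}: only that share of failing mail is rejected")
    return problems
```

Feed it the quoted string from dig TXT _dmarc.yourdomain.com; an empty list means the record is well formed and carries no obviously weak combination.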

DMARC Policy Options

p=none (Monitor Only)

No enforcement: mail is delivered regardless of the DMARC result. Aggregate reports are still generated (rua= is independent of p=), which is what lets you see who is sending email as your domain. Start here.

p=quarantine (Spam Folder)

Mail that fails DMARC is treated as suspicious, which in practice means the recipient's spam/junk folder. Spoofed mail is kept out of the inbox, while legitimate mail from a misconfigured sender is still recoverable rather than lost.

p=reject (Full Enforcement)

Mail that fails DMARC is rejected outright and never reaches the recipient. This is the goal: it gives the strongest protection against spoofing of your domain.

Rollout Strategy

For a domain that sends mail, never start with p=reject. Begin with p=none and read the aggregate reports for 2-4 weeks to identify every legitimate email source, fixing SPF and DKIM for each one. Move to p=quarantine for 2 weeks, optionally ramping pct= from a low value up to 100. Only set p=reject when you are confident all legitimate senders pass with an aligned domain. Domains that never send mail are the exception: they can go straight to p=reject.

DMARC vs SPF vs DKIM

  • SPF answers: "Is this server allowed to send email for the envelope sender domain?"
  • DKIM answers: "Did the domain in the d= tag sign this message, and have the signed headers and body survived unchanged?"
  • DMARC answers: "Does the domain that passed SPF or DKIM match the From: header the user sees, and what should happen when it does not?"

All three work together. SPF and DKIM provide the authentication mechanisms; DMARC ties them to the visible From: address and provides the policy and reporting layer. SPF or DKIM alone can pass for a message whose From: header is forged, because neither of them checks that header.

Reading DMARC Reports

DMARC aggregate reports (rua) are XML files, usually zipped and attached to an email, that receiving mail servers send once a day by default. Each report covers one receiver's view of one of your domains and shows:

  • Which IP addresses sent email with your domain in the From: header
  • Whether mail from each source passed or failed SPF and DKIM, and whether the passing domain was aligned
  • The volume of emails from each source
  • The disposition the receiver applied (none, quarantine or reject)

Reading raw XML does not scale, so most teams feed the reports into a parser or dashboard such as Postmark's free DMARC digest, DMARC Analyzer, or similar services. Google Postmaster Tools is a useful companion for Gmail traffic, but it reports authentication rates rather than ingesting your rua reports.
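
To show what is actually inside one of these files, here is an added example (not the page's or any vendor's code) that parses a constructed aggregate report in the RFC 7489 Appendix C layout with RFC 5737 addresses and sorts each source into the three buckets that drive a rollout decision: aligned pass, authenticated-but-unaligned (a third-party sender to onboard), and unauthenticated (the usual signature of spoofing).

```python
"""Parse a DMARC aggregate (rua) report and classify each sending source.
Added example, not the page's code. SAMPLE_REPORT is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <!-- Your own mail server: SPF and DKIM pass for yourdomain.com -->
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- An ESP: SPF passes for its own bounce domain only, so nothing is aligned -->
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- Unknown host with no authentication at all: likely spoofing -->
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip><count>400</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(row: dict) -> str:
    """pass: an aligned SPF or DKIM pass. unaligned: SPF/DKIM passed for some
    other domain (a third-party sender to onboard or a subdomain to fix).
    unauthenticated: nothing passed, the usual signature of spoofing."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "pass"
    if any(result == "pass" for _, result in row["raw_spf"] + row["raw_dkim"]):
        return "unaligned"
    return "unauthenticated"


def parse_aggregate_report(xml_text: str) -> dict:
    """Reduce one report to the fields that drive rollout decisions.
    Reports arrive from the internet, so parse them with defusedxml in production."""
    root = ET.fromstring(xml_text)
    report = {
        "receiver": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        row_el, evaluated = rec.find("row"), rec.find("row/policy_evaluated")
        row = {
            "ip": row_el.findtext("source_ip"),
            "count": int(row_el.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "raw_spf": [(e.findtext("domain"), e.findtext("result")) for e in rec.findall("auth_results/spf")],
            "raw_dkim": [(e.findtext("domain"), e.findtext("result")) for e in rec.findall("auth_results/dkim")],
        }
        row["category"] = classify(row)
        report["rows"].append(row)
    return report


def summarize(report: dict) -> dict:
    """Message counts per category: the numbers to watch before tightening p=."""
    totals = Counter()
    for row in report["rows"]:
        totals[row["category"]] += row["count"]
    return dict(totals)
```

The second record is the pattern to look for during the p=none phase: the ESP is authenticated, but for its own domain, so under p=quarantine those 35 messages would be junked. The fix is DKIM signing with your domain or a custom return-path on your subdomain, not a policy change.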

Setting Up DMARC

For complete step-by-step setup instructions with DNS configurations for Google Workspace, Microsoft 365, and custom mail servers, see our SPF, DKIM & DMARC Setup Guide.

Common DMARC implementation mistakes

DMARC rollout failures typically follow a small number of predictable patterns. Understanding these in advance prevents weeks of troubleshooting and accidental email delivery failures.

  • Moving too fast to p=reject: Organizations that jump directly to p=reject without a p=none monitoring phase block legitimate email. Marketing platforms (Mailchimp, HubSpot, Salesforce Marketing Cloud), transactional senders (SendGrid, Mailgun, Postmark), and HR systems all send email on behalf of your domain and must pass SPF or DKIM with an aligned domain before enforcement. The common trap is a platform that passes SPF only for its own bounce domain: that is not aligned, so it needs DKIM signing with your domain, or a custom return-path on a subdomain of yours.
  • Forgetting subdomains: If a subdomain has no DMARC record of its own, receivers fall back to the organizational domain's record and apply sp= if present, otherwise p=. Subdomains are therefore enforced along with the root domain unless you weaken them with sp=none or a separate p=none record, which is what typically leaves something like notifications.yourdomain.com spoofable. Inventory the subdomains that send mail before moving to reject, and keep sp= at least as strict as p=.
  • SPF over 10 DNS lookup limit: SPF allows at most 10 DNS-querying terms (include, a, mx, ptr, exists and redirect) per evaluation. Exceeding the limit yields a permerror, which DMARC treats as an SPF failure, so any sender that relies on SPF alone then fails DMARC. Use SPF flattening or macro-based SPF to stay within the limit when using multiple sending platforms, and make sure the high-volume senders also DKIM-sign so a single SPF problem cannot take them down.
  • Not monitoring rua reports: Setting p=none without reading the aggregate reports provides no benefit. The reports show unauthorized senders and authentication failures; without reading them, the monitoring phase produces no actionable intelligence.
  • DKIM key too short: 1024-bit DKIM keys are considered weak. Use 2048-bit keys (RFC 8301 requires signers to use at least 1024 bits and recommends 2048). Some providers default to 1024-bit; check the key length in the DNS TXT record at selector._domainkey.yourdomain.com. A 2048-bit public key is longer than a single 255-character TXT string, so it has to be published as several quoted strings within one record.
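
The lookup limit is easy to blow through a chain of includes you never see. As an added example (not the page's or any provider's code), the Python below walks a constructed zone of SPF records, using example hostnames and RFC 5737/3849 addresses, and counts the DNS-querying terms the way RFC 7208 section 4.6.4 does, following include: and redirect= recursively. The unflattened record in ZONE lands at 12 lookups; ZONE_FLATTENED shows the same sender set brought back under the limit.

```python
"""Count the DNS lookups an SPF record costs, following includes and redirects.
Added example, not the page's code. ZONE is a constructed set of SPF records
standing in for real DNS answers."""

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one query
LIMIT = 10  # RFC 7208 section 4.6.4

ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.crm.example include:spf.esp.example "
                      "include:mail.hr.example mx a -all",
    "_spf.crm.example": "v=spf1 include:net1.crm.example include:net2.crm.example "
                        "include:net3.crm.example ~all",
    "net1.crm.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "net2.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "net3.crm.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.esp.example": "v=spf1 ip4:203.0.113.0/24 include:spf2.esp.example ~all",
    "spf2.esp.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "mail.hr.example": "v=spf1 redirect=_spf.hr.example",
    "_spf.hr.example": "v=spf1 a mx ~all",
}

# Same zone after flattening: the HR system's hosts and the root domain's own
# mx/a terms replaced by one explicit address (constructed).
ZONE_FLATTENED = {**ZONE, "yourdomain.com":
                  "v=spf1 include:_spf.crm.example include:spf.esp.example ip4:192.0.2.50 -all"}


def count_lookups(domain: str, zone: dict, path: tuple = ()) -> tuple:
    """Return (lookups, trail): the number of DNS-querying terms reached from
    `domain` and a list describing where each one came from."""
    if domain in path:
        return 0, [f"{domain}: include/redirect loop (permerror)"]
    record = zone.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record"]
    count, trail = 0, []
    for term in record.split()[1:]:    # skip the v=spf1 version tag
        body = term.lstrip("+-~?")     # qualifiers do not change lookup cost
        if "=" in body:                # modifier, e.g. redirect= or exp=
            name, arg = body.split("=", 1)
        else:                          # mechanism, e.g. include:x, a, mx, ip4:...
            name, _, arg = body.partition(":")
        name = name.lower().split("/")[0]   # drop a CIDR suffix such as a/24
        if name in LOOKUP_TERMS or name == "redirect":
            count += 1
            trail.append(f"{domain}: {term}")
            if name in ("include", "redirect"):
                sub_count, sub_trail = count_lookups(arg, zone, path + (domain,))
                count += sub_count
                trail.extend(sub_trail)
    return count, trail


def spf_lookup_report(domain: str, zone: dict) -> str:
    """Human-readable verdict plus the trail that explains the count."""
    count, trail = count_lookups(domain, zone)
    status = "OVER LIMIT (permerror)" if count > LIMIT else "ok"
    return f"{domain}: {count} lookups, limit {LIMIT}: {status}\n  " + "\n  ".join(trail)
```

Run against real DNS, the same walk needs a TXT lookup per name; the trail output is what tells you which vendor's include is eating the budget. Note that mx terms also carry a separate per-mechanism limit on the number of MX hosts, which this counter does not model.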

DMARC alignment: strict vs. relaxed

Alignment determines how strictly the domain that passed SPF or DKIM must match the From: header domain. SPF's authenticated domain is the envelope sender (RFC5321.MailFrom, the bounce address), which users never see; DKIM's is the d= tag of the signature. This is a frequently misunderstood aspect of DMARC, and it decides whether subdomains and third-party senders pass.

# Relaxed alignment (default: adkim=r; aspf=r)
# PASS if the organizational domains match (the registrable domain, found via the Public Suffix List)
From: no-reply@mail.yourdomain.com
SPF authenticated domain (MAIL FROM): yourdomain.com  ✅ (same organizational domain)
DKIM d= tag: yourdomain.com                          ✅ (same organizational domain)

# Strict alignment (adkim=s; aspf=s)
# Exact domain match required
From: no-reply@mail.yourdomain.com
SPF authenticated domain (MAIL FROM): yourdomain.com  ❌ (must be exactly mail.yourdomain.com)
DKIM d= tag: yourdomain.com                          ❌ (must be exactly mail.yourdomain.com)

For most organizations, relaxed alignment is appropriate and lets subdomains authenticate against the root domain. The trade-off is that under relaxed mode any host or vendor that can pass SPF or DKIM for any subdomain can put your bare root domain in the From: header, so a compromised or loosely delegated subdomain becomes a way to send as the root domain. Move to strict alignment only if you have that specific requirement and have confirmed all senders can meet it.
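
The decision flow from "How DMARC Works" and the alignment rules above, written out as a receiver would compute them. This is an added example, not the page's code or any mail server's implementation; PUBLIC_SUFFIXES is a constructed four-entry stand-in for the Public Suffix List that real evaluators consult, and the `draw` argument stands in for the receiver's random sample when pct is below 100.

```python
"""DMARC alignment and disposition, as a receiver would compute it.
Added example, not the page's code. PUBLIC_SUFFIXES is a constructed
stand-in for the Public Suffix List."""

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed subset


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label to the left of the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                  aspf="r", adkim="r"):
    """Return (passed, reason). spf_domain is the envelope MAIL FROM domain,
    dkim_domain the d= tag of a signature that verified (None if none did)."""
    if dkim_result == "pass" and dkim_domain and aligned(dkim_domain, from_domain, adkim):
        return True, "DKIM pass, aligned"
    if spf_result == "pass" and spf_domain and aligned(spf_domain, from_domain, aspf):
        return True, "SPF pass, aligned"
    return False, "no aligned SPF or DKIM pass"


def disposition(passed: bool, policy: str, pct: int = 100, draw: int = 100) -> str:
    """Action for one message. `draw` is the receiver's 1-100 sample used to apply
    pct; messages outside the sample get the next-weaker policy (RFC 7489 6.6.4)."""
    if passed:
        return "deliver"
    if draw > pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # ESP with your DKIM key: SPF passes for the ESP's bounce domain, DKIM for yours.
    print(dmarc_verdict("yourdomain.com", "pass", "bounce.esp.example", "pass", "yourdomain.com"))
    # Same ESP without DKIM for your domain: authenticated, but not aligned.
    print(dmarc_verdict("yourdomain.com", "pass", "bounce.esp.example", "none", None))
```

The two calls at the bottom are the case that bites most rollouts: the ESP's SPF pass is real but belongs to bounce.esp.example, so only the DKIM signature with d=yourdomain.com makes the message pass DMARC.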

DMARC for high-value domains: additional hardening

For domains that are high-value phishing targets (financial services, healthcare, large enterprises), additional steps beyond basic DMARC enforcement strengthen protection:

  • BIMI (Brand Indicators for Message Identification): Once the domain is at p=quarantine with pct=100 or at p=reject (and sp= is not none), BIMI lets supporting clients (Gmail, Apple Mail, Yahoo Mail) display your brand logo next to authenticated mail. Gmail requires a Verified Mark Certificate (VMC). Published as a DNS TXT record at default._bimi.yourdomain.com.
  • MTA-STS (SMTP MTA Strict Transport Security): Prevents TLS-stripping and downgrade attacks on mail delivered to your domain by telling sending servers to require TLS with a valid certificate for your MX hosts. Published as a DNS TXT record at _mta-sts.yourdomain.com plus a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
  • TLS-RPT: Companion to MTA-STS that sends reports when TLS negotiation fails during delivery. Published as a DNS TXT record at _smtp._tls.yourdomain.com.
  • DMARC for parked domains: Domains that never send email are prime spoofing targets. For each one publish a DMARC record with p=reject and an SPF record of v=spf1 -all (not ~all, which only softfails), and optionally a null MX (RFC 7505) to signal that the domain receives no mail: v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s. Add rua= if you want to see who is attempting to spoof it.

Verifying your DMARC implementation

After publishing DMARC records, external verification confirms the records are correctly formed and resolving as expected:

  • Run the AI QA Monkey DNS/SPF/DMARC checker to validate all three records simultaneously and identify gaps.
  • Send a test email from each sending platform to a Google Workspace or Gmail mailbox, open "Show original", and read the Authentication-Results header to confirm the SPF, DKIM, and DMARC results and the domains each was evaluated against.
  • Use dig TXT _dmarc.yourdomain.com or nslookup -type=TXT _dmarc.yourdomain.com to confirm the record is published and correctly formatted; query selector._domainkey.yourdomain.com the same way for each DKIM selector in use.
  • Monitor the first 2-4 weeks of aggregate reports for unexpected senders before advancing the policy tier.

Check Your DMARC Configuration

Free DNS scan — validates SPF, DKIM, and DMARC records in 60 seconds.

Check DNS Records Now

FAQ

What does DMARC stand for?

Domain-based Message Authentication, Reporting and Conformance. It protects domains from email spoofing by building on SPF and DKIM.

How does DMARC work?

DMARC checks whether an email passes SPF or DKIM with a domain aligned to the From: header. If neither does, the DMARC policy (none/quarantine/reject) determines what happens to the email, and the receiver reports the result back to the domain owner.

Do I need DMARC if I use SPF and DKIM?

Yes. SPF and DKIM alone don't tell receiving servers what to do when authentication fails. DMARC adds enforcement and alignment requirements.

Check Your Website Right Now

Run a free automated security scan — 75 checks in 60 seconds. No signup required.

Run Free Security Scan →