DMARC is the final layer of email authentication. It ties together SPF and DKIM, enforces a policy on what to do with failing emails, and — crucially — sends you reports on everything happening with your domain.
You can have perfect SPF and DKIM configuration — but without DMARC, those checks don't fully protect you. Here's why:
SPF checks the envelope sender (the technical "from" used during SMTP delivery). DKIM checks the cryptographic signature. But neither of them directly protects the header From address — the address your recipients actually see in their email client.
An attacker can craft an email where the SPF-checked envelope address passes (because they control the sending domain), but the visible From header still shows your domain. DMARC closes this gap by requiring alignment — the authenticated domain must match the visible From address.
DMARC is published as a TXT record in DNS at _dmarc.yourdomain.com. When an email arrives, the receiving server:
1. Checks SPF and DKIM results.
2. Checks alignment — does the authenticated domain match the From header?
3. Applies your DMARC policy — what to do if the checks fail.
4. Sends you an aggregate report about what it saw.
_dmarc.yourcompany.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100"
• v=DMARC1 — required version tag.
• p=quarantine — the policy (see below).
• rua=mailto:... — where to send aggregate reports. This is the address that receives the XML reports.
• pct=100 — apply the policy to 100% of failing emails. Can be reduced during testing (e.g. pct=10 for 10%).
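The four receiver steps and the record tags above, worked through as an added example (this is not code from the original article): a small Python DMARC evaluator. It parses a record, checks relaxed or strict alignment against the visible From domain, applies p and pct, and returns the verdict a receiver would record. The adkim/aspf alignment-mode tags and their relaxed defaults come from RFC 7489, not from the article; the public-suffix list, domain names and rua address are constructed stand-ins.

```python
"""Added example, not the article's own code: a small DMARC evaluator.

It parses a DMARC TXT record (the tags listed above), then performs the
receiver's steps: take SPF/DKIM results, check alignment against the visible
From domain, apply p/pct, and return the verdict a rua report would carry.
The adkim/aspf tags and their relaxed ('r') defaults come from RFC 7489.
"""
import random
from typing import Optional

# Constructed stand-in for the Public Suffix List; a real receiver uses the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "org.uk"}


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=...; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must carry v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its registrable part (simplified PSL walk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record: dict, from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, draw: Optional[int] = None) -> dict:
    """Steps 1-4: combine results, check alignment, apply the policy, report."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    dmarc_pass = spf_ok or dkim_ok
    if dmarc_pass:
        disposition = "none"
    else:
        # pct applies the policy to that percentage of failing mail; the rest get the
        # next weaker policy (reject -> quarantine, quarantine -> none), RFC 7489 6.6.4.
        roll = random.randrange(100) if draw is None else draw
        weaker = {"reject": "quarantine", "quarantine": "none", "none": "none"}
        disposition = record["p"] if roll < record["pct"] else weaker[record["p"]]
    return {"dmarc": "pass" if dmarc_pass else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


# Constructed record and messages (the rua address is a placeholder).
RECORD = parse_dmarc_record("v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@yourcompany.com; pct=100")

# Legitimate mail: SPF on a bounce subdomain and DKIM on a mail subdomain both align (relaxed).
LEGIT = evaluate_dmarc(RECORD, "yourcompany.com", "pass", "bounce.yourcompany.com",
                       "pass", "mail.yourcompany.com")

# The gap described above: SPF passes for an unrelated envelope domain, no DKIM
# signature, and the visible From still claims yourcompany.com.
SPOOF = evaluate_dmarc(RECORD, "yourcompany.com", "pass", "unrelated-sender.net",
                       "none", "", draw=0)

if __name__ == "__main__":
    print("legit:", LEGIT)   # dmarc pass, disposition none
    print("spoof:", SPOOF)   # dmarc fail, disposition quarantine
```

The `draw` parameter only exists so the pct sampling can be pinned for a test; a real receiver rolls per message. Note what pct does to a failing message that is not sampled: under p=reject with pct=10, nine in ten failures are quarantined rather than delivered, which is why the staged rollout is safe to run against live traffic.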
• p=none — monitor only. Emails are delivered regardless of whether they pass. Reports are still sent. Use this when you first set up DMARC to understand your email landscape before enforcing anything.
• p=quarantine — failing emails are sent to the recipient's spam/junk folder. A good intermediate step before full enforcement.
• p=reject — failing emails are rejected outright and never delivered. This is full protection. The goal for all organisations.
A typical rollout:
1. Start with p=none for 2–4 weeks and read your reports.
2. Move to p=quarantine with pct=10 to test.
3. Gradually increase pct to 100.
4. Move to p=reject once you're confident all legitimate senders are covered.
One of DMARC's most valuable features is aggregate reporting. Major email providers (Google, Microsoft, Yahoo) send XML reports to your specified rua address, typically once a day. These reports contain:
• Every IP address that sent email claiming to be from your domain
• How many emails each IP sent
• Whether SPF and DKIM passed or failed
• Whether DMARC alignment passed or failed
• Which policy was applied
This visibility is invaluable — you can see legitimate services you forgot to add to SPF, and detect attackers spoofing your domain before your recipients start complaining.
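To show what the aggregate reports above actually contain, here is an added example (not the article's or any vendor's code): a Python parser for a rua report in the RFC 7489 Appendix C XML layout, followed by a triage that separates aligned senders, senders authenticated for some other domain (often a forgotten legitimate service), and sources that passed nothing. The report, its reporter name, domains and IP addresses are all constructed sample data.

```python
"""Added example, not the article's own code: parse a DMARC aggregate (rua)
report and build the per-sender summary the text describes.

SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C layout; the
IPs are documentation ranges. policy_evaluated carries the *aligned* results the
receiver used; auth_results carries the raw checks that explain a failure.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-mailbox-provider</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>yourcompany.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><dkim><domain>yourcompany.com</domain><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><spf><domain>bounces.saas-provider.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.50</source_ip><count>400</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><spf><domain>yourcompany.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Pull the published policy and one flat dict per <record> out of the report."""
    root = ET.fromstring(xml_text)
    report = {"reporter": root.findtext("report_metadata/org_name"),
              "domain": root.findtext("policy_published/domain"),
              "policy": root.findtext("policy_published/p"), "rows": []}
    for rec in root.findall("record"):
        report["rows"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim"),  # aligned results
            "spf_aligned": rec.findtext("row/policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_raw": rec.findtext("auth_results/spf/result"),          # raw checks
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_raw": rec.findtext("auth_results/dkim/result"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return report


def classify(row: dict) -> str:
    """Triage label for one source, from the domain owner's point of view."""
    if "pass" in (row["dkim_aligned"], row["spf_aligned"]):
        return "aligned"          # DMARC passed; nothing to do
    if "pass" in (row["spf_raw"], row["dkim_raw"]):
        return "unaligned-auth"   # authenticated for another domain: often a legitimate
                                  # third-party service not yet added to SPF / signing DKIM
    return "unauthenticated"      # neither check passed: unknown source or spoofing


def summarize(report: dict) -> dict:
    """Message totals per triage label plus per-IP detail for a digest."""
    summary = {"domain": report["domain"], "policy": report["policy"],
               "totals": {"aligned": 0, "unaligned-auth": 0, "unauthenticated": 0},
               "by_ip": {}}
    for row in report["rows"]:
        label = classify(row)
        summary["totals"][label] += row["count"]
        summary["by_ip"][row["source_ip"]] = {
            "count": row["count"], "label": label, "disposition": row["disposition"],
            "auth_domains": [d for d in (row["spf_domain"], row["dkim_domain"]) if d]}
    return summary


if __name__ == "__main__":
    s = summarize(parse_aggregate_report(SAMPLE_REPORT))
    for ip, info in s["by_ip"].items():
        print(f"{ip:15} {info['count']:5} {info['label']:16} -> {info['disposition']}")
```

The "unaligned-auth" bucket is the one worth reading first: in the sample, 198.51.100.7 passed SPF for bounces.saas-provider.example while claiming yourcompany.com in the From header, which is exactly what a legitimate but unconfigured service looks like in these reports. The "unauthenticated" bucket is where spoofing shows up, and the disposition column tells you what the receiver actually did with it under your current policy.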
In 2024, Google and Yahoo introduced requirements for bulk email senders: SPF, DKIM, and a p=none DMARC policy are now mandatory for anyone sending more than 5,000 emails per day to Gmail addresses. Microsoft followed with similar guidance for Microsoft 365.
Even if you're not a bulk sender, these requirements signal the direction of the industry. Organisations without DMARC are increasingly likely to find their emails flagged as spam.
We'll parse your DMARC XML reports automatically and send you a plain-English monthly digest — who's sending as your domain, what's passing, what's failing, and what to do about it. No XML. No guesswork.