The one-sentence version
DMARC tells mailbox providers (Gmail, Microsoft, Yahoo) what to do with mail that claims to be from your domain but doesn't pass authentication checks: ignore it, spam-folder it, or reject it outright.
Why it matters
Anyone can put your domain in the From: address of an email. There's nothing inherent in SMTP that prevents it. Spammers, phishers, and "we accidentally CC'd legal" operations all rely on this. DMARC closes the gap by giving mailbox providers a published rule to follow: "if a message says it's from acme.com but doesn't actually pass our SPF or DKIM checks, here's what to do with it."
Without DMARC, you're trusting every mailbox provider on earth to make their own judgment call about whether mail "from" your domain is real. With DMARC at p=reject, you're publishing a clear answer: not real, throw it away.
How it fits with SPF and DKIM
SPF and DKIM are the two existing authentication mechanisms. DMARC sits on top of both:
- SPF says "these are the IP addresses allowed to send mail for my domain." A receiving mailbox checks the sending IP against your SPF record.
- DKIM attaches a cryptographic signature to outgoing mail. The receiving mailbox verifies the signature against a public key you publish in DNS.
- DMARC says "if neither SPF nor DKIM passes and aligns with my From: domain, here's what to do." Alignment is the part most people miss — SPF and DKIM can pass technically but for a different domain (e.g. your transactional ESP), which is why DMARC adds the alignment requirement.
You don't need to fully understand all three to get value from DMARC. Publishing a DMARC record at p=none is enough to start collecting reports — the data those reports contain will tell you what your real mail flows look like.
What's in a DMARC record?
A DMARC record is a single TXT record at _dmarc.<your-domain>. It looks like this:
v=DMARC1; p=none; rua=mailto:reports@example.com; pct=100
The interesting parts:
- p= — the policy. none = monitor only. quarantine = send failing mail to spam. reject = bounce failing mail outright.
- rua= — where to send aggregate reports. This is the address that gets a daily summary of what mail providers saw. (This is what we ingest at trustyourinbox.)
- pct= — what percentage of failing mail to apply the policy to. Useful for ramping up. Most start at pct=10 when moving past p=none.
Why "monitor only" is a real first step
p=none doesn't block anything. It just asks mailbox providers to keep sending you reports about what they saw. This is genuinely valuable on its own — within a few days you'll see exactly which IP ranges are sending mail in your name (your CRM, your transactional ESP, your billing platform, plus anything you didn't know about).
Once you've watched p=none for 4-8 weeks and know what "normal" looks like, you progress: p=quarantine pct=10 → quarantine pct=50 → quarantine pct=100 → p=reject. The whole arc usually takes 2-3 months for a typical small business.
Common gotchas
Forgetting your transactional ESP. You publish DMARC, then ramp to p=reject, then everyone's password-reset emails start bouncing because your ESP's signing domain wasn't aligned. Fix: configure DKIM signing on your ESP with explicit aligned signatures (CNAME the DKIM keys onto a subdomain you control).
Subdomain leakage. If your p=reject is on acme.com but you don't set sp=, then marketing.acme.com inherits the policy by default. Sometimes that's fine. Sometimes it isn't. Set sp= explicitly.
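A worked example, added here and not trustyourinbox's own code: it parses a record like the one shown above and evaluates a message against it using the alignment rule from the SPF/DKIM section and the sp= inheritance rule from this gotcha. It assumes the caller already knows which domain SPF and DKIM actually passed for (None if the check failed); the organizational-domain lookup is simplified to the last two labels (real receivers use the Public Suffix List), and the acme.com / esp.example domains are constructed.

```python
# Added example, not trustyourinbox's code: parse a DMARC TXT record and
# work out what a receiver would do with one message, applying relaxed or
# strict alignment and the sp= inheritance rule. Domains below are made up.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict; reject malformed records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("a DMARC record needs v=DMARC1 and a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags["pct"] = int(tags.get("pct", "100"))      # default 100, see pct= above
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags.setdefault("adkim", "r")                  # r = relaxed alignment (default)
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])               # subdomains inherit p= unless sp= is set
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels). Real receivers use the PSL."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """auth_domain is the domain SPF or DKIM actually passed for, or None if it failed."""
    if not auth_domain:
        return False
    if mode == "s":                                # strict: exact match only
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None, policy_domain=None):
    """Return (dmarc_pass, action). policy_domain is where the record was found,
    so a From: subdomain gets the sp= policy instead of p=. pct= is not sampled here."""
    r = parse_dmarc(record)
    if aligned(spf_domain, from_domain, r["aspf"]) or aligned(dkim_domain, from_domain, r["adkim"]):
        return True, "none"
    is_subdomain = policy_domain is not None and from_domain.lower() != policy_domain.lower()
    return False, r["sp"] if is_subdomain else r["p"]
```

The ESP gotcha above is evaluate("v=DMARC1; p=reject", "acme.com", dkim_domain="esp.example"), which returns (False, "reject"); signing from mail.acme.com instead passes under relaxed alignment.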
Mailing lists. If your CEO posts to a mailing list, the list relays the message but rewrites the headers. SPF passes for the list's server, but the DKIM signature breaks because the list edits the body. The forwarded copy fails DMARC at p=reject. There's no perfect fix; ARC and List-Unsubscribe-Post help.
Up next
Concrete next steps: Setting up DMARC for the first time →
Related
- DMARC alignment, in plain English — why a message can pass SPF but still fail DMARC.
- Counting your SPF lookups — the RFC 7208 10-cap and how to stay under it.
- Why 1024-bit DKIM keys are being phased out — and how to rotate to 2048-bit safely.
Stop guessing — start monitoring.
Free for 1 domain. Set up in 5 minutes. We handle the report parsing, you read plain-English summaries.