DMARC explained
DMARC is the umbrella over SPF and DKIM: it sets the policy, requires alignment with the visible From domain, and reports back who is sending as your domain. Here's how it works and how to roll it out without blocking your own mail.
What DMARC is
DMARC (Domain-based Message Authentication, Reporting & Conformance) sits on top of SPF and DKIM and adds the two things they lack on their own: a policy (what should happen to mail that fails) and reporting (who is sending as your domain). It is the piece that turns authentication from "nice signal" into "enforced rule": once you publish quarantine or reject, participating receivers stop delivering mail that forges your From address.
How it works
When a receiver gets your mail, it checks SPF (against the envelope MAIL FROM domain) and DKIM (against the d= domain of each signature), then asks DMARC's question: did at least one of them pass, with a domain that aligns with the visible From domain? If yes, DMARC passes. If no, the receiver applies your published policy. Either way it counts the result and sends it back to you in an aggregate report. You publish all of this as a single DNS TXT record at _dmarc.yourdomain.
The policy progression: none → quarantine → reject
This is where most rollouts go wrong. Move through the policies in order, never skip to reject:
| Policy | What happens to failing mail | Protection | Risk | Use when |
|---|---|---|---|---|
| p=none | Nothing, delivered as normal | None (monitor only) | None | Start here, gather reports |
| p=quarantine | Treated as suspicious, usually sent to the spam folder | Partial | Some legitimate mail may be quarantined | All known senders pass aligned |
| p=reject | Blocked outright | Full (spoofing stopped at participating receivers) | Mistakes bounce real mail | You're confident every source aligns |
Sit at none until the reports show every legitimate source passing, often a few weeks. Then move to quarantine (pct lets you apply the policy to a fraction of your mail first; pct=100 applies it to all of it), watch the reports again, then reject. The deliverability guide covers where DMARC fits among the other reasons mail lands in spam.
Alignment: why DMARC needs more than a pass
A spammer can publish perfect SPF and DKIM for their own domain. Alignment is what stops them from using that to forge yours: DMARC requires the domain that passed SPF (the envelope MAIL FROM domain) or DKIM (the d= tag of the passing signature) to match the domain in the From header. Relaxed alignment (the default) accepts any subdomain of the same organizational domain; strict requires an exact match. Alignment is checked per mechanism, so an aligned DKIM pass rescues mail whose SPF domain is unaligned, and vice versa. This is the mechanism that makes DMARC meaningful.
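As an added example, not code from the page or from any mail server, here is the receiver-side decision described under "How it works" and in the alignment paragraph above, written in Python. It takes SPF and DKIM results that have already been computed (no DNS lookups) and returns the DMARC result and the disposition the published policy calls for. The org_domain helper is an assumption: it takes the last two labels, whereas real receivers consult the Public Suffix List. All domain names in it are made up.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, so a name like "example.co.uk" is mishandled here.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return org_domain(a) == org_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    spf_result: str      # outcome of the SPF check: "pass", "fail", "softfail", ...
    spf_domain: str      # envelope MAIL FROM (Return-Path) domain SPF was checked against
    # one (d= domain, result) pair per DKIM signature on the message
    dkim: list[tuple[str, str]] = field(default_factory=list)


@dataclass
class DmarcPolicy:
    p: str = "none"      # none | quarantine | reject
    adkim: str = "r"     # DKIM alignment mode
    aspf: str = "r"      # SPF alignment mode


def dmarc_evaluate(from_domain: str, auth: AuthResults, policy: DmarcPolicy) -> tuple[str, str]:
    """Return (dmarc_result, disposition).

    DMARC passes if SPF passed AND its domain aligns with the From domain, or
    if any DKIM signature passed AND its d= aligns. A raw pass for some other
    domain (the spoofer's own SPF/DKIM) counts for nothing. On failure the
    published p= value becomes the disposition.
    """
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, policy.aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, policy.adkim) for d, res in auth.dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.p


if __name__ == "__main__":
    policy = DmarcPolicy(p="reject", adkim="s", aspf="r")
    # Legitimate mail: SPF passes for a bounce subdomain, relaxed aspf aligns it.
    legit = AuthResults("pass", "bounce.example.com", [("example.com", "pass")])
    print("legit    ", dmarc_evaluate("example.com", legit, policy))
    # Spoof: attacker's own SPF and DKIM pass, but for attacker.net, so unaligned.
    spoof = AuthResults("pass", "attacker.net", [("attacker.net", "pass")])
    print("spoof    ", dmarc_evaluate("example.com", spoof, policy))
    # Forwarded mail: SPF breaks at the forwarder, the DKIM signature survives.
    forwarded = AuthResults("fail", "bounce.example.com", [("example.com", "pass")])
    print("forwarded", dmarc_evaluate("example.com", forwarded, policy))
```

The third case is why the FAQ below tells you to set up both mechanisms: with DKIM signed at d=example.com the forwarded message still passes, whereas an SPF-only setup would have it rejected.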
The record
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=r; pct=100"
The common tags:
v=DMARC1 ; version (required, must be the first tag)
p=quarantine ; policy: none | quarantine | reject
rua=mailto: ; where to send aggregate reports (comma-separated mailto: URIs)
adkim=s ; DKIM alignment: s(trict) | r(elaxed), default r
aspf=r ; SPF alignment: s(trict) | r(elaxed), default r
pct=100 ; percentage of mail the policy applies to, default 100
Two things to check before you publish. If rua points at an address outside your own domain (a reporting vendor, say), that domain must publish an authorization record at yourdomain._report._dmarc.vendordomain or receivers will discard your reports. And adkim=s, as in the example above, fails DKIM alignment for any signature whose d= is a subdomain of your From domain, so keep it relaxed unless every signer uses the exact From domain.
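An added example, not the page's code: a small Python checker for records like the one above. It parses the tags, fills in the defaults, and flags the mistakes that most often slip through (v= not first, a bad pct, no rua, a rua destination in another domain without the authorization record RFC 7489 requires). The record strings and domains in it are constructed, and org_domain is the same last-two-labels simplification noted earlier rather than a Public Suffix List lookup.

```python
VALID_VALUES = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},   # subdomain policy, if present
    "adkim": {"s", "r"},
    "aspf": {"s", "r"},
}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def org_domain(domain: str) -> str:
    # ASSUMPTION: last two labels stand in for the organizational domain.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=...; ...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record_domain: str, txt: str) -> list[str]:
    """Return a list of problems with the record; an empty list means it looks sane."""
    problems = []
    tags = parse_dmarc(txt)
    # v=DMARC1 must be the first tag, not merely present somewhere.
    if txt.strip().split(";", 1)[0].strip() != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("missing required p= tag")
    for name, allowed in VALID_VALUES.items():
        if name in tags and tags[name] not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    pct = tags.get("pct", DEFAULTS["pct"])
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct={pct} must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    else:
        for uri in tags["rua"].split(","):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:"):
                problems.append(f"rua entry {uri!r} is not a mailto: URI")
                continue
            # Drop an optional "!10m" size limit before taking the domain.
            report_domain = uri.split("@", 1)[-1].split("!", 1)[0].lower()
            if org_domain(report_domain) != org_domain(record_domain):
                problems.append(
                    f"rua points at {report_domain}; that domain must publish "
                    f'{record_domain}._report._dmarc.{report_domain} TXT "v=DMARC1" '
                    "or receivers will drop the reports")
    return problems


def effective_tags(txt: str) -> dict[str, str]:
    """The record with defaults applied, as a receiver would interpret it."""
    return {**DEFAULTS, **parse_dmarc(txt)}


if __name__ == "__main__":
    # Constructed records: the page's example, then two broken ones.
    good = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=r; pct=100"
    bad = "p=reject; v=DMARC1; pct=150; adkim=x"
    external = "v=DMARC1; p=none; rua=mailto:reports@dmarcvendor.example"
    for rec in (good, bad, external):
        print(rec)
        for problem in check_dmarc("example.com", rec) or ["  ok"]:
            print("  -", problem)
```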
FAQ
What does DMARC actually do?
DMARC ties SPF and DKIM to the visible From address and tells receivers what to do when neither passes in alignment: nothing (p=none), send to spam (p=quarantine), or block (p=reject). It also asks receivers to email you reports of who is sending as your domain. It is the policy-and-reporting layer on top of SPF and DKIM.
What is DMARC alignment?
DMARC only passes if SPF or DKIM passes AND the domain it authenticated matches the domain in the visible From header. That match is 'alignment.' Relaxed alignment allows subdomains (mail.example.com aligns with example.com); strict requires an exact match. Without alignment, a spammer could pass SPF for their own domain while forging your From, which is exactly what DMARC closes.
Should I start with p=reject?
No. Start at p=none, which changes nothing about delivery but turns on reporting. Watch the aggregate reports until every legitimate sender (your app, your CRM, your help desk) passes aligned SPF or DKIM, then move to quarantine, then reject. Jumping straight to reject before monitoring is how teams blackhole their own transactional mail.
What's the difference between rua and ruf?
rua receives aggregate reports: XML summaries, typically daily, of pass/fail counts per sending source. This is what you actually use to roll out DMARC safely. ruf receives forensic (failure) reports: per-message samples, which many providers no longer send for privacy reasons. Set rua; ruf is optional and increasingly rare.
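The rollout described earlier ("sit at none until the reports show every legitimate source passing") and the rua answer above both come down to reading that XML. This added example, not the page's code, parses a constructed aggregate report in the RFC 7489 Appendix C shape and lists, per source IP, how much volume would be quarantined or rejected and why. The key detail it surfaces is the difference between the raw results under auth_results and the aligned results under policy_evaluated: a vendor that passes SPF and DKIM for its own domain still fails DMARC for yours. The IPs, domains and counts in SAMPLE_REPORT are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample report: one aligned source, one third-party sender that
# authenticates only as itself, and one source with no authentication at all.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_records(xml_text: str) -> list[dict]:
    """One dict per <record>: source, volume, aligned results, raw results."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")   # aligned results, per DMARC
        records.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "aligned_dkim": evaluated.findtext("dkim", "fail"),
            "aligned_spf": evaluated.findtext("spf", "fail"),
            # raw (mechanism, domain, result) triples, whatever domain they were for
            "raw": [(e.tag, e.findtext("domain"), e.findtext("result"))
                    for e in rec.find("auth_results")],
        })
    return records


def dmarc_passed(rec: dict) -> bool:
    return rec["aligned_dkim"] == "pass" or rec["aligned_spf"] == "pass"


def classify(rec: dict) -> str:
    """Explain a failure so you know whether to fix a sender or ignore a spoofer."""
    if dmarc_passed(rec):
        return "aligned pass"
    raw_pass = sorted({dom for _, dom, res in rec["raw"] if res == "pass"})
    if raw_pass:
        return (f"third party: raw pass for {', '.join(raw_pass)} "
                f"but not aligned with {rec['header_from']}")
    return "unauthenticated: unknown sender or spoof"


def rollout_summary(xml_text: str) -> dict[str, dict]:
    """Per source IP: total volume, volume failing DMARC, and why."""
    totals: dict[str, dict] = {}
    for rec in parse_records(xml_text):
        t = totals.setdefault(rec["ip"], {"count": 0, "failing": 0, "notes": set()})
        t["count"] += rec["count"]
        if not dmarc_passed(rec):
            t["failing"] += rec["count"]
            t["notes"].add(classify(rec))
    return totals


def sources_to_fix(xml_text: str) -> list[str]:
    """IPs with failing volume, largest first: this mail bounces at p=reject."""
    summary = rollout_summary(xml_text)
    return sorted((ip for ip, t in summary.items() if t["failing"]),
                  key=lambda ip: -summary[ip]["failing"])


if __name__ == "__main__":
    for ip, t in rollout_summary(SAMPLE_REPORT).items():
        print(ip, t["count"], "msgs,", t["failing"], "failing;", "; ".join(sorted(t["notes"])))
```

Run against a real day's reports, the "third party" lines are your CRM, help desk and newsletter tool: each needs to either sign with a d= under your domain or send from a MAIL FROM domain that aligns, before you leave p=none. The "unauthenticated" lines are what reject will stop.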
Does DMARC require both SPF and DKIM?
It requires at least one of them to pass in alignment. In practice you want both: a DKIM signature survives forwarding (as long as the forwarder does not modify the signed headers or body), while SPF fails as soon as a forwarder retransmits the message from its own IP, so relying on SPF alone causes legitimate forwarded mail to fail DMARC. Configure both and DMARC has two chances to pass.
Is DMARC mandatory now?
Effectively yes for bulk senders. Since 2024, Google and Yahoo require a DMARC record (at least p=none) for anyone sending large volumes to their users. Beyond compliance, DMARC at quarantine or reject is the only thing that tells receivers to refuse mail that spoofs your domain; SPF and DKIM on their own only produce a result, not a decision.
Email authentication is native KB Cafe territory: this domain ran Rmail and documented SMTP when the spoofing problem DMARC solves was just emerging. This is the modern reference: the policy, the alignment trick, and the safe rollout that gets you to p=reject without blocking your own mail.