DMARC
Domain-based Message Authentication, Reporting, and Conformance
DMARC is the policy layer that turns SPF and DKIM from mechanisms into a defensible claim about who can send mail as your domain. It requires that SPF or DKIM not only pass but also align with the visible From: header, and it lets you publish what receivers should do with failing mail. As of February 2024, Gmail and Yahoo require DMARC for all high-volume senders.
For an in-depth treatment, see How DMARC Works. This page is a quick reference.
The DMARC record
A DMARC record is a TXT record at _dmarc. in front of the domain:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r; sp=reject"
Fields:
- v=DMARC1 — version tag (required, first).
- p= — policy: none, quarantine, or reject.
- rua= — aggregate report destination (email address).
- pct= — percentage of failing messages the policy applies to (1-100; default 100).
- adkim= — DKIM alignment mode (r=relaxed, s=strict).
- aspf= — SPF alignment mode (r=relaxed, s=strict).
- sp= — subdomain policy. If absent, subdomains inherit p=.
- fo= — forensic options.
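A small parser that applies the tag rules listed above (v=DMARC1 first, p= one of the three policies, sp= inheriting p=, and the default values for pct=, adkim= and aspf=) is a handy check before publishing a record. This is an added example, not code from the glossary or from any DMARC tool; the ruf= tag and the fo= default of 0 come from RFC 7489 rather than from this page.

```python
"""Parse a DMARC TXT record into tags with defaults applied.

Added example (not the glossary's own code). It enforces: v=DMARC1 first,
p= in none/quarantine/reject, sp= inherits p= when absent, and the
defaults shown on this page for pct=, adkim= and aspf=.
"""
from __future__ import annotations

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}


def parse_dmarc_record(txt: str) -> dict:
    """Return the record as a dict; raise ValueError on the errors checked here."""
    # Split "tag=value; tag=value" pairs, keeping order so "v=DMARC1 first" is checkable.
    pairs: list[tuple[str, str]] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))

    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        raise ValueError(f"p= must be one of {sorted(VALID_POLICIES)}, got {policy!r}")

    # pct: RFC 7489 allows 0-100; treated as 100 when absent.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")

    adkim = tags.get("adkim", "r")
    aspf = tags.get("aspf", "r")
    if adkim not in VALID_ALIGNMENT or aspf not in VALID_ALIGNMENT:
        raise ValueError("adkim=/aspf= must be 'r' (relaxed) or 's' (strict)")

    sub_policy = tags.get("sp", policy)  # subdomains inherit p= when sp= is absent
    if sub_policy not in VALID_POLICIES:
        raise ValueError(f"sp= must be one of {sorted(VALID_POLICIES)}, got {sub_policy!r}")

    # Report URIs are comma-separated; only mailto: destinations are accepted here.
    def uris(tag: str) -> list[str]:
        out = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        for u in out:
            if not u.lower().startswith("mailto:"):
                raise ValueError(f"{tag}= entry is not a mailto: URI: {u!r}")
        return out

    return {
        "v": "DMARC1",
        "p": policy,
        "sp": sub_policy,
        "pct": pct,
        "adkim": adkim,
        "aspf": aspf,
        "rua": uris("rua"),
        "ruf": uris("ruf"),          # forensic report destinations (RFC 7489)
        "fo": tags.get("fo", "0"),   # forensic options; "0" is the RFC 7489 default
    }


if __name__ == "__main__":
    # The record shown on this page, minus the DNS owner, class and type.
    print(parse_dmarc_record(
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r; sp=reject"
    ))
```

Run it against the TXT value returned by `dig TXT _dmarc.yourdomain` before and after every change; a record that fails here will be ignored by receivers, which silently leaves the domain with no policy at all.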
The three policy modes
| Policy | Action | When to use |
|---|---|---|
| none | Deliver normally; send report | Discovery phase — first 2-6 weeks of rollout |
| quarantine | Deliver to spam folder; send report | Transition phase — after p=none reports look clean |
| reject | Bounce at SMTP; send report | Enforcement — final state |
How DMARC evaluates a message
The receiver checks:
- Did SPF pass? If yes, does the MAIL FROM domain align with the From: domain?
- Did DKIM pass? If yes, does the d= signing domain align with the From: domain?
- If at least one passed AND aligned → DMARC pass.
- If neither passed AND aligned → DMARC fail. Apply policy (none, quarantine, reject).
Alignment matters more than people think
The "alignment" requirement is what makes DMARC powerful. SPF authenticates the envelope sender; DKIM authenticates the signing domain. Neither directly authenticates the visible From: header that users see. DMARC adds the requirement that at least one of those authenticated domains MUST match the From: domain.
This prevents the classic phishing pattern: an attacker passes SPF for attacker.com (their own domain), sets the visible From: to ceo@yourcompany.com, and sends spoofed mail. Without DMARC, SPF passes and the message arrives. With DMARC, the SPF-authenticated domain doesn't align with the From: domain, so DMARC fails — and your published policy (quarantine or reject) handles the rest.
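The four-step evaluation and the alignment rule above (and the alignment definition in the FAQ below) can be written out as a short evaluator. This is an added example, not the glossary's code or any MTA's implementation. It assumes the SPF and DKIM checks have already run and hands their raw results in; PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in for the real Public Suffix List that receivers use to find the Organizational Domain, and pct= sampling is left out so the result is deterministic.

```python
"""Evaluate DMARC for one message, including identifier alignment.

Added example (not the glossary's own code). Steps: SPF pass + MAIL FROM
alignment, DKIM pass + d= alignment, then the disposition from p=.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List. A production evaluator
# must use the full list (publicsuffix.org) to find the Organizational Domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the public suffix plus one label, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as organizational


def aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    a = auth_domain.lower().rstrip(".")
    f = header_from_domain.lower().rstrip(".")
    if not a:
        return False  # nothing was authenticated, so nothing can align
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    header_from_domain: str   # domain of the visible From: header
    spf_result: str           # "pass", "fail", "none", ... from the SPF check
    mail_from_domain: str     # RFC5321.MailFrom domain SPF was evaluated on
    dkim_result: str          # "pass", "fail", "none", ... from DKIM verification
    dkim_d: str               # d= tag of the verified signature ("" if none)


def evaluate_dmarc(res: AuthResults, policy: dict) -> dict:
    """Apply the DMARC check; `policy` is the parsed record (p, adkim, aspf)."""
    spf_ok = res.spf_result == "pass" and aligned(
        res.mail_from_domain, res.header_from_domain, policy.get("aspf", "r"))
    dkim_ok = res.dkim_result == "pass" and aligned(
        res.dkim_d, res.header_from_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok  # at least one must pass AND align
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # The published policy is applied only to failing mail.
        "disposition": "none" if passed else policy.get("p", "none"),
    }


if __name__ == "__main__":
    # The spoof pattern described above: SPF passes for attacker.com, but the
    # visible From: is yourcompany.com, so nothing aligns.
    spoof = AuthResults("yourcompany.com", "pass", "attacker.com", "none", "")
    print("spoof:", evaluate_dmarc(spoof, {"p": "reject"}))
    # Legitimate third-party sender (constructed): SPF for the provider's bounce
    # domain does not align, but a DKIM signature with d=example.com does
    # under relaxed alignment. Under strict adkim=s it no longer does.
    legit = AuthResults("mail.example.com", "pass", "bounce.esp.net", "pass", "example.com")
    print("legit, relaxed:", evaluate_dmarc(legit, {"p": "reject"}))
    print("legit, strict DKIM:", evaluate_dmarc(legit, {"p": "reject", "adkim": "s"}))
```

The third case is the one that bites during rollout: switching adkim= from r to s turns a passing third-party stream into rejected mail unless that sender signs with the exact From: subdomain.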
Aggregate reports (rua)
Receivers send daily XML summaries to the address in rua=. Each report contains:
- Per source IP, the count of messages claiming to be from your domain.
- SPF and DKIM results per source.
- Whether each result aligned.
- What DMARC policy was applied.
Parse these with a tool — dmarcian, EasyDMARC, parsedmarc, Postmark DMARC Monitoring. The reports reveal every server in the world claiming to be your domain, which is essential for safely rolling out p=reject without breaking legitimate mail.
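To see what the tools above extract, here is a minimal summarizer for the XML aggregate format over a constructed sample report. This is an added example, not the glossary's code and not one of the named parsers; the reporter name, IPs and counts in SAMPLE_REPORT are made up, and the gzip/zip unpacking that real rua attachments need is omitted.

```python
"""Summarize a DMARC aggregate (rua) report for rollout triage.

Added example (not the glossary's own code). SAMPLE_REPORT is a constructed
report in the RFC 7489 XML layout. Real reports arrive compressed as mail
attachments; decompression is not shown.
"""
from __future__ import annotations

# Reports are untrusted input from arbitrary receivers: use defusedxml in production.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>esp.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.200</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify_record(rec: ET.Element) -> str:
    """'pass' (DMARC pass), 'unaligned_pass' (raw SPF/DKIM passed for some
    other domain: usually a legitimate third party to fix), or 'fail'."""
    evaluated = rec.find("row/policy_evaluated")
    # policy_evaluated/{dkim,spf} are the *aligned* results the receiver used.
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "pass"
    # auth_results holds the raw SPF/DKIM outcomes before alignment is applied.
    raw = rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
    if any(r.findtext("result") == "pass" for r in raw):
        return "unaligned_pass"
    return "fail"


def summarize_aggregate_report(xml_text: str) -> dict:
    """Per-source verdicts plus message totals per verdict."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources, totals = [], {"pass": 0, "unaligned_pass": 0, "fail": 0}
    for rec in root.findall("record"):
        row = rec.find("row")
        verdict = classify_record(rec)
        count = int(row.findtext("count"))
        totals[verdict] += count
        sources.append({
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "verdict": verdict,
            "disposition": row.findtext("policy_evaluated/disposition"),
            "auth_domains": sorted({d.text for d in rec.findall("auth_results/*/domain")}),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "totals": totals,
        "sources": sources,
    }


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print(f"{s['reporter']} report for {s['domain']} (p={s['policy']})")
    for src in s["sources"]:
        print(f"  {src['source_ip']:<16}{src['count']:>5}  {src['verdict']:<15} via {', '.join(src['auth_domains'])}")
    print("  totals:", s["totals"])
```

The unaligned_pass bucket is the one to work through before tightening the policy: a source that passes raw SPF for a provider's domain but never aligns is typically a legitimate service that needs a DKIM signature with your d=, whereas sources that fail everything are the ones p=reject is meant to stop.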
The safe rollout
- Publish p=none with rua= (2-4 weeks). Reports flow in; no impact on delivery.
- Identify all legitimate senders from reports. Make sure each one has aligned SPF or DKIM.
- Move to p=quarantine (2-4 weeks). Failures go to spam; recoverable for false positives.
- Move to p=reject. Failures bounce. Domain is now spoof-protected.
Skipping straight to p=reject reliably breaks legitimate mail from sources you forgot about. The 6-8 week rollout is the experienced operator's pattern.
Gmail/Yahoo 2024 requirements
Since February 2024, Gmail and Yahoo require all senders exceeding 5000 daily messages to those receivers to:
- Pass and align both SPF and DKIM.
- Publish a DMARC record with at minimum p=none.
- Include a List-Unsubscribe header with one-click support for bulk mail.
- Keep the spam complaint rate under 0.3%.
The DMARC requirement is for the existence of a record, not a strict policy. p=none satisfies the rule; stricter policies provide actual protection.
Frequently Asked Questions
What are the three DMARC policy modes?
p=none (monitor only — deliver normally but send aggregate reports), p=quarantine (deliver to spam folder), p=reject (bounce the message at SMTP). Standard rollout: start with p=none for 2-4 weeks to discover legitimate senders via reports, then move to p=quarantine for another 2-4 weeks, then p=reject. Going straight to p=reject reliably breaks legitimate mail from sources you forgot about.
What is DMARC alignment?
Alignment is DMARC's requirement that the domain in the visible From: header matches the domain that SPF or DKIM authenticated. Relaxed alignment (default) accepts Organizational Domain match — From: news@mail.example.com aligns with DKIM d=example.com. Strict alignment requires exact match. An SPF or DKIM pass that doesn't align with From: provides no DMARC protection.
What is an aggregate (rua) report?
An aggregate report is a daily XML summary sent by receivers to the address in DMARC's rua= tag. It contains counts of messages per source IP and their authentication results — but no message content. Receivers like Gmail, Microsoft, Yahoo, and Comcast send these daily. They are the primary tool for discovering all legitimate senders during DMARC rollout. Parse with tools like dmarcian, parsedmarc, or EasyDMARC.
Do I need DMARC if I use SPF and DKIM?
Yes for protection of your visible From: domain, and yes for compliance with the Gmail/Yahoo 2024 sender requirements (which mandate p=none minimum for high-volume senders). SPF and DKIM individually authenticate envelope and signing domains; DMARC adds alignment with the visible From: header that users actually see, plus a published policy for handling failures. Without DMARC, an attacker can pass SPF for their own domain while spoofing your From: address.