DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that builds on SPF and DKIM. It tells receiving servers what to do with mail that fails authentication — monitor, quarantine or reject — and sends you reports on who is using your domain.
DMARC is the policy layer that makes SPF and DKIM enforceable. It requires authentication to "align" with your visible From domain, instructs receivers how to handle failures, and provides reporting so you can see spoofing attempts and misconfigured senders.
Check your website
See how your site handles dmarc: the policy that ties email authentication together — free, no account needed.
For business owners
DMARC is what actually stops criminals from sending phishing emails that look like they come from your company. Major providers like Google and Yahoo now require it for bulk senders. Beyond protecting your brand and customers, a strong DMARC policy improves deliverability and gives you visibility into every service sending mail as you.
How it works (technical)
DMARC is a TXT record at _dmarc.yourdomain:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100
The policy p= is none (monitor only), quarantine (spam folder) or reject (block). DMARC passes only if SPF or DKIM passes and the authenticated domain aligns with the From header. rua receives aggregate reports; adkim/aspf set strict or relaxed alignment. Roll out gradually: start at p=none, read the reports, fix senders, then move to quarantine and finally reject.
Real-world example
A finance firm was targeted by invoice-fraud emails spoofing its domain. It deployed DMARC at p=none, used the aggregate reports to authorise its three legitimate senders, then escalated to p=reject. Spoofed mail was rejected at the receiving server and the fraud attempts stopped reaching customers.
Why it matters
DMARC turns SPF and DKIM into enforceable protection and is increasingly mandatory for bulk senders. Scanners check that a DMARC record exists and flag a weak p=none policy left in place indefinitely.
How to fix it
Ensure SPF and DKIM are working first — DMARC depends on them.
Publish a
TXTrecord at_dmarc.yourdomainstarting withv=DMARC1.Begin with
p=noneand aruareporting address to gather data safely.Use the reports to authorise every legitimate sender and fix alignment.
Escalate the policy to
quarantineand thenrejectonce clean.
Best practices
Treat
p=noneas a temporary monitoring phase, not a destination.Collect and review aggregate (rua) reports before enforcing.
Aim for
p=rejectwith strict alignment for full anti-spoofing protection.
Common mistakes
Publishing DMARC before SPF and DKIM are aligned, blocking legitimate mail.
Leaving the policy at
p=noneforever, so it never actually protects you.Ignoring the reports that reveal misconfigured or unauthorised senders.
Frequently asked questions
What does DMARC alignment mean?
The domain authenticated by SPF or DKIM must match the domain in the visible From header. Alignment is what stops attackers passing SPF/DKIM on their own domain while spoofing yours.
Should I start with p=reject?
No. Start at p=none to monitor, fix any legitimate senders using the reports, then escalate to quarantine and reject to avoid blocking your own mail.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free