DMARC Record
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties together SPF and DKIM to tell receiving mail servers what to do when an email fails authentication. It also sends you reports so you can see who is sending email using your domain.
What SecurityStatus Checks
- Whether a DMARC TXT record exists at _dmarc.yourdomain.com
- DMARC policy level — p=none (monitor only), p=quarantine, or p=reject
- Whether a reporting address (rua=) is configured to receive aggregate reports
- Alignment mode — strict vs relaxed for SPF and DKIM alignment
- Percentage setting (pct=) — what portion of failing mail the policy applies to
Why This Matters
DMARC is the only mechanism that ties email authentication directly to the visible From header that recipients see. Without DMARC, even a perfect SPF and DKIM setup can be bypassed because those checks happen on different parts of the email: SPF validates the envelope sender domain and DKIM validates the signing domain named in the signature, and neither has to match the From header. DMARC with p=reject is the gold standard for domain spoofing protection.
How to Fix It
1. Start with p=none to gather data
   Add this TXT record at _dmarc.yourdomain.com: `v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com`. This monitors without blocking anything. Use an email alias or a DMARC reporting service like Postmark or Dmarcian.
2. Analyse your DMARC reports
   After a week of data collection, review the aggregate reports. You will see which IPs are sending email from your domain and whether they are passing SPF and DKIM. Add any legitimate senders to your SPF record and set up DKIM for them.
3. Move to p=quarantine
   Once your reports show only legitimate senders passing auth, change to `p=quarantine; pct=25`. Start with 25% to test the impact, then increase to 100% over a few weeks.
4. Move to p=reject
   Once p=quarantine is stable at 100%, move to `p=reject`. This is the strongest policy — emails failing DMARC are rejected outright, not delivered to spam.
5. Add forensic reporting
   Optionally add `ruf=mailto:dmarc-forensic@yourdomain.com` for failure reports that include the actual failing message headers. Note that many providers have stopped sending ruf reports for privacy reasons.
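The checks listed under "What SecurityStatus Checks" and the rollout stages above can be verified against a record string before it is published. The following is an added example, not SecurityStatus's own code: the function names `parse_dmarc` and `audit_dmarc` are hypothetical, the record is passed in as text (no DNS lookup), and the sample record is constructed from the fragments in step 3.

```python
# Added example: audits a DMARC TXT record string; no DNS lookup is performed.
MODES = {"r": "relaxed", "s": "strict"}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt):
    """Return (summary, findings) covering policy, rua, alignment and pct."""
    # Receivers ignore a record whose first tag is not exactly v=DMARC1.
    if txt.split(";")[0].replace(" ", "") != "v=DMARC1":
        return None, ["not a DMARC record: first tag must be v=DMARC1"]
    tags, findings = parse_dmarc(txt), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports are not sent")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("invalid pct= value")
    elif pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"policy covers only {pct}% of failing mail")
    summary = {
        "policy": policy or None,
        "pct": pct,
        "has_rua": bool(tags.get("rua")),
        # Alignment defaults to relaxed (r) when adkim/aspf are absent.
        "dkim_alignment": MODES.get(tags.get("adkim", "r").lower(), "invalid"),
        "spf_alignment": MODES.get(tags.get("aspf", "r").lower(), "invalid"),
    }
    return summary, findings


# Constructed sample: the step 3 record from this page written out in full.
SAMPLE = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com"
if __name__ == "__main__":
    print(audit_dmarc(SAMPLE))
```

An empty findings list corresponds to the end state of step 4: `p=reject` applied to 100% of failing mail with a `rua=` address present.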
Frequently Asked Questions
What is DMARC alignment?
Does DMARC replace SPF and DKIM?
Will DMARC break my email?
What do the DMARC reports look like?