DMARC: Domain-based Message Authentication

Email and Webmail | Updated March 2026

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when an email fails authentication — accept it, quarantine it, or reject it — and sends you reports about who is sending email from your domain. DMARC is now required by Google and Yahoo for bulk senders, and strongly recommended for everyone.

01. What Is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication standard defined in RFC 7489. It builds on top of SPF and DKIM to solve a problem that neither can solve alone: domain alignment.

SPF verifies that the sending server is authorized, but it checks the envelope sender (Return-Path), not the visible “From” address. DKIM verifies that the message was signed by an authorized key, but it doesn’t specify what to do if the signature fails. Neither one prevents an attacker from spoofing the “From” address that users actually see.

DMARC fixes this by adding two things:

  • Alignment — DMARC requires that the domain in the visible “From” address matches the domain that passed SPF or DKIM. This prevents attackers from using a legitimate sending server but forging the “From” address.
  • Policy — DMARC tells receiving servers what to do when alignment fails: do nothing (none), send to spam (quarantine), or reject the email entirely (reject).

DMARC also provides a reporting mechanism that sends you daily aggregate reports showing which IPs are sending email from your domain, and whether those emails are passing or failing authentication.

02. How DMARC Works

  1. An email arrives at the recipient’s mail server claiming to be from yourdomain.com.
  2. The server checks SPF and DKIM to see if either passes.
  3. The server checks alignment. For DMARC to pass, at least one of these must be true:
    • SPF passes and the envelope sender domain aligns with the “From” domain
    • DKIM passes and the signing domain aligns with the “From” domain
  4. The server looks up the DMARC record at _dmarc.yourdomain.com to find the domain owner’s policy.
  5. The server applies the policy. If DMARC passes, the email is delivered normally. If DMARC fails, the server follows the policy: none (deliver anyway), quarantine (send to spam), or reject (bounce the email).
  6. The server sends a report to the address specified in the DMARC record’s rua tag.

Either SPF or DKIM is enough. DMARC passes if either SPF or DKIM passes with alignment. Both don’t need to pass. This is important for forwarded email: SPF often breaks when email is forwarded, but DKIM survives, so DMARC can still pass on the strength of DKIM alone.
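
The decision in steps 2 to 5, sketched in Python as an added example (not code from the original article or from any mail server). It assumes the receiver has already computed the SPF and DKIM results; ORG_SUFFIXES is a constructed stand-in for the Public Suffix List, and the function names and scenario domains are hypothetical.

```python
# Added example (not from the original article): DMARC decision for one message.
# ORG_SUFFIXES is a constructed stand-in for the Public Suffix List.
ORG_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest known suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ORG_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a or not f:
        return False
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim, policy="none", adkim="r", aspf="r"):
    """spf and dkim are (result, domain) pairs already computed by the receiver.
    Returns (dmarc_result, action)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "spam", "reject": "bounce"}[policy]
    return "fail", action

# Constructed scenarios: (description, From domain, SPF, DKIM, extra settings)
SCENARIOS = [
    ("forged From, SPF passes for another domain", "yourdomain.com",
     ("pass", "bulk-sender.example"), ("none", ""), {"policy": "reject"}),
    ("forwarded mail, SPF broken, DKIM intact", "yourdomain.com",
     ("fail", "forwarder.example"), ("pass", "yourdomain.com"), {"policy": "reject"}),
    ("DKIM signed by a subdomain, strict mode", "yourdomain.com",
     ("fail", "forwarder.example"), ("pass", "mail.yourdomain.com"),
     {"policy": "quarantine", "adkim": "s"}),
]

if __name__ == "__main__":
    for desc, frm, spf, dkim, opts in SCENARIOS:
        print(desc, "->", evaluate(frm, spf, dkim, **opts))
```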

03. DMARC Record Syntax

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Here are the tags and what they mean:

Required tags:

  • v=DMARC1 — version identifier (always DMARC1)
  • p= — the policy for your domain. Values: none, quarantine, reject

Recommended tags:

  • rua=mailto:address@yourdomain.com — where to send aggregate reports (daily XML summaries)
  • ruf=mailto:address@yourdomain.com — where to send forensic reports (individual failure details; not all providers send these)
  • sp= — policy for subdomains (defaults to the p= value if not specified)
  • adkim= — DKIM alignment mode: r (relaxed, default) or s (strict)
  • aspf= — SPF alignment mode: r (relaxed, default) or s (strict)
  • pct= — percentage of messages the policy applies to (default 100). Useful for gradual rollout.

Example records:

Monitoring only (start here):

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Quarantine failures (send to spam):

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

Reject failures (strictest):

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s

Gradual rollout (apply quarantine to 25% of failing messages):

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com

Need help building a record? Use our DMARC Record Generator to create a correctly formatted DMARC record with the right policy and reporting settings for your domain.
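
To check a record before publishing it, the tag rules and defaults above can be applied in a few lines. This is an added example, not part of the original article or of any DMARC tool; parse_dmarc and the BAD record are constructed for illustration.

```python
# Added example (not from the original article): parse and check a DMARC TXT value.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return (record, problems); record holds effective values with defaults applied."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    problems, tags = [], {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
        else:
            problems.append(f"malformed tag: {part!r}")
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    record = {
        "p": policy,
        "sp": tags.get("sp", policy).lower(),     # subdomains default to p=
        "adkim": tags.get("adkim", "r").lower(),  # relaxed by default
        "aspf": tags.get("aspf", "r").lower(),
        "pct": tags.get("pct", "100"),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }
    if policy not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "sp" in tags and record["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for key in ("adkim", "aspf"):
        if record[key] not in ("r", "s"):
            problems.append(f"{key}= must be r or s")
    if record["pct"].isdigit() and int(record["pct"]) <= 100:
        record["pct"] = int(record["pct"])
    else:
        problems.append("pct= must be a whole number from 0 to 100")
    if not record["rua"]:
        problems.append("no rua= address, so no aggregate reports will arrive")
    if any(not u.lower().startswith("mailto:") for u in record["rua"]):
        problems.append("rua= addresses must start with mailto:")
    return record, problems

# The strict record from the article and a constructed broken one.
GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s"
BAD = "v=DMARC1; p=rejct; pct=150; rua=dmarc-reports@yourdomain.com"

if __name__ == "__main__":
    for txt in (GOOD, BAD):
        print(txt, "->", parse_dmarc(txt))
```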

04. Setting Up DMARC

Before setting up DMARC, make sure you have working SPF and DKIM records for your domain. DMARC builds on these — without them, DMARC has nothing to evaluate.

  1. Verify SPF and DKIM are working. In cPanel, go to Email → Email Deliverability and confirm both show green checkmarks for your domain.
  2. Add the DMARC record. In cPanel → Domains → Zone Editor, add a new TXT record:
    • Name: _dmarc.yourdomain.com
    • Type: TXT
    • Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
  3. Monitor reports. Over the next 2-4 weeks, review the aggregate reports to identify all legitimate sources sending email from your domain.
  4. Tighten the policy. Once you are confident all legitimate sources pass DMARC, change p=none to p=quarantine (sends failures to spam) or p=reject (blocks failures entirely).

Don’t start with p=reject. If you jump straight to reject without verifying that all legitimate email sources pass DMARC, you will block your own email. Always start with p=none, review reports, fix any alignment issues, then graduate to quarantine and eventually reject.

05. DMARC Policies: None, Quarantine, Reject

p=none

Monitor only. No action is taken on failing emails. Reports are still sent. Use this when first implementing DMARC to identify all sending sources without affecting delivery.

p=quarantine

Send to spam. Emails that fail DMARC are delivered to the recipient’s spam/junk folder. This protects recipients while giving you a safety net in case of misconfigurations.

p=reject

Strictest policy. Emails that fail DMARC are rejected entirely and never delivered. The sender receives a bounce notification. Use this once you are fully confident that all legitimate email passes DMARC.

Recommended rollout path:

  1. Start with p=none for 2-4 weeks
  2. Review reports and fix any SPF/DKIM alignment issues
  3. Move to p=quarantine; pct=25 (apply to 25% of failures)
  4. Increase to pct=50, then pct=100
  5. Once stable, move to p=reject

06. Understanding DMARC Reports

DMARC aggregate reports are XML files sent daily by major mail providers (Google, Yahoo, Microsoft, etc.) to the email address in your rua= tag. Each report shows:

  • Which IP addresses sent email from your domain
  • How many messages were sent from each IP
  • Whether SPF and DKIM passed or failed for each source
  • Whether alignment passed or failed
  • What policy was applied (none/quarantine/reject)

The raw XML can be hard to read. Free tools like Postmark’s DMARC Digests or dmarcian can parse and visualize your reports. You can also use a dedicated reporting address like dmarc-reports@yourdomain.com and review them periodically.

What to look for in reports: Focus on rows where DKIM or SPF shows fail. Check the sending IP — is it a server you recognize? If it’s a third-party service you use (Mailchimp, a CRM, a ticketing system), you need to add their SPF include: and set up their DKIM key. If it’s an IP you don’t recognize, someone may be spoofing your domain — which is exactly what DMARC is designed to catch.
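
The triage described above can be scripted. This added example (not from the original article or from any reporting tool) reads a decompressed aggregate report, totals the messages that failed DMARC per source IP, and marks which IPs you recognise. It assumes a report without an XML namespace; the sample report and its IPs are constructed.

```python
# Added example (not from the original article): list sources failing DMARC in a report.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report, trimmed to the fields used here; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>6</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.99</source_ip><count>14</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def failing_sources(xml_text, known_ips=()):
    """Map each source IP whose mail failed DMARC to its message count and
    whether the IP is one of your recognised senders."""
    # Reports come from outside parties and never need a DTD, so refuse one.
    if "<!doctype" in xml_text.lower():
        raise ValueError("aggregate reports need no DTD; refusing to parse")
    totals = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            totals[rec.findtext("row/source_ip")] += int(rec.findtext("row/count", "0"))
    return {ip: {"count": n, "recognised": ip in known_ips}
            for ip, n in totals.most_common()}

if __name__ == "__main__":
    # 198.51.100.99 stands in for a third-party service you use (assumption).
    for ip, info in failing_sources(SAMPLE_REPORT, {"198.51.100.99"}).items():
        print(ip, info)
```

A recognised IP in the output is a service that still needs SPF or DKIM set up; an unrecognised one is a candidate for spoofing.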

07. Verifying Your DMARC Record

After adding your DMARC record, verify it is correctly published:

Ultra Web Hosting DMARC Lookup Tool: Enter your domain at tools.ultrawebhosting.com/dmarc-lookup to see your published DMARC record, check the syntax, and verify the policy settings.

Send a test email: Send an email to Gmail, click the three dots → “Show original.” Look for dmarc=pass in the Authentication-Results header.

Command line:

dig TXT _dmarc.yourdomain.com +short

This should return your DMARC record starting with v=DMARC1.

08. Troubleshooting

  1. dmarc=fail in email headers. Either SPF and DKIM both failed, or neither one aligned with the “From” domain. Check that your SPF record includes the sending server and that DKIM is properly signing outgoing mail.
  2. Legitimate email going to spam after enabling quarantine. A sending source is failing DMARC alignment. Check reports to identify the source, then fix its SPF or DKIM setup. Consider rolling back to p=none temporarily.
  3. Third-party service emails failing DMARC. The service sends email “from” your domain, but its sending IP is not in your SPF record and/or it is not signing with DKIM using your domain. Add the service’s include: to your SPF record and set up their DKIM key in your DNS.
  4. Forwarded email failing DMARC. Email forwarding breaks SPF because the forwarding server’s IP is not in your SPF record. If DKIM is set up and the forwarding server does not modify the message, DMARC can still pass via DKIM alignment. This is why DKIM is essential.
  5. No reports received. Check that the rua= email address is correct and that the mailbox exists. Some smaller mail providers do not send DMARC reports. Reports from Google and Microsoft usually start arriving within 24-48 hours.
  6. Subdomain spoofing. If your DMARC record has p=reject but no sp= tag, subdomains inherit that policy by default. You can still set sp=reject explicitly to be sure. Attackers sometimes spoof subdomains like support.yourdomain.com to bypass domain-level DMARC.

DMARC Tools

Use our free tools to look up, verify, and generate DMARC records for your domain:

  • DMARC Lookup Tool
  • DMARC Record Generator

Quick Recap: DMARC Setup

  1. Set up SPF and DKIM first — DMARC requires both to be in place
  2. Start with p=none — monitor before enforcing
  3. Add the TXT record at _dmarc.yourdomain.com
  4. Review aggregate reports to find and fix alignment issues
  5. Gradually tighten from none → quarantine → reject