Glossary

DMARC

Definition: Domain-based Message Authentication, Reporting and Conformance, a policy published in DNS that tells receiving mail servers what to do with messages that fail both SPF and DKIM (with alignment to the From header domain), and where to send reports about them.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication policy layered on SPF and DKIM. A message passes DMARC when either SPF or DKIM passes and the domain that passed aligns with the From header domain; when neither does, the policy tells the receiver what to do with the message, and the reporting addresses let the domain owner see who is sending mail as the domain, legitimately or not.

DMARC Record Example

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100"

DMARC Policy Values (p=)

  • p=none — Monitor only. Failing mail is delivered as normal; the receiver still sends reports.
  • p=quarantine — Treat failing mail as suspicious. In practice most receivers deliver it to the spam/junk folder.
  • p=reject — Refuse failing mail, usually at SMTP time. Strongest protection.

DMARC Alignment

DMARC introduces the concept of alignment: the domain in the message's From header (RFC5322.From) must match either the domain SPF authenticated (the envelope sender, RFC5321.MailFrom) or the domain in the DKIM signature's d= tag. In relaxed mode, the default (adkim=r, aspf=r), the two only need to share an organizational domain, so mail.example.com aligns with example.com; in strict mode (adkim=s, aspf=s) they must match exactly. Without alignment an attacker could send from a domain they control, pass SPF and DKIM for that domain, and still put the victim's domain in the From header that the recipient sees.
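The evaluation described above (record tags, the p= policy values, relaxed and strict alignment, and pct= sampling), as an added Python example that is not part of the original page or of any mail server's code. It assumes the organizational domain is simply the last two labels of a hostname, a simplification of the Public Suffix List lookup real implementations do; the domains, IPs and the rua address in the demo are constructed.

```python
"""Parse a DMARC TXT record and evaluate a message against it.

Added example, not from the page or any mail server's code. Evaluation
follows RFC 7489: a message passes DMARC when SPF or DKIM passed *and* the
domain that passed aligns with the RFC5322.From domain; otherwise the p=
policy applies, sampled by pct=.
"""
from dataclasses import dataclass

# Assumption: the organizational domain is the last two labels. Real
# implementations use the Public Suffix List (so example.co.uk works).
ORG_LABELS = 2
POLICIES = ("none", "quarantine", "reject")
# A message outside the pct= sample gets the next weaker policy.
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; ...' into a tag dict, validating what DMARC requires."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
        order.append(key.lower())
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return tags


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-ORG_LABELS:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= of a DKIM signature that verified


def evaluate_dmarc(record: dict, from_domain: str, auth: AuthResult, sample: int = 0) -> str:
    """Return 'pass' or the disposition to apply ('none', 'quarantine', 'reject').

    `sample` stands in for the receiver's random 0-99 draw used for pct= sampling."""
    spf_aligned = auth.spf_pass and aligned(from_domain, auth.spf_domain, record["aspf"])
    dkim_aligned = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = record["p"]
    return policy if sample < record["pct"] else FALLBACK[policy]


if __name__ == "__main__":
    # Constructed record and cases: a legitimate bounce subdomain, and a spoof
    # that passes SPF for the attacker's own domain while claiming example.com in From.
    rec = parse_dmarc_record("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100")
    legit = AuthResult(spf_pass=True, spf_domain="bounce.example.com", dkim_pass=False, dkim_domain="")
    spoof = AuthResult(spf_pass=True, spf_domain="attacker.example", dkim_pass=False, dkim_domain="")
    print(evaluate_dmarc(rec, "example.com", legit))  # pass (relaxed SPF alignment)
    print(evaluate_dmarc(rec, "example.com", spoof))  # quarantine
```

The spoof case is the one alignment exists for: SPF genuinely passes for attacker.example, but that domain does not align with example.com, so the message fails DMARC and the published policy applies. Switching the record to aspf=s makes the legitimate bounce.example.com sender fail too, which is why strict alignment needs a full inventory of sending subdomains before it is enabled.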

DMARC Reporting

  • Aggregate reports (rua) — XML reports, normally one per day from each receiving organisation, summarising authentication results and the disposition applied, grouped by sending IP. The main tool for monitoring.
  • Forensic reports (ruf), also called failure reports — A report about an individual message that failed. Less commonly used, and sent by few receivers, because they can expose message headers and content.

Rollout Strategy

  1. Start with p=none and collect aggregate reports for 2–4 weeks, long enough to catch infrequent senders such as monthly batch jobs.
  2. Fix any legitimate email flows that fail DMARC: add missing senders to the SPF record, enable DKIM signing with an aligned d= domain, and look at forwarded mail, which typically fails SPF and only passes through DKIM.
  3. Move to p=quarantine with pct=10 (quarantine 10% of failing mail; the rest falls back to none) and increase gradually.
  4. Move to p=reject once the reports show only abuse failing, again ramping pct if wanted (mail outside the sample falls back to quarantine).