Guide
DMARC, explained — and how to set it up
DMARC is the record that actually stops people spoofing your domain. Here's how it works and how to roll it out safely.
Check your DMARC record →What it is
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS record that ties SPF and DKIM together. It tells receiving mail servers what to do when a message claims to be from your domain but fails authentication — and asks them to send you reports on everything sent in your name.
SPF and DKIM prove a message is legitimate; DMARC is the policy that says "if it isn't, reject it." It's the only one of the three that can actively stop impersonation.
Why it matters
Since February 2024, Google, Yahoo and Microsoft require bulk senders to publish a DMARC record — without one, your mail is far more likely to be filtered or rejected.
Without DMARC at enforcement, anyone can send email that looks exactly like it came from your domain: fake invoices, CEO-fraud, phishing aimed at your customers. A DMARC policy of quarantine or reject is what shuts that down.
How to set it up
- 1Get SPF and DKIM working first — DMARC relies on at least one of them passing and aligning with your domain.
- 2Publish a DMARC record at _dmarc.yourdomain.com starting with p=none. This monitors without affecting delivery.
- 3Add a rua= address so you receive the daily aggregate reports, then review them to find every legitimate sender.
- 4Once all your real senders pass, tighten the policy to p=quarantine, and finally p=reject — optionally using pct= to roll out gradually.
Record structure & options
A policy record that tells receivers what to do with mail that fails SPF/DKIM alignment, and where to send you reports about it.
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; adkim=s; aspf=s; pct=100
- v=DMARC1
- Version — always first, required.
- p=
- Policy (required): none = monitor only, quarantine = spam folder, reject = block. reject is the goal.
- sp=
- Separate policy for subdomains (defaults to p=).
- rua=mailto:
- Where daily aggregate reports are sent — the data that shows who's sending as you.
- ruf=mailto:
- Where per-message failure (forensic) reports go — many providers no longer send these.
- pct=
- Percentage of mail the policy applies to — use for a gradual rollout (e.g. pct=25).
- adkim= / aspf=
- Alignment strictness: r = relaxed (default), s = strict.
- fo= / ri=
- Forensic options, and report interval in seconds (default 86400 = daily).
Start at p=none to watch, then move to quarantine, then reject once your reports show all legitimate senders pass.
Common problems
- Why isn't DMARC stopping spoofing at p=none?
- p=none only monitors — it tells receivers to take no action. You have to move to p=quarantine and then p=reject for DMARC to actually block impersonation.
- Legitimate email is failing DMARC — why?
- Almost always an alignment problem: the domain in the visible From address doesn't match the domain that passed SPF or DKIM. Check the reports to see which sender fails, then fix its SPF include or DKIM signing.
- I published DMARC but get no reports.
- You need a rua= address, and mailbox providers only report on mail they actually receive from you — low-volume domains see fewer reports. Sending reports to a different domain also needs an authorisation record there.
Check it — then keep it healthy
Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.