What DMARC policy should I start with?

Always start with p=none to monitor your email traffic without affecting delivery. Analyze DMARC reports for several weeks, fix any issues with legitimate senders, then gradually move to p=quarantine and finally p=reject.

What is DMARC alignment?

DMARC alignment requires the domain in the From: header to match the domain authenticated by SPF or DKIM. Relaxed alignment allows subdomains (mail.example.com aligns with example.com), while strict requires exact matches.

How do I get DMARC reports?

Add the rua= tag to your DMARC record with a mailto: address, like rua=mailto:dmarc@example.com. Receiving mail servers will send aggregate reports (usually daily XML files) showing email authentication results.

DMARC Record Email Auth

Q: What is a DMARC record?

A DMARC record is a DNS TXT record at _dmarc.yourdomain.com that defines what to do with emails that fail SPF and DKIM authentication. It can tell receivers to do nothing (p=none), quarantine (p=quarantine), or reject (p=reject) failing emails.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving servers what to do when authentication fails and provides reporting so you can monitor who's sending email using your domain.

Look Up DMARC Records

Check DMARC records for any domain using our free DNS lookup tool.

Look Up DMARC Records →

What Is a DMARC Record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that:

Defines policy — What should happen to emails that fail authentication (none, quarantine, reject)
Enables reporting — Where to send aggregate and forensic reports about email authentication
Specifies alignment — How strictly the From: domain must match SPF/DKIM domains

DMARC Record Format

DMARC records are always placed at _dmarc.domain.com:

Example DMARC Record

_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"

This record tells receivers to reject emails failing authentication and send aggregate reports to [email protected].

DMARC Tags

Tag	Required	Description
`v=DMARC1`	Yes	DMARC version (must be "DMARC1")
`p=`	Yes	Policy: none, quarantine, or reject
`rua=`	No	Aggregate report destination (mailto: URI)
`ruf=`	No	Forensic report destination (mailto: URI)
`pct=`	No	Percentage of messages to apply policy (default: 100)
`sp=`	No	Subdomain policy (defaults to p= value)
`adkim=`	No	DKIM alignment: r=relaxed (default), s=strict
`aspf=`	No	SPF alignment: r=relaxed (default), s=strict
`fo=`	No	Forensic report options (0, 1, d, s)
`ri=`	No	Aggregate report interval in seconds (default: 86400)

DMARC Policies

The p= tag defines what to do with failing emails:

p=none Monitor Only

Take no action on failing emails, but send reports. Use this to start monitoring before enforcement.

v=DMARC1; p=none; rua=mailto:[email protected]

p=quarantine Mark as Spam

Failing emails should be treated as suspicious (typically moved to spam folder).

v=DMARC1; p=quarantine; rua=mailto:[email protected]

p=reject Block Completely

Failing emails should be rejected outright. Maximum protection but requires careful testing first.

v=DMARC1; p=reject; rua=mailto:[email protected]

Start with p=none

Always start with p=none and analyze reports before moving to quarantine or reject. Jumping straight to reject can block legitimate email from misconfigured services.

How DMARC Authentication Works

For an email to pass DMARC, it must pass either SPF or DKIM with alignment:

SPF Check — Is the sending IP authorized by the domain's SPF record?
SPF Alignment — Does the envelope-from domain match the header From: domain?
DKIM Check — Is the DKIM signature valid?
DKIM Alignment — Does the DKIM signing domain match the header From: domain?

If either (SPF + alignment) OR (DKIM + alignment) passes, DMARC passes.

DMARC Alignment

Mode	Requirement	Example
Relaxed (r)	Domains must share organizational domain	mail.example.com aligns with example.com
Strict (s)	Domains must match exactly	example.com must match example.com

Common DMARC Configurations

1. Monitoring Mode (Start Here)

v=DMARC1; p=none; rua=mailto:[email protected]

2. Gradual Rollout (25% Quarantine)

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

3. Full Quarantine

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

4. Full Reject (Maximum Protection)

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]

5. Strict Alignment

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]

Understanding DMARC Reports

Aggregate Reports (rua)

Daily XML reports showing authentication results for all emails claiming to be from your domain. These reports help you identify:

Legitimate services you forgot to authorize
Misconfigured email systems
Spoofing attempts against your domain

Forensic Reports (ruf)

Individual reports for each failed email. These contain more detail but raise privacy concerns and many receivers don't send them. Use carefully.

DMARC Best Practices

Implement SPF and DKIM first — DMARC builds on these protocols. Get them working before adding DMARC.
Start with p=none — Monitor for several weeks before enforcing.
Use a DMARC reporting service — Raw XML reports are hard to read. Use a service to parse and visualize them.
Gradually increase enforcement — Move from none → quarantine (25%) → quarantine (100%) → reject.
Set subdomain policy — Use sp= to control subdomains, or they inherit the main policy.
Enable reports for all receiving domains — If using external report addresses, configure DMARC authorization records.

External Report Destinations

To send DMARC reports to an address outside your domain, the destination domain must authorize it:

<!-- If your DMARC has: rua=mailto:[email protected] -->
<!-- analyzer.com must have: -->
example.com._report._dmarc.analyzer.com.    TXT    "v=DMARC1"

Troubleshooting DMARC

Common issues and solutions:

Legitimate email failing DMARC — Check that all sending services are in your SPF and have DKIM configured.
Forwarded emails failing — Email forwarding breaks SPF. DKIM should still pass if the message isn't modified.
Mailing lists failing — Many mailing lists rewrite the From: header, breaking alignment. ARC helps with this.
Not receiving reports — Verify the rua address is valid and check spam folders. Some receivers don't send reports.
Policy not applied — Ensure the record is at _dmarc.yourdomain.com, not the root domain.

Check Your DMARC Record

Use our DNS Record Finder to look up and validate DMARC records for any domain.