DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.
It’s an email authentication protocol that helps protect your domain from email spoofing, phishing, and fraud, and it improves email deliverability.
What DMARC does (in simple terms)
DMARC tells receiving mail servers how to handle emails that claim to come from your domain but fail authentication checks.
It works on top of:
- SPF (Sender Policy Framework) – verifies the sending server
- DKIM (DomainKeys Identified Mail) – verifies the message hasn’t been altered
DMARC ties these together and adds policy + reporting.
How DMARC works
When an email is received:
- The server checks SPF
- The server checks DKIM
- DMARC checks whether at least one of SPF or DKIM passed and aligns with your domain
- Based on your DMARC policy, the email is:
  - Allowed
  - Sent to spam
  - Rejected outright
DMARC policies
You define a policy in your DNS record:
- p=none → Monitor only (no blocking)
- p=quarantine → Send failing emails to spam
- p=reject → Block failing emails completely
Example:
v=DMARC1; p=reject;
Why DMARC is important
- 🛡️ Prevents email spoofing and phishing
- 📬 Improves email deliverability
- 📊 Provides reports showing who is sending email on behalf of your domain
- 🏢 Required or strongly recommended by major providers (Google, Yahoo, Microsoft)
Example DMARC record
v=DMARC1; p=quarantine; rua=mailto:[email protected];
This means:
- Use DMARC version 1
- Quarantine emails that fail checks
- Send aggregate reports to [email protected]
