What Is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM. It tells receiving servers what to do when messages fail authentication checks and provides a reporting mechanism.
Prerequisites
- A valid SPF record published for your domain
- DKIM signing configured for outgoing mail
- An email address to receive DMARC reports
DMARC Record Format
Create a TXT record at _dmarc.example.com:
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1;
Policy Options
| Tag | Values | Meaning |
|---|---|---|
| p | none / quarantine / reject | Policy for failing messages |
| sp | none / quarantine / reject | Subdomain policy |
| pct | 0-100 | Percentage of messages to apply policy to |
| rua | mailto: URI | Aggregate report destination |
| ruf | mailto: URI | Forensic report destination |
| fo | 0, 1, d, s | Failure reporting options |
Recommended Rollout
- Monitor: Start with p=none and collect reports for 2-4 weeks
- Quarantine: Move to p=quarantine; pct=10 and gradually increase
- Reject: Once confident, set p=reject for full protection
Reading DMARC Reports
Aggregate reports (rua) arrive as XML files, typically daily. They show which IPs sent mail for your domain and whether messages passed SPF/DKIM alignment. Use tools like DMARC Analyzer or parsedmarc to make them readable.
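As an added example (not taken from DMARC Analyzer or parsedmarc), the following Python sketch tallies DMARC pass/fail message counts per sending IP from one aggregate report, which is the view needed before leaving p=none. It assumes the un-namespaced RFC 7489 report layout; the sample report, IP addresses, and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate layout (documentation IPs).
def _record(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name></report_metadata>"
    "<policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _record("192.0.2.10", 40, "pass", "pass")    # aligned on both mechanisms
    + _record("198.51.100.7", 5, "fail", "pass")   # SPF-aligned only, still passes DMARC
    + _record("203.0.113.99", 3, "fail", "fail")   # unauthenticated sender
    + _record("203.0.113.99", 2, "fail", "fail")   # same IP, second row
    + "</feedback>")

def summarize(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} counted in messages."""
    # Reports come from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in aggregate report")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", default="unknown").strip()
        count = int(row.findtext("count", default="0").strip())
        # policy_evaluated holds the alignment-aware DKIM and SPF results.
        dkim = row.findtext("policy_evaluated/dkim", default="fail").strip()
        spf = row.findtext("policy_evaluated/spf", default="fail").strip()
        # DMARC passes when at least one aligned mechanism passes.
        result = "pass" if "pass" in (dkim, spf) else "fail"
        totals[ip][result] += count
    return dict(totals)

def failing_sources(summary):
    """IPs with at least one DMARC-failing message: fix or investigate before enforcing."""
    return sorted(ip for ip, t in summary.items() if t["fail"] > 0)

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for ip, t in sorted(report.items()):
        print(f"{ip:15} pass={t['pass']:<4} fail={t['fail']}")
    print("failing sources:", failing_sources(report))
```

A source that appears only in the failing list is either a legitimate sender missing from SPF/DKIM or mail spoofing the domain; both need resolving before raising the policy.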