DMARC (Domain-based Message Authentication)
An email protocol that builds on SPF and DKIM to prevent email spoofing.
DMARC tells receiving mail servers what to do when a message fails authentication, meaning neither SPF nor DKIM produces a pass for a domain aligned with the From address. It also provides reporting so you can monitor authentication results.
DMARC Policy Options:
- p=none: Monitor only, take no action (start here)
- p=quarantine: Send failing emails to spam
- p=reject: Block failing emails entirely
DMARC Record Structure:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Key DMARC Tags:
- v=DMARC1: Version (required)
- p=: Policy for domain (required)
- sp=: Policy for subdomains
- rua=: Email address for aggregate reports
- ruf=: Email address for forensic reports
- pct=: Percentage of messages the policy is applied to
Recommended Rollout:
Phase 1 (Monitor):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Run for 4-6 weeks, review reports.
Phase 2 (Quarantine):
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com
Apply to 50% of traffic, monitor.
Phase 3 (Reject):
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Full protection achieved.
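Added example (not part of the original glossary entry): a small Python checker that parses a DMARC TXT value into the tags listed above and reports which rollout phase it corresponds to. The function names are hypothetical, and treating a missing pct= as 100 follows the DMARC specification rather than this page.

```python
# Added example: parse and sanity-check a DMARC TXT value (not from the original page).
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(value):
    """Split a DMARC TXT value into a {tag: value} dict, keeping tag order."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = val.strip()
    return tags


def check_dmarc(value):
    """Return (rollout_phase, problems) for one DMARC record value."""
    tags = parse_dmarc(value)
    problems = []
    names = list(tags)
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # assumption from the spec: pct defaults to 100
    if not pct.isdecimal() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
        pct = "100"
    if "rua" not in tags:
        problems.append("no rua=: aggregate reports will not be delivered")
    phase = {"none": "monitor", "quarantine": "quarantine",
             "reject": "reject"}.get(policy, "invalid")
    if phase in ("quarantine", "reject") and int(pct) < 100:
        phase += f" (partial, {pct}% of messages)"
    return phase, problems


if __name__ == "__main__":
    # Sample records are the three rollout phases shown above.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                   "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"):
        print(check_dmarc(record))
```

Running it against a record before publishing catches a missing rua= or a mistyped policy, either of which would otherwise only surface as missing reports or an ignored record.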
Why It Matters
DMARC is the final piece of email authentication. It provides clear instructions for handling failures and gives you visibility into who's sending email using your domain—legitimate or not.
Practical Example
With DMARC set to p=reject, if a spammer tries to send email pretending to be from your domain, the receiving server will reject it outright because it fails SPF/DKIM checks.