Resourcesarrow right
Inbox Warm-Up Agentarrow right
DMARC

DMARC

Learn how DMARC policies protect your domain from spoofing, and how to align SPF and DKIM for maximum inbox protection.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells inbox providers what to do when emails fail SPF or DKIM, and sends you reports about who is using your domain to send email.

What it is

DMARC is a policy you publish in DNS that connects SPF and DKIM and gives instructions: accept, quarantine, or reject emails that fail these checks.

Why it matters for deliverability

With DMARC, you protect your brand from spoofing and phishing, and improve deliverability by clearly telling inbox providers how to handle suspicious emails.

How it works

You create a DMARC TXT record on `_dmarc.yourdomain.com`. Receiving servers check SPF and DKIM. Based on your DMARC policy (none, quarantine, reject), they decide what to do with emails that do not align with your domain, and they can send you XML reports.

Example DMARC DNS record

Basic DMARC TXT record for `example.com`:

Host/Name: _dmarc.example.com

Type: TXT

Value: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; fo=1

  • `p=none` — only monitor, do not block.
  • `p=quarantine` — send failures to spam.
  • `p=reject` — block emails that fail DMARC.
Common problems
  • DMARC record missing completely, so mailbox providers have to guess your policy.
  • Policy set to `reject` too early, causing legitimate emails from tools like CRMs or support systems to be blocked.
  • DMARC record placed on the wrong host (for example, `example.com` instead of `_dmarc.example.com`).
  • Incorrect formatting such as missing semicolons or invalid tags.
  • No reporting address (`rua`) set, so you cannot see who is sending mail using your domain.
How to improve
  • Start with a relaxed policy like `p=none` to collect data without affecting delivery.
  • Review DMARC reports to find all services sending from your domain and make sure they use correct SPF and DKIM.
  • Gradually move from `p=none` to `p=quarantine` and then to `p=reject` as you gain confidence.
  • Add an aggregate report address (`rua`) to monitor activity: `rua=mailto:dmarc-reports@yourdomain.com`.
  • Keep your DMARC record simple and valid; only use tags you really need.
Best practices
  • Always publish at least a monitoring DMARC record (`p=none`) for each sending domain.
  • Use DMARC reports to detect unauthorized senders abusing your brand.
  • Align your visible From address with your SPF and DKIM domains to pass DMARC alignment.
  • Use a dedicated mailbox or DMARC-reporting tool to collect and analyze DMARC reports.
  • Update your DMARC policy when you add or remove email sending services.