What is DMARC?

Definition: DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy that tells receiving mail servers how to handle messages that claim to be from your domain but fail authentication. It works by checking whether a message aligns with either SPF (the sending server is authorized) or DKIM (the message is cryptographically signed by your domain), and then applies your policy—none, quarantine, or reject—to spoofed or unauthenticated mail. If you’re searching for what is DMARC, think of it as a public instruction manual in DNS that says, “Here’s how to verify us, and here’s what to do when a message doesn’t check out,” plus a reporting loop that shows you who’s sending in your name.

Why DMARC Matters Now

Email remains the workhorse of business—and the favorite costume of attackers. Brand impersonation leads to wire fraud, credential theft, and malware outbreaks. Meanwhile, mailbox providers are raising the bar for bulk and commercial senders: authenticate cleanly or expect the spam folder. Here’s the trap: teams enable SPF or DKIM on a few systems and assume they’re safe. They aren’t. Without alignment—and without a published DMARC policy—spoofers can still pass through gaps in forwarding, marketing tools, and delegated senders. Our view: DMARC is the difference between hoping your email is trusted and proving it, with the added benefit of visibility into every source that claims to be you.

For practical deliverability guidance, see our post Stop Wasting Emails: How to Make Sure Every Message Reaches the Inbox.

How DMARC Works (Policy → Alignment → Decision)

At a high level, DMARC adds a decision layer on top of SPF and DKIM:

  1. Publish policy in DNS. You create a TXT record at _dmarc.yourdomain.com that declares your policy (p=none|quarantine|reject) and where to send reports (rua= aggregate, ruf= forensic).
  2. Receiver evaluates messages. When a message arrives, the receiver checks SPF and DKIM.
  3. Check alignment. At least one must align with the visible From: domain:
    • SPF alignment: The domain in SPF (the “envelope-from”/Return-Path) must match the visible From domain (relaxed = same org domain; strict = exact match).
    • DKIM alignment: The d= domain in the DKIM signature must match the visible From domain (relaxed or strict).
  4. Apply policy. If neither aligned SPF nor aligned DKIM is present, the receiver follows your policy: monitor (none), send to spam (quarantine), or block (reject).
  5. Report back. Receivers send aggregate XML reports (RUA) showing pass/fail by source IP and domain, plus optional forensic (RUF) samples where allowed.

Key idea: DMARC does not replace SPF or DKIM—it coordinates them and gives receivers permission to act on failures with your explicit instructions.

The Record: Anatomy of a DMARC Policy

A typical policy looks like this:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; adkim=s; aspf=s; pct=100; sp=quarantine

  • p= — Policy for your organizational domain: none (monitor), quarantine (spam), or reject (block).
  • rua= / ruf= — Report URIs (aggregate and forensic). Start with rua and add ruf thoughtfully.
  • adkim= / aspf= — Alignment mode: r (relaxed, default) or s (strict).
  • pct= — Percentage of mail to which the policy applies (helpful during ramp-up).
  • sp= — Subdomain policy (e.g., apply a different policy to *.sub.yourdomain).
  • fo= — Forensic options (what failure types trigger ruf reports).

Start relaxed, then move to strict alignment when you’re confident your senders are standardized.
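To make the policy, alignment and decision steps above and the tags in this record concrete, here is a small evaluator in Python. It is an added example written for this article, not code from any DMARC library or mail receiver. It assumes the record being evaluated is the one published at the organizational domain (so a From: in a subdomain falls under sp=), it uses a deliberately naive "last two labels" rule for the organizational domain in place of the Public Suffix List, and the domains in it (yourdomain.com, mailvendor.example, forwarder.example) are placeholders.

```python
import random


def org_domain(domain: str) -> str:
    """Organizational domain under a deliberately naive rule: the last two labels.
    Real receivers consult the Public Suffix List; the shortcut is fine for the
    plain .com/.example names in this example, not for names like brand.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")     # policy applies to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): the authenticated domain must equal the From domain exactly.
    Relaxed (r): the two only need to share an organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_d,
             sampler=random.random):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the Return-Path domain SPF evaluated; dkim_d is the d= of a
    verified signature. The record is assumed to be the one published at the
    organizational domain, so a From: in a subdomain falls under sp=. sampler()
    returns a float in [0, 1) and stands in for the receiver's pct= sampling so
    the outcome can be made deterministic."""
    tags = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_pass and aligned(dkim_d, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"  # one aligned pass is enough
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    # pct= applies the policy to a sample of failing mail; the remainder gets
    # the next weaker disposition (reject -> quarantine, quarantine -> none).
    if sampler() * 100 >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    record = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; "
              "adkim=s; aspf=s; pct=100; sp=quarantine")
    # Vendor signs and sends as itself: authenticated, but not aligned -> reject
    print(evaluate(record, "yourdomain.com", True, "mailvendor.example",
                   True, "mailvendor.example"))
    # Forwarded mail: SPF broke, but our own DKIM signature still aligns -> pass
    print(evaluate(record, "yourdomain.com", False, "forwarder.example",
                   True, "yourdomain.com"))
    # Spoof of a subdomain with no authentication at all -> sp=quarantine
    print(evaluate(record, "notify.yourdomain.com", False, "", False, ""))
```

The three calls at the bottom reproduce the cases the text describes: a vendor that authenticates as itself fails even though SPF and DKIM both "pass", a forwarded message survives on aligned DKIM alone, and an unauthenticated subdomain is handled by sp= rather than p=. Swap aspf=s for the default r in the record and the bounce.yourdomain.com Return-Path case flips from fail to pass, which is the relaxed-versus-strict difference in one line.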

SPF, DKIM, and Alignment (Why “Pass” Isn’t Enough)

A message can “pass SPF” because a gateway relayed it—but if the domain that passed SPF doesn’t match your visible From, DMARC still fails. Similarly, a message can “pass DKIM” signed by a marketing vendor’s domain; if it’s not your domain in d=, DMARC alignment fails. DMARC requires at least one aligned pass. In practice, aligned DKIM is the most reliable path because it survives forwarding and list servers that break SPF.

Reports That Make You Smarter (RUA vs. RUF)

  • RUA (aggregate) reports: Daily XML summaries from receivers that show source IPs, sending domains, pass/fail counts, and why. These power your inventory of legitimate senders, highlight misconfigurations, and surface spoof attempts.
  • RUF (forensic) reports: Redacted copies of failed messages (where permitted). Useful for investigations but noisy and privacy-sensitive; many organizations skip or limit RUF.

You’ll need a tool or service to parse RUA XML into dashboards—otherwise, you’ll drown in files.
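As an added example of what that parsing step has to do, the Python below reads one aggregate (RUA) report and sorts each source into the three buckets the section above cares about: aligned, authenticated-but-unaligned (the vendor-signs-as-itself case), and unauthenticated (the spoof candidates). It is written for this article, not taken from any reporting tool. The report XML is constructed to match the RFC 7489 Appendix C schema, and its IPs, domains, selector names and counts are invented.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C schema. Every IP,
# domain, selector and count here is made up for the example.
SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>example-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>notify-2025</selector><result>pass</result></dkim>
      <spf><domain>bounce.yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>300</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailvendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>mailvendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_rua(xml_text: str) -> dict:
    """Summarize one aggregate report per source IP.

    policy_evaluated holds the *aligned* DMARC verdicts; auth_results holds the
    raw SPF/DKIM outcomes. Comparing the two is what separates a misconfigured
    vendor from an outright spoof. Reports arrive from third parties, so in
    production parse them with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        verdict = rec.find("row/policy_evaluated")
        aligned_pass = verdict.findtext("dkim") == "pass" or verdict.findtext("spf") == "pass"
        raw_pass = any(r.findtext("result") == "pass" for r in rec.findall("auth_results/*"))
        if aligned_pass:
            category = "aligned"
        elif raw_pass:
            category = "authenticated_unaligned"  # e.g. vendor signing with its own d=
        else:
            category = "unauthenticated"          # unknown sender or spoof attempt
        sources.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "disposition": verdict.findtext("disposition"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "category": category,
        })
    total = sum(s["count"] for s in sources)
    aligned_total = sum(s["count"] for s in sources if s["category"] == "aligned")
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": total,
        "aligned_pct": round(100 * aligned_total / total, 1),
        "sources": sources,
    }


if __name__ == "__main__":
    summary = summarize_rua(SAMPLE_RUA)
    print(f"{summary['domain']}: {summary['aligned_pct']}% of {summary['total']} messages aligned")
    for s in summary["sources"]:
        print(f"  {s['source_ip']:<16} {s['count']:>6}  {s['category']:<24} d={s['dkim_domain']}")
```

On this constructed report the aligned share is 77.9%, well short of the 95-99% the roadmap below asks for before quarantine; the 300 messages from the vendor IP are the fix-the-vendor work item, and the 40 unauthenticated messages are what enforcement will eventually block. Group the same output by dkim_domain over a few weeks of reports and the sender inventory writes itself.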

Implementation Roadmap (Practical and Phased)

You don’t need a moonshot. You need a clean inventory and a controlled ramp to enforcement.

  1. Inventory every sender. List all platforms that send “as” your domain: product, marketing, CRM, support, billing, HR, IT tools, scanners, even printers. Shadow senders are common.
  2. Standardize the From strategy. Decide which systems send from the organizational domain and which should use subdomains (e.g., notify.yourdomain.com, promos.yourdomain.com).
  3. Enable aligned DKIM per sender. Turn on DKIM and publish selectors under your domain so d=yourdomain.com (or your subdomain). Use unique selectors per platform.
  4. Harden SPF for each domain. Authorize only the real sending hosts. Keep records short and avoid excessive include: chains.
  5. Publish p=none. Start with monitoring plus rua=. Watch reports for 2–4 weeks. Fix DKIM/SPF alignment by sender until 95–99% of volume is aligned.
  6. Move to quarantine. Start with pct=20 and step up weekly (50 → 100) as you confirm alignment.
  7. Enforce with reject. When aligned volumes are stable and exceptions are resolved, switch to p=reject. Keep watching reports; new vendors will appear.
  8. Govern ongoing. Create a checklist for onboarding any new sender: DKIM selector, SPF entry, test, verify alignment, then go live.

Common Pitfalls (And How to Avoid Them)

Here’s the trap we see repeatedly: “We turned on DMARC and deliverability tanked.” That happens when teams jump straight to reject without aligning all senders. Other pitfalls:

  • SPF-only dependence. Forwarding and list servers break SPF. Always enable aligned DKIM.
  • Vendor-signed DKIM (d=vendor.com). Make vendors sign as your domain via a TXT/CNAME you publish.
  • Overlong SPF chains. Providers nesting include: records push you over the 10-lookup limit. Flatten or consolidate.
  • No subdomain policy. Attackers pivot to random.sub.yourdomain.com. Set sp=reject once your subdomains are covered.
  • Unmonitored reports. RUA to a dead mailbox means blind enforcement. Parse, visualize, act.
  • Inconsistent From domains. Marketing uses info@brand.com; product uses noreply@mail.brand.io. Standardize sender identity.
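The overlong-SPF pitfall is easy to check before it bites. The Python below counts the DNS-querying terms in an SPF record the way RFC 7208 does (include, a, mx, ptr, exists and redirect= each cost one of the ten; ip4, ip6 and all cost nothing) and follows include: chains recursively. It is an added example for this article, not any SPF library's code, and it resolves against an in-memory zone table rather than live DNS so it runs offline; every domain and address in that table is constructed.

```python
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed stand-in for DNS TXT lookups. The root record nests three vendors,
# two of which nest further; notify.yourdomain.com is the consolidated form.
ZONE = {
    "yourdomain.com": "v=spf1 mx include:_spf.mailvendor.example include:_spf.crm.example "
                      "include:spf.helpdesk.example -all",
    "_spf.mailvendor.example": "v=spf1 include:_netblocks1.mailvendor.example "
                               "include:_netblocks2.mailvendor.example "
                               "include:_netblocks3.mailvendor.example ~all",
    "_netblocks1.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.mailvendor.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_relay.crm.example ~all",
    "_relay.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "spf.helpdesk.example": "v=spf1 include:_eu.helpdesk.example ip4:203.0.113.128/25 ~all",
    "_eu.helpdesk.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "notify.yourdomain.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
}


def count_lookups(domain: str, zone: dict, path: tuple = ()) -> int:
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        # A missing record is a void lookup; receivers treat too many as permerror.
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name == "include":
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name in LOOKUP_MECHANISMS:
            total += 1  # a, mx, ptr, exists each cost one lookup
    return total


def over_limit(domain: str, zone: dict) -> bool:
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("yourdomain.com", "notify.yourdomain.com"):
        n = count_lookups(name, ZONE)
        print(f"{name}: {n} lookups {'OVER LIMIT' if n > SPF_LOOKUP_LIMIT else 'ok'}")
```

The root record spends eleven lookups and would produce permerror at strict receivers, which DMARC then counts as an SPF failure for every message. The subdomain record keeps the one vendor that needs include: and replaces the rest with the literal ranges, landing at four. Re-run the count whenever a vendor asks you to add an include, because their nesting, not yours, is usually what changes.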

Multi-Sender Reality (SaaS, Partners, and Delegation)

Most organizations send from multiple platforms. That’s fine—if each is configured to authenticate as you with aligned DKIM and vetted SPF. Use per-vendor DKIM selectors (e.g., s=promos-2025) and consider subdomains for high-volume or externally managed flows (billing.brand.com, promos.brand.com) so each stream can be tuned—and throttled—independently. When a vendor can’t sign as your domain, push for it or fence them off behind a subdomain with its own DMARC policy.

Security, Deliverability, and Brand (BIMI & Beyond)

DMARC is not just a deliverability lever; it’s a security control. Enforcing p=reject blocks look-alike traffic that would otherwise trick customers and staff. On the deliverability side, strong DMARC improves domain reputation and unlocks BIMI (brand logos in inboxes) with the right prerequisites. The bigger win is trust: customers learn that mail from your domain is either authentic—or rejected.

For the human side of getting emails to land and drive action, see Stop Wasting Emails: How to Make Sure Every Message Reaches the Inbox.

Metrics That Matter (Proving DMARC Is Working)

Executives don’t buy acronyms; they buy outcomes. Track:

  • Aligned volume % by sender and domain (target 98%+ at reject).
  • Spoofed attempts blocked (messages failing both SPF and DKIM under reject).
  • DKIM auth pass rate and SPF pass rate per sender.
  • Deliverability KPIs: inbox placement, bounce codes, complaint rates around policy changes.
  • Time-to-onboard a new sender (from request to aligned in production).

Tie improvements to risk reduction (blocked spoofs) and revenue (higher deliverability for marketing and product emails).

Governance & Runbook (Owning DMARC Long-Term)

DMARC succeeds when it’s part of your operating model:

  • RACI & ownership: Name owners for DNS, selectors, SPF management, and RUA monitoring.
  • Change control: No new sender goes live without DKIM/SPF alignment checks in a shared checklist.
  • Quarterly health checks: Sample messages from each sender; confirm dkim=pass and DMARC alignment; verify subdomain policy.
  • Incident response: If a DKIM key leaks or a vendor is compromised, rotate selectors immediately and tighten SPF; monitor RUA for drift.
  • Education: Train marketing, product, and IT on why From domains, selectors, and SPF records matter.
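The quarterly health check above comes down to reading the Authentication-Results header that your own gateway stamped on a sampled message and confirming three things: the signature verified, it was made with the selector you expect, and both identities align with the From domain. The Python below does exactly that. It is an added example for this article, not part of any mail gateway, and the two headers it parses are constructed (mx.receiver.example, notify.brand.com, mailvendor.example and the selector names are placeholders); the organizational-domain rule is the naive last-two-labels shortcut rather than the Public Suffix List.

```python
import re

# Constructed headers. The first is a healthy message from the notification
# stream; the second is a vendor that still signs and sends as itself.
GOOD = ("Authentication-Results: mx.receiver.example;\r\n"
        " dkim=pass (2048-bit key) header.d=notify.brand.com header.s=notify-2025 header.b=c2FtcGxl;\r\n"
        " spf=pass smtp.mailfrom=bounce.notify.brand.com;\r\n"
        " dmarc=pass (p=reject sp=reject dis=none) header.from=notify.brand.com")
BAD = ("Authentication-Results: mx.receiver.example;\r\n"
       " dkim=pass header.d=mailvendor.example header.s=k1;\r\n"
       " spf=pass smtp.mailfrom=bounce.mailvendor.example;\r\n"
       " dmarc=fail (p=reject dis=reject) header.from=brand.com")


def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (assumption for the example)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header: str):
    """Parse an RFC 8601 Authentication-Results header.

    Returns (authserv_id, {method: {"result": ..., "ptype.property": value}}).
    Folded lines and parenthesised comments are tolerated."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    body = re.sub(r"\([^)]*\)", " ", body)            # drop comments such as (p=reject)
    stanzas = [s.strip() for s in " ".join(body.split()).split(";")]
    results = {}
    for stanza in stanzas[1:]:                        # stanzas[0] is the authserv-id
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            prop, _, value = token.partition("=")
            entry[prop.lower()] = value
        results[method.lower()] = entry
    return stanzas[0], results


def health_check(header: str, from_domain: str, expected_selector: str,
                 trusted_authserv: str) -> dict:
    """The checks a quarterly review makes on one sampled message."""
    authserv, ar = parse_auth_results(header)
    dkim, spf, dmarc = ar.get("dkim", {}), ar.get("spf", {}), ar.get("dmarc", {})
    checks = {
        # Anyone can add an Authentication-Results header upstream; only the
        # stanza written by your own trusted gateway counts.
        "trusted_authserv": authserv == trusted_authserv,
        "dkim_pass": dkim.get("result") == "pass",
        "dkim_aligned": org_domain(dkim.get("header.d", "")) == org_domain(from_domain),
        "selector_expected": dkim.get("header.s") == expected_selector,
        "spf_aligned": spf.get("result") == "pass"
                       and org_domain(spf.get("smtp.mailfrom", "")) == org_domain(from_domain),
        "dmarc_pass": dmarc.get("result") == "pass",
    }
    checks["healthy"] = all(checks.values())
    return checks


if __name__ == "__main__":
    print(health_check(GOOD, "notify.brand.com", "notify-2025", "mx.receiver.example"))
    print(health_check(BAD, "brand.com", "notify-2025", "mx.receiver.example"))
```

Run against the vendor header, the output shows dkim_pass true but dkim_aligned, selector_expected and spf_aligned all false, which is the signature of a vendor that was onboarded without the checklist. The trusted_authserv check matters in incident work too: a message that carries a convincing dkim=pass from an authserv-id you do not operate should be treated as unverified.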

Implementation Example (From Monitoring to Enforcement)

A SaaS company consolidates marketing, product notifications, and support into three subdomains: promos.brand.com, notify.brand.com, support.brand.com. Each platform signs with aligned DKIM using dedicated selectors (promos-2025, notify-2025, support-2025). SPF is flattened for each subdomain to stay under the 10-lookup limit. The team publishes a root DMARC of p=none; sp=quarantine and watches RUA. After two weeks, they move promos.brand.com to p=quarantine pct=50, fix a misconfigured regional sender, and step to pct=100. Within a month, all domains sit at p=reject with aligned volumes above 99% and spoofed attempts dropping to near zero.

The Future of DMARC (Tighter Policies, Better Signals)

Expect mailbox providers to enforce authentication more strictly, especially for bulk senders, and to favor aligned DKIM. Adoption of Ed25519 keys for DKIM will reduce DNS bloat, and ARC (Authenticated Received Chain) will help preserve auth results across complex relays. The through-line remains: clear identity, aligned authentication, and explicit policy win the inbox.

Related Solutions

DMARC becomes far more effective when it’s embedded in a broader email and security stack. Secure Email Gateway (SEG) adds layered malware/phishing controls and policy enforcement in front of your users. Security Information and Event Management (SIEM) and a Security Operations Center (SOC) correlate DMARC failures with other identity and network signals for faster response. Governance, Risk and Compliance (GRC) systems track your DMARC/SPF/DKIM controls and evidence for audits. For suite hardening, Microsoft 365 and Google Workspace configuration baselines ensure signing order, routing, and transport rules don’t break alignment. Finally, Security Awareness Training (SAT) helps employees spot the rare phish that slips through—because technology plus trained people is what stops loss. When these elements align, DMARC isn’t just a DNS record; it’s a durable trust signal for your brand.

Frequently Asked Questions

Is DMARC the same as SPF or DKIM?
No. DMARC uses SPF/DKIM and adds an alignment test and a policy (none/quarantine/reject) for receivers to enforce.

Do I need both SPF and DKIM for DMARC to pass?
You need at least one aligned pass. In practice, aligned DKIM is the most reliable because it survives forwarding.

What does p=none actually do?
It tells receivers to monitor only and send reports—no enforcement. Use it during discovery and fix-up.

When should we move to p=reject?
After you’ve aligned all legitimate senders and monitored stable pass rates; ramp via quarantine and pct= first.

Should we use strict alignment (aspf=s, adkim=s)?
Start relaxed; move to strict when your From domains and signing are standardized to reduce spoofing room.

Do we need RUF (forensic) reports?
Optional. Many teams rely on RUA aggregates for privacy and volume reasons, using RUF only for targeted investigations.

The Next Move Is Yours

Ready to Make Your Next IT Decision the Right One?

Book a Clarity Call today and move forward with clarity, confidence, and control.