What Is DMARC and How Do I Set It Up the Right Way?
Email Deliverability

What Is DMARC and How Do I Set It Up the Right Way?

Muhammad Muhammad Ziauldin | | 7 min read | 0 Comments | 0 Views
Share:

Overview

DMARC, short for Domain-based Message Authentication, Reporting, and Conformance, is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when a message claiming to be from your domain fails authentication, and it sends you reports so you can see who is sending mail in your name.

This guide explains how DMARC builds on SPF and DKIM, what alignment means, the three policy options, how to read aggregate reports, and a safe rollout plan that takes you from monitoring to full protection without blocking your own legitimate email.

What is DMARC and why does it matter?

DMARC is a DNS record that gives receivers instructions and gives you visibility. Without it, SPF and DKIM can each pass or fail, but nothing tells a receiving server how to treat a failure, and nobody reports back to you. That gap is exactly what spoofers exploit.

With a DMARC record in place, you can instruct Gmail, Outlook, Yahoo, and every other major provider to quarantine or reject forged messages, and you receive daily reports showing every source sending email under your domain. This matters because domain spoofing is a common route for phishing, and major inbox providers now expect bulk senders to have a DMARC policy published.

How does DMARC build on SPF and DKIM?

DMARC does not replace SPF and DKIM, it sits on top of them and adds two things they lack: alignment and a policy. SPF checks whether the sending server is authorized. DKIM checks whether the message was signed and unchanged. DMARC then asks a further question that neither handles alone: does the domain that passed SPF or DKIM match the domain a human sees in the From address?

A message passes DMARC if it passes SPF or DKIM and the passing check is aligned with the visible From domain. You only need one of the two to pass and align, which is why keeping both configured gives you a safety net if one breaks in transit.

What is DMARC alignment?

Alignment means the domain verified by SPF or DKIM matches the domain in the From header that recipients actually read. This is the heart of DMARC, because spoofers often pass SPF using their own domain while displaying yours in the From line.

There are two alignment modes:

  • Relaxed alignment is the default and accepts a match at the organizational domain level. Mail from news.example.com aligns with example.com.
  • Strict alignment requires an exact match of the full domain. Only example.com aligns with example.com.

Most senders start with relaxed alignment because subdomains and email platforms are common, and strict mode can reject legitimate mail if you are not careful.

What are the three DMARC policies?

DMARC has three policy values, set with the p= tag, that tell receivers how to handle mail that fails authentication and alignment.

  • p=none means monitor only. Failing mail is still delivered, but you receive reports. This is the observation phase and it changes nothing for your recipients.
  • p=quarantine means send failing mail to spam or a holding area. This is a middle ground that protects users while you fine tune.
  • p=reject means block failing mail outright so it never reaches the inbox. This is full protection and the goal for most domains.

A basic record with a monitoring policy looks like this, published as a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

What are aggregate reports and the rua tag?

Aggregate reports are daily XML summaries that show every source sending email using your domain, and the rua tag is where you tell receivers to send them. Each report lists sending IP addresses, message counts, and whether they passed SPF, DKIM, and alignment.

Raw XML is hard to read, so most people forward these reports to a DMARC monitoring service that turns them into a readable dashboard. The reports are how you discover legitimate senders you forgot about, such as an invoicing tool or a support desk, before you turn on a strict policy that might block them. You can add a second address with rua=mailto:dmarc@yourdomain.com,mailto:reports@analyzer.com to send reports to both yourself and an analyzer.

How do I set up DMARC the right way?

The right way to set up DMARC is a staged rollout, not an instant jump to reject. Rushing to p=reject before you know all your senders is the fastest way to block your own newsletters and receipts. Follow this sequence over a few weeks.

  1. Confirm SPF and DKIM first. DMARC depends on both, so make sure each is published and passing before you begin. If you are unsure, verify all three records at once. Running a full authentication scan with an email deliverability platform like Mailthentic shows you at a glance whether SPF, DKIM, and DMARC are aligned and healthy.
  2. Publish p=none. Add the monitoring record with a rua address. Nothing changes for recipients, but reports start flowing.
  3. Read reports for two to four weeks. Identify every legitimate sending source and fix any that fail alignment by adding DKIM or adjusting SPF.
  4. Move to p=quarantine. Once your legitimate mail passes cleanly, tighten to quarantine, often with a percentage tag like pct=25 to apply it gradually.
  5. Move to p=reject. When quarantine causes no problems, raise it to reject and increase the percentage to 100. Your domain is now protected from spoofing.

Keep monitoring reports even after you reach reject, because new tools and vendors get added over time and each one needs to be aligned.

What do the tags in a DMARC record mean?

A DMARC record is a set of tags separated by semicolons, and each tag controls one part of the policy. Once you recognize them, reading and editing a record becomes straightforward. Here are the ones you will actually use:

  • v=DMARC1 declares the version and must come first. Without it the record is ignored.
  • p= sets the policy for your main domain: none, quarantine, or reject.
  • sp= sets a separate policy for subdomains. If you leave it out, subdomains inherit the p value.
  • rua= is the address that receives aggregate reports, written as a mailto link.
  • ruf= is the address for forensic reports on individual failures. Many providers no longer send these for privacy reasons, so rua is the one that matters.
  • pct= applies your policy to a percentage of failing mail, useful for a gradual rollout.
  • adkim= and aspf= set alignment mode to relaxed (r) or strict (s) for DKIM and SPF.

A fuller record putting several of these together might read: v=DMARC1; p=quarantine; sp=reject; pct=50; adkim=r; aspf=r; rua=mailto:dmarc@yourdomain.com. Start simple and add tags only as you need them.

Frequently asked questions

Do I need SPF and DKIM before DMARC?

Yes, DMARC relies on SPF and DKIM to work. DMARC checks the results of those two standards and adds alignment, so publishing a DMARC record without a working SPF or DKIM setup gives you reports but no reliable protection.

How long should I stay on p=none?

Stay on p=none for about two to four weeks, or long enough to see a full cycle of your sending. The goal is to identify every legitimate source in your reports before you enforce, so give slower monthly senders like billing systems time to appear.

Will DMARC hurt my email deliverability?

Done correctly, DMARC improves deliverability rather than harming it. A staged rollout that starts at monitoring means you fix problems before enforcing, and mailbox providers tend to trust domains with a published, enforced DMARC policy.

What does pct do in a DMARC record?

The pct tag applies your policy to only a percentage of failing mail. Setting pct=25 with quarantine means one in four failing messages is quarantined, which lets you test enforcement gradually before applying it to all mail.

Written by

Muhammad Ziauldin

Muhammad Ziauldin is an experienced software engineer based in Birmingham, specialising in Python, JavaScript, Django, REST APIs and SaaS development. He enjoys building scalable digital products and sharing practical insights about technology, software engineering and online business.

Comments (0)

No comments yet. Be the first to share your thoughts!

Leave a Comment

Your email address will not be published. Required fields are marked *

Newsletter

Stay Updated with Reedablez

Get the latest articles delivered straight to your inbox. No spam, ever.

Join 1,000+ readers. Unsubscribe anytime.