DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email standard that tells receiving servers what to do when a message fails SPF or DKIM checks. It stops attackers from spoofing your domain, protects your brand, and sends you reports showing who sends mail as you.
What does DMARC actually do?
DMARC ties together two older checks, SPF and DKIM, and adds a policy plus reporting layer on top. It lets a domain owner publish a rule in DNS that instructs mailbox providers to quarantine or reject unauthenticated mail. Receivers then send back reports on every source using your domain.
Before DMARC, a receiving server could see that a message failed SPF, but it had no instruction from you about what to do next. Some filters dropped the mail, others let it through. The result was inconsistent, and spoofers took advantage. DMARC removes that guesswork. You state your preference once in a DNS TXT record, and compliant mailbox providers such as Gmail, Outlook, and Yahoo honor it.
The name spells out the job. Authentication verifies the sender. Reporting feeds you data. Conformance is the policy that enforces a decision. DMARC has been an open standard since 2015 and is now published by the overwhelming majority of large senders, from banks to retailers to SaaS platforms.
How DMARC alignment works with SPF and DKIM
Alignment is the piece that makes DMARC stronger than SPF or DKIM alone. SPF checks the envelope sender, the hidden Return-Path address. DKIM checks a cryptographic signature tied to a signing domain. Neither one looks at the From address your recipient actually sees. DMARC does. It requires that the domain in a passing SPF or DKIM check match the visible From domain.
That match is called alignment, and it comes in two modes. Relaxed alignment accepts subdomains, so mail.yourdomain.com aligns with yourdomain.com. Strict alignment demands an exact match. A message passes DMARC when at least one of SPF or DKIM both passes and aligns. If neither check passes and aligns, your published policy decides the outcome. This is why a message can pass raw SPF yet still fail DMARC: the domain SPF checked was not the domain in the From header. Getting alignment right is the whole game.
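The pass rule above is small enough to write down as code. The following is an added illustration, not code from the original article: it takes the raw SPF and DKIM verdicts together with the domains each check was performed on, applies relaxed or strict alignment against the visible From domain, and returns the DMARC verdict and disposition. The sample results are constructed, and the organizational-domain helper is a deliberate simplification (it keeps the last two labels instead of consulting the Public Suffix List).

```python
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    # Assumption: the organizational domain is approximated as the last two labels.
    # A production implementation must consult the Public Suffix List so that
    # "shop.example.co.uk" maps to "example.co.uk" rather than "co.uk".
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """True if auth_domain aligns with the visible From domain.

    mode "s" (strict) requires an exact match; mode "r" (relaxed) accepts any
    subdomain that shares the same organizational domain.
    """
    a = auth_domain.lower().strip(".")
    f = from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the recipient sees
    spf_result: str    # raw SPF verdict: "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom (Return-Path) domain that SPF checked
    dkim_result: str   # raw DKIM verdict
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r",
                   policy: str = "none") -> dict:
    """Apply the DMARC pass rule: at least one of SPF or DKIM must both pass
    its own check *and* align with the From domain. If neither does, the
    published policy (p=) becomes the disposition."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed sample results (not real mail). Legitimate message: the bounce
# address lives on a subdomain, and the DKIM signature is for the exact domain.
LEGITIMATE = AuthResults("example.com", "pass", "bounce.example.com",
                         "pass", "example.com")

# Constructed third-party message: raw SPF and DKIM both pass, but for the
# vendor's own domains, so nothing aligns with the visible From domain.
MISALIGNED = AuthResults("example.com", "pass", "esp-bounces.example.net",
                         "pass", "esp.example.net")

if __name__ == "__main__":
    for label, res in (("legitimate", LEGITIMATE), ("misaligned", MISALIGNED)):
        print(label, dmarc_evaluate(res, policy="reject"))
```

Run the block and the second case shows the trap the article describes: both raw checks say "pass", yet the DMARC verdict is "fail" and, under p=reject, the disposition is "reject". Switching `aspf="s"` on the legitimate case shows strict mode rejecting the subdomain bounce address while DKIM still carries the message through.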
What are the three DMARC policies?
DMARC supports three policies: none, quarantine, and reject. None only monitors and collects reports without affecting delivery. Quarantine sends failing mail to spam. Reject blocks it outright. Most domains start at none to gather data, then move to quarantine, then reject once legitimate sources pass.
| Policy tag | What receivers do | When to use it |
|---|---|---|
| p=none | Deliver as normal, just report | First 2 to 4 weeks of monitoring |
| p=quarantine | Send failing mail to spam | After legit sources authenticate |
| p=reject | Block failing mail outright | Full protection once alignment is clean |
Do not jump straight to reject. If a real sender such as your invoicing tool or your CRM is not authenticated yet, a strict policy will bury its mail in spam or bounce it. Start at none, watch the reports, bring every legitimate source into alignment, then enforce. Rushing enforcement causes more damage than no DMARC at all.
What do DMARC reports tell you?
DMARC reports come in two forms: aggregate and forensic. Aggregate reports are daily XML summaries listing every IP that sent mail using your domain, plus their SPF and DKIM results. Forensic reports capture individual failing messages. Together they show you who sends as you, real senders and impersonators alike.
Raw aggregate reports are dense XML, hard to read by eye. Most teams pipe them into a DMARC monitoring service that turns the data into a dashboard. You will quickly spot two things: sending services you forgot about, like a marketing platform or a help desk, and unfamiliar IPs trying to send as your domain. Both are worth acting on before you tighten your policy.
Reading reports is where DMARC pays off. You cannot fix impersonation you cannot see. Once you know every source, tightening the policy is safe.
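To make the "who sends as you" question concrete, here is an added example (not code from the original article) that parses an aggregate report in the RFC 7489 XML layout and sorts each source into one of three buckets: aligned, authenticated for some other domain (the forgotten vendor case), or not authenticated at all. The report itself is constructed for this example; the IPs come from documentation ranges and the organisation names are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 layout (not a real report).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <email>dmarc-noreply@mailbox-provider.example</email>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>88</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> str:
    """aligned: DMARC passed. misaligned: a raw check passed, but for a domain
    that does not align (typically a vendor you forgot to set up).
    unauthenticated: nothing passed at all (typically impersonation)."""
    ev = record.find("row/policy_evaluated")
    if ev is not None and "pass" in (ev.findtext("dkim", "fail"), ev.findtext("spf", "fail")):
        return "aligned"
    raw = record.findall("auth_results/dkim") + record.findall("auth_results/spf")
    if any(r.findtext("result") == "pass" for r in raw):
        return "misaligned"
    return "unauthenticated"


def summarize_report(xml_text: str) -> list:
    """One row per <record>, largest senders first."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "status": classify(rec),
        })
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def failing_volume(rows: list) -> int:
    """Messages that would be affected if the policy moved past p=none."""
    return sum(r["count"] for r in rows if r["status"] != "aligned")


def status_of(rows: list, ip: str) -> str:
    return next(r["status"] for r in rows if r["source_ip"] == ip)


if __name__ == "__main__":
    rows = summarize_report(SAMPLE_REPORT)
    for r in rows:
        print(f'{r["source_ip"]:>15} {r["count"]:>5} {r["status"]:<16} spf={r["spf_domain"]} dkim={r["dkim_domain"]}')
    print("would be affected by enforcement:", failing_volume(rows))
```

The "misaligned" bucket is the one to work through before tightening the policy: those sources are real senders that simply authenticate under their own domain, so they need a DKIM key or an SPF include for your domain. The "unauthenticated" bucket is what an enforcing policy will stop, and the `failing_volume` figure is the blast radius you accept when you move to quarantine or reject.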
DMARC keeps impostors from sending as your domain. Clean lists keep your real mail out of the spam folder. Before your next send, run your addresses through the Free Email Verifier to strip invalids, duplicates, and disposable domains, with your first checks needing no signup. If you would rather skip list building entirely, Synthisia books meetings for you using verified contacts.
Why DMARC matters for email delivery
DMARC does two jobs at once. It protects your brand from exact-domain spoofing, the kind of attack where a scammer sends invoices or password resets that appear to come from you. And it improves your own deliverability. Mailbox providers trust authenticated, aligned mail more, so a clean DMARC setup helps your legitimate campaigns reach the inbox instead of the spam folder.
There is also a compliance angle. Since 2024, Google and Yahoo require bulk senders, those pushing more than 5,000 messages a day, to publish a DMARC record. Miss it and your mail gets throttled or rejected. Authentication is now table stakes for anyone sending at volume, not an optional extra for security teams. Getting DMARC right is the difference between smooth delivery and a throttled domain.
Authentication is only half the delivery equation. DMARC proves the mail is really from you, but it says nothing about whether the addresses you send to actually exist. Sending to dead mailboxes drives up bounce rates, and high bounces hurt the same sender reputation DMARC is helping you build. Before a campaign, clean your list. The Free Email Verifier flags invalid syntax, duplicates, and disposable domains in your browser, then runs MX and SMTP-level checks on the rest, so you keep bounce rate under 2% and protect the reputation your DMARC record depends on.
How do you set up DMARC?
Setting up DMARC takes one DNS TXT record, but do it in order. First get SPF and DKIM passing for every sending source. Then publish a DMARC record at p=none to monitor. Read the reports for a few weeks, fix any gaps, and only then tighten to quarantine and reject.
- Inventory every service that sends mail as your domain: your mail platform, CRM, invoicing tool, marketing software, and help desk.
- Set up SPF and DKIM for each of those sources so they authenticate correctly.
- Publish a DMARC record at p=none, for example: v=DMARC1; p=none; rua=mailto:[email protected].
- Collect aggregate reports for two to four weeks and bring any missing sources into alignment.
- Raise the policy to p=quarantine, monitor again, then move to p=reject for full enforcement.
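Both the policy table above and these rollout steps come down to one TXT record and a rule about when to step it up. The following added example (not code from the original article) parses a DMARC record into its tags, checks it for the mistakes that make receivers ignore it or leave you without reports, and encodes the staged rollout rule: advance from none to quarantine to reject only when the reports show no legitimate source still failing alignment. The records and the reporting address are constructed placeholders.

```python
VALID_POLICIES = ("none", "quarantine", "reject")   # also the rollout order


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict. Unknown tags are
    kept, since RFC 7489 tells receivers to ignore rather than reject them."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc_record(txt: str) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    try:
        tags = parse_dmarc_record(txt)
    except ValueError as exc:
        return [str(exc)]
    # v=DMARC1 must be the first tag and match exactly, or receivers ignore the record.
    if txt.strip().split(";", 1)[0].strip() != "v=DMARC1":
        problems.append("record must start with exactly 'v=DMARC1'")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"].lower() not in VALID_POLICIES:
        problems.append(f"unknown policy {tags['p']!r}; use none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"rua entry is not a mailto: URI: {uri.strip()!r}")
    return problems


def next_policy(txt: str, unaligned_sources: int) -> str:
    """Staged rollout rule: step up to the next policy only once the reports
    show zero legitimate sources still failing alignment."""
    current = parse_dmarc_record(txt).get("p", "none").lower()
    if current not in VALID_POLICIES:
        raise ValueError(f"cannot plan rollout from unknown policy {current!r}")
    if unaligned_sources > 0 or current == "reject":
        return current
    return VALID_POLICIES[VALID_POLICIES.index(current) + 1]


# Constructed records; the reporting address is a placeholder, not a real mailbox.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
BROKEN_RECORD = "p=reject; v=DMARC1; adkim=x; pct=150"

if __name__ == "__main__":
    print(validate_dmarc_record(MONITOR_RECORD))
    print(validate_dmarc_record(BROKEN_RECORD))
    print(next_policy(MONITOR_RECORD, unaligned_sources=0))
```

The broken record is worth reading closely: it names p=reject, so it looks strict, but because v=DMARC1 is not the first tag a compliant receiver discards the whole record and the domain is effectively unprotected, and with no rua= tag the owner would never see that in a report. Feed `next_policy` the count of still-misaligned legitimate sources from your aggregate reports and it will refuse to advance until that count reaches zero.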
DMARC is not a one-time task. New tools get added, vendors change IPs, and reports need occasional review. Set a reminder to check yours each quarter. A DMARC record you set and forget drifts out of date, and a stale record can start blocking mail you actually want delivered. Pair steady authentication with a clean, verified list, and both your security and your delivery stay in good shape. Treat it as living infrastructure, not a checkbox.