Email Authentication

DMARC — Domain-based Message Authentication

Policy that tells receivers what to do with emails that fail SPF/DKIM checks.


What is DMARC

DMARC sits on top of SPF and DKIM and tells receivers one thing: "if these fail, here is what I want you to do with the email".

Additionally, DMARC sends you reports (aggregate and forensic) with statistics about who is sending emails as "you" — extremely useful for discovering unauthorised use of your domain or legitimate services you forgot to authorise.

DMARC policies

  • p=none — monitoring only, no action taken. Good for getting started.
  • p=quarantine — send failures to the spam folder.
  • p=reject — reject them outright. The goal after monitoring.

Example DMARC record

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100; aspf=s; adkim=s"

Fields:

  • v=DMARC1 — version
  • p=quarantine — policy for the main domain
  • rua=mailto:... — where aggregate reports are sent (XML, daily)
  • pct=100 — apply to 100% of messages
  • aspf=s, adkim=s — strict alignment (the From: domain must match exactly)

Alignment — the most misunderstood part

It is not enough for SPF/DKIM to pass for some domain — it must pass for the same domain that appears in the From: header. This is called alignment.

  • Strict (s): exact match (example.com == example.com)
  • Relaxed (r): subdomains are allowed (mail.example.com aligns with example.com)

Recommended adoption path

  1. Weeks 1–4: p=none + rua. Collect reports.
  2. Months 2–3: analyse and fix any legitimate senders that are failing.
  3. Month 4: p=quarantine; ramp up gradually with pct=10, then pct=50, then pct=100.
  4. Month 6+: p=reject and you have full protection against spoofing.
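The alignment rules and the pct ramp described above, as an added worked example (not part of the original page): a small evaluator that parses a DMARC TXT record, checks strict/relaxed alignment of the SPF and DKIM domains against the From: domain, and applies the policy with pct sampling as RFC 7489 specifies. The organisational-domain helper is a simplification (last two labels instead of the Public Suffix List); the `sample` parameter is an assumption added so the pct logic is deterministic.

```python
import random
from typing import Dict, Optional

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=quarantine; ...' into a lowercase tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: real DMARC uses the Public Suffix List; here the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str],
                      sample: Optional[int] = None) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    spf_pass_domain: the domain SPF passed for (MAIL FROM), or None if SPF failed.
    dkim_pass_domain: the d= of a DKIM signature that verified, or None."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned, passing mechanism is enough
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    # pct: a message outside the sampled share gets the next less severe policy
    roll = random.randint(1, 100) if sample is None else sample
    if roll > pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy
```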

DMARC is also a prerequisite for BIMI — if you want your logo to appear in Gmail, you need p=quarantine or p=reject.
