What is DMARC?

DMARC lets you tell receiving mail servers what to do with email that fails authentication (neither SPF nor DKIM passes with alignment), and gives you reports on who is sending email using your domain.

How DMARC works

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on top of SPF and DKIM. It adds two things: a policy for handling failing messages, and a reporting mechanism.

DMARC also introduces alignment: the domain in the visible From: header must align with the domain that passed SPF or DKIM. SPF on its own checks only the envelope sender domain, so a message can pass SPF while showing a forged From: header. Alignment closes that gap.

DMARC policies: none, quarantine, reject

DMARC has three policy levels set with the p= tag:

p=none — Monitoring only. Failing messages are delivered normally. Reports are sent but no action is taken. Use this during initial deployment.

p=quarantine — Failing messages are moved to the spam or junk folder.

p=reject — Failing messages are rejected at the SMTP level before delivery. This is the strongest protection and your long-term goal.

Why p=none is only monitoring

Many domains stop at p=none, believing they are protected. They are not. A DMARC record with p=none tells receiving servers to do nothing — failing messages still reach the inbox.

p=none is a starting point. Collect aggregate reports (rua=) to identify all sources sending email on your behalf. Once you are confident every legitimate sender passes SPF or DKIM with alignment, move to p=quarantine and then p=reject.

DMARC alignment

DMARC alignment requires that the domain in the From: header matches the domain authenticated by SPF or DKIM.

Relaxed alignment (the default, adkim=r / aspf=r) allows organisational domain matches — mail from mail.example.com can pass alignment for example.com.

Strict alignment (adkim=s / aspf=s) requires an exact domain match.
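
The policy and alignment rules above, combined into one receiver-side evaluation. This is an added example, not code from the original page or from MXFend. The function names, sample records and domains are constructed for illustration, and org_domain assumes the organisational domain is the last two labels, whereas real receivers use the Public Suffix List.

```python
# Added example: simplified DMARC evaluation (ignores the sp= and pct= tags).
POLICIES = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict and apply alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # ASSUMPTION: last two labels. Wrong for suffixes such as co.uk;
    # a real implementation consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed compares organisational domains."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf=None, dkim=None):
    """spf and dkim are (result, authenticated_domain) tuples, or None.
    Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", POLICIES[tags["p"]]

# Constructed sample records
RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # SPF passes, but for a domain unrelated to the visible From: domain.
    print(evaluate(RELAXED, "example.com", spf=("pass", "unrelated.test")))
    # The same subdomain DKIM signature under relaxed, then strict, alignment.
    print(evaluate(RELAXED, "example.com", dkim=("pass", "mail.example.com")))
    print(evaluate(STRICT, "example.com", dkim=("pass", "mail.example.com")))
    # p=none: the message fails DMARC and is still delivered.
    print(evaluate(MONITOR, "example.com", spf=("pass", "unrelated.test")))
```

The last case is the one from "Why p=none is only monitoring": the evaluation result is fail, yet the disposition is still deliver.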

How to check your DMARC record

Use MXFend's free DMARC Checker to verify your DMARC record exists, check the policy level, and identify configuration issues.

Frequently asked questions

Is DMARC p=none enough?

No. p=none is monitoring only. It does not ask receivers to quarantine or reject failing messages.

Should I use p=quarantine or p=reject?

Start with p=none, review reports, move to p=quarantine, and then use p=reject when legitimate senders are aligned.

Does DMARC require SPF and DKIM?

DMARC relies on SPF or DKIM passing with alignment. In practice, domains should configure both.

What is DMARC alignment?

Alignment means the authenticated SPF or DKIM domain matches the visible From domain.