What is DMARC? Policy, Setup & Reporting Explained

Learn how DMARC works with SPF and DKIM to protect your domain. Understand DMARC policies (none, quarantine, reject), how to set up a DMARC record, and read reports.

Updated December 20, 2025

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to protect your domain from email spoofing and phishing.

While SPF and DKIM authenticate emails, DMARC tells receiving servers what to do when authentication fails and provides reports about your email authentication status.

How DMARC Works

DMARC adds a policy layer on top of SPF and DKIM. Here's how it works:

1. Email Authentication

When an email is received, the server first checks SPF and DKIM authentication. At least one of these must pass for DMARC to pass.

2. Alignment Check

DMARC checks if the domain in the "From" header aligns with the domain that passed SPF or DKIM. This is called "identifier alignment."

3. Policy Application

If authentication and alignment pass, the email is delivered. If they fail, the receiving server follows your DMARC policy: none (monitor only), quarantine (send to spam), or reject (block completely).

4. Reporting

Receiving servers send daily reports to your specified email address, showing authentication results for all emails claiming to be from your domain.
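
The authentication, alignment and policy steps above can be modelled in a few lines. This is an added Python example, not code from the original page; the message fields, the function names and the small suffix set standing in for the Public Suffix List are assumptions, and the pct and sp tags are not modelled.

```python
# Added example: a simplified model of DMARC evaluation for one message.
# Assumption: this tiny constructed set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}
DISPOSITION = {"none": "deliver", "quarantine": "spam", "reject": "block"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(from_domain, auth_domain, mode="r"):
    """'s' (strict) needs an exact match; 'r' (relaxed) compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(msg, policy):
    """Return (dmarc_result, action) for a message dict under a policy dict."""
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["header_from"], msg["mail_from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["header_from"], msg["dkim_d"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", DISPOSITION[policy["p"]]

# Constructed messages. SPF passes for the envelope domain in each case.
MISALIGNED = {"header_from": "yourdomain.com", "mail_from": "bounce.other-sender.net",
              "spf": "pass", "dkim": "none", "dkim_d": ""}
VIA_ESP = {"header_from": "news.yourdomain.com", "mail_from": "bounce.other-sender.net",
           "spf": "pass", "dkim": "pass", "dkim_d": "yourdomain.com"}

if __name__ == "__main__":
    print(evaluate(MISALIGNED, {"p": "quarantine"}))         # SPF pass, wrong domain
    print(evaluate(VIA_ESP, {"p": "reject"}))                # relaxed DKIM alignment
    print(evaluate(VIA_ESP, {"p": "reject", "adkim": "s"}))  # strict: subdomain fails
```

The first message shows why alignment matters: SPF alone passes, but for a domain unrelated to the one in the From header, so DMARC still fails.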

DMARC Requires SPF or DKIM

DMARC doesn't work alone—you must have SPF and/or DKIM configured first. DMARC builds on these protocols to provide policy enforcement and reporting.

DMARC Record Syntax

A DMARC record is a TXT record published at _dmarc.yourdomain.com. Here's an example:

Example DMARC Record
_dmarc.yourdomain.com  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100; adkim=r; aspf=r"

# Breaking down the components:
# v=DMARC1                           -> DMARC version
# p=quarantine                       -> Policy (none, quarantine, or reject)
# rua=mailto:dmarc@yourdomain.com   -> Aggregate report email
# ruf=mailto:forensic@yourdomain.com -> Forensic report email
# pct=100                            -> Percentage of mail to apply policy (100%)
# adkim=r                            -> DKIM alignment mode (r=relaxed, s=strict)
# aspf=r                             -> SPF alignment mode (r=relaxed, s=strict)

DMARC Policy Tags

| Tag | Description | Required |
|-----|-------------|----------|
| v | DMARC version (always DMARC1) | Yes |
| p | Policy: none, quarantine, or reject | Yes |
| rua | Aggregate report email address | Recommended |
| ruf | Forensic report email address | Optional |
| pct | Percentage of mail to filter (0-100) | Optional |
| sp | Policy for subdomains | Optional |
| adkim | DKIM alignment: r (relaxed) or s (strict) | Optional |
| aspf | SPF alignment: r (relaxed) or s (strict) | Optional |
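
A record can be checked against the tags in this table before it is published. The following Python linter is an added example, not part of the original page; the function name and messages are assumptions, and the defaults it fills in for omitted tags (pct=100, relaxed alignment, sp inheriting p) are the ones defined in RFC 7489.

```python
# Added example: lint the value of a DMARC TXT record.
POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # defaults from RFC 7489

def lint_dmarc(txt):
    """Return (effective_settings, problems) for the value of a DMARC TXT record."""
    tags = [tuple(s.strip() for s in part.split("=", 1))
            for part in txt.split(";") if "=" in part]
    rec, problems = {}, []
    for name, value in tags:
        if name in rec:
            problems.append(f"duplicate tag: {name}")
        rec.setdefault(name, value)  # keep the first occurrence
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if rec.get("p") not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in rec and rec["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if rec.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag} must be r or s")
    pct = rec.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in rec.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} address should be a mailto: URI: {uri}")
    if "rua" not in rec:
        problems.append("no rua tag: aggregate reports will not be sent")
    effective = {**DEFAULTS, **rec}
    effective.setdefault("sp", effective.get("p"))  # subdomains inherit p
    return effective, problems

# The example record from this page, and a constructed faulty one.
PAGE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; "
               "ruf=mailto:forensic@yourdomain.com; pct=100; adkim=r; aspf=r")
FAULTY_RECORD = "p=reject; v=DMARC1; pct=150; adkim=x"

if __name__ == "__main__":
    for record in (PAGE_RECORD, FAULTY_RECORD):
        settings, issues = lint_dmarc(record)
        print(settings.get("p"), settings.get("sp"), issues)
```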

Understanding DMARC Policies

DMARC offers three policy levels. You should implement them progressively:

1. p=none (Monitor Mode)

No action is taken on failed emails—they're still delivered. Use this initially to monitor your email authentication without affecting delivery.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Best for: Initial setup, gathering data, testing configuration

2. p=quarantine (Quarantine Failed Mail)

Emails that fail authentication are sent to spam/junk folders. This is a good middle ground that protects your domain while minimizing delivery issues.

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Best for: After monitoring, when you're confident in your setup

3. p=reject (Block Failed Mail)

Emails that fail authentication are completely rejected and not delivered. This provides maximum protection but requires that every legitimate sending source is correctly authenticated.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

Best for: Mature implementations with complete authentication coverage

Progressive Implementation

Always start with p=none and monitor for at least 2-4 weeks. Review DMARC reports, fix any authentication issues, then gradually move to p=quarantine and finally p=reject.

How to Set Up DMARC

1. Ensure SPF and DKIM are Working

DMARC requires either SPF or DKIM (or both) to be configured. Verify these are working before implementing DMARC.

2. Create a Mailbox for Reports

Set up an email address to receive DMARC reports (e.g., dmarc@yourdomain.com). These reports can be large and frequent, so use a dedicated mailbox.

3. Create Your DMARC Record

Start with a monitoring-only policy:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

4. Add to DNS

Add the DMARC record as a TXT record at _dmarc.yourdomain.com

5. Monitor Reports

Review DMARC reports for 2-4 weeks. Look for failed authentications and identify any legitimate sources that need SPF/DKIM configuration.

6. Gradually Increase Policy

Once confident, update to p=quarantine, monitor again, then move to p=reject if desired.
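
For the monitoring step, aggregate reports can be summarised by source before the policy is tightened. This Python sketch is an added example, not code from the original page: the sample report is constructed in the RFC 7489 aggregate-report XML layout, the function names and the known-sender inventory are assumptions, and the report is assumed to be already decompressed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row><identifiers><header_from>yourdomain.com"
       "</header_from></identifiers></record>")
SAMPLE_ROWS = [("192.0.2.10", 120, "pass", "pass"),
               ("198.51.100.7", 40, "fail", "pass"),
               ("203.0.113.5", 15, "fail", "fail"),
               ("203.0.113.5", 5, "fail", "fail")]
SAMPLE_REPORT = "<feedback>" + "".join(
    ROW.format(ip=ip, n=n, dkim=d, spf=s) for ip, n, d, s in SAMPLE_ROWS) + "</feedback>"

def summarize(report_xml):
    """Return (total_messages, {source_ip: failing_count}) for one aggregate report."""
    # Reports come from outside parties: refuse DTDs so entity
    # definitions are never processed.
    if "<!DOCTYPE" in report_xml.upper():
        raise ValueError("DTD not allowed in DMARC report")
    total, failing = 0, Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue
        count = int(row.findtext("count", "0"))
        total += count
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failing[row.findtext("source_ip")] += count
    return total, dict(failing)

def needs_fixing(report_xml, known_senders):
    """Failing sources that appear in your own sender inventory (hypothetical set)."""
    _, failing = summarize(report_xml)
    return {ip: n for ip, n in failing.items() if ip in known_senders}

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(needs_fixing(SAMPLE_REPORT, {"192.0.2.10", "203.0.113.5"}))
```

Failing sources that are in your inventory need SPF or DKIM fixed before moving to p=quarantine; failing sources you do not recognise are the mail the stricter policy is meant to stop.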

Frequently asked questions

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to protect your domain from spoofing and phishing. It tells receiving mail servers what to do when an email fails authentication checks—none (monitor), quarantine (spam), or reject (block)—and provides detailed reports about who is sending email using your domain.

What is a DMARC policy?

A DMARC policy (the "p=" tag) determines how receiving mail servers handle emails that fail authentication. p=none means monitor only and take no action; p=quarantine sends failed emails to spam; p=reject completely blocks failed emails. Start with p=none to gather data, then progressively tighten to quarantine and reject as you confirm all your legitimate senders are properly authenticated.

What does p=reject mean in DMARC?

p=reject is the strictest DMARC policy. Emails that fail DMARC authentication are completely rejected and not delivered to the recipient. This provides maximum protection against phishing and spoofing, but requires that all your legitimate email sources (newsletters, CRMs, transactional tools) are properly configured with SPF and DKIM before enabling it.

How do I add a DMARC record?

Add a TXT record in your DNS with the name _dmarc.yourdomain.com. Start with a monitoring-only value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This records email activity without affecting delivery. After reviewing reports for 2-4 weeks and confirming your SPF and DKIM setup, gradually strengthen to p=quarantine then p=reject.

Is DMARC required for email deliverability?

Since February 2024, Google and Yahoo require DMARC authentication (with at least p=none) for bulk senders sending more than 5,000 emails per day to Gmail or Yahoo addresses. While not strictly required for smaller senders, implementing DMARC is strongly recommended for all domains to improve deliverability, prevent phishing, and meet industry best practices.