What is DMARC?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've set up SPF. You've set up DKIM. Someone still sends phishing emails that look like they're from you, because neither SPF nor DKIM check whether the signing or sending domain actually matches what your recipients see in the "From" header. That's the gap DMARC fills.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy layer that sits on top of SPF and DKIM. It does two things: alignment and policy.
Alignment means DMARC checks whether the domain in your SPF result or DKIM signature actually matches the domain in the visible "From" header. If it does, DMARC passes. If it doesn't, DMARC fails, even if SPF and DKIM individually passed on their own terms.
Policy means you get to tell receiving servers what to do with messages that fail DMARC. There are three options: p=none (do nothing, just send me reports), p=quarantine (put failing messages in spam), or p=reject (don't deliver them at all).
DMARC also generates reports. Every day, inbox providers that support DMARC send aggregate XML reports showing you who's sending email using your domain, from which IPs, and whether they're passing authentication. That visibility is often how organizations first discover unauthorized senders using their domain.
To set up DMARC, you publish a TXT record in your DNS at _dmarc.yourdomain.com. A minimal monitoring record looks like:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
This starts collecting reports without affecting mail flow. You can parse these reports with our free DMARC parser.
DMARC is most effective as part of a complete authentication setup. SPF and DKIM are the prerequisites. DMARC is the enforcement and reporting layer that makes them meaningful for anti-spoofing.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.