What is RFC 7489 (DMARC)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

SPF checks the sending server. DKIM checks the message signature. Both are useful, but neither one helps ensure the email actually comes from the domain you see in the From field. That's the gap RFC 7489 was written to close.

RFC 7489 is the technical standard that defines DMARC (Domain-based Message Authentication, Reporting, and Conformance). At its core, DMARC adds one critical rule that SPF and DKIM don't enforce on their own: alignment. The domain authenticated by SPF or DKIM has to match the domain in the visible From address. If it doesn't, DMARC treats the message as failing, even if SPF and DKIM individually passed.

That alignment check is what stops sophisticated spoofing. Without it, an attacker could send from a domain they control (passing SPF), while displaying your domain in the From field. Your recipients would see your name, not theirs.

RFC 7489 also gives domain owners a way to tell receiving servers what to do when a message fails. That's the policy part, and it has three settings:

  • none. Take no action, just send reports. Good for monitoring while you're getting set up.
  • quarantine. Send failing messages to the spam folder.
  • reject. Block failing messages outright. This is full protection.

The third thing RFC 7489 defines is reporting. When a server receives a message claiming to be from your domain, it can send you a report. Aggregate reports (rua) summarize what's passing and failing across all senders using your domain. Forensic reports (ruf) give detail on individual failures. These reports are how you find out about misconfigured third-party senders or someone trying to impersonate your domain (and you'd be surprised how often that's happening quietly in the background).

In practice, a DMARC record lives in your DNS and looks something like this:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

That one line tells receiving servers your policy and where to send aggregate reports. Starting at p=none while you review reports is the sensible approach. Once you're confident your legitimate senders are all authenticating cleanly, you move to quarantine, then reject.

Still if you want to see what your DMARC record currently says (or whether you even have one), you can check it with our free DMARC Parser. And if you're starting from scratch, the DMARC Generator will build your first record in about 60 seconds.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build my DMARC plan

I want to set up DMARC on my domain. Based on my current sending setup, can you help me figure out where to start? Please ask me: 1) whether I have SPF and DKIM already configured, 2) which platforms or tools send email on my behalf (ESP, CRM, help desk, etc.), 3) whether I currently have any DMARC record, and 4) my main goal (monitoring, spam protection, or full enforcement). Then give me a recommended starting policy, a sample DNS record, and the order of steps to move toward p=reject safely.

Edit the yellow boxes, then send to the AI of your choice.