DMARC Deep Dive: Why Every Domain Needs It and How to Implement Safely

ZeroPhantom 2026-02-24 7 min read

DMARC is the most impactful email security record most domain owners don't have. It stops spoofing and gives you visibility into every email sent from your domain.

The Problem Without DMARC

Anyone can send email appearing to come from your domain. Attackers do this to phish your customers. Receiving servers have no way to tell the difference without DMARC.

How DMARC Works

DMARC checks that incoming email claiming to be from your domain passes SPF or DKIM, and that the authenticated domain aligns with the domain in the From header. If the check fails, DMARC tells the receiver what to do.

The Three Policies

  • p=none — Monitor only, no action. You receive reports. Start here.
  • p=quarantine — Failed emails go to spam. Stops most spoofing.
  • p=reject — Failed emails rejected outright. Maximum protection.

Safe Implementation Steps

Week 1–4: Monitor

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

Week 5–8: Quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=25

Start at pct=25 (25% of failures quarantined), then increase to 100 over a week.

Week 9+: Reject

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

Reading DMARC Reports

DMARC sends XML reports to your rua address. Services like DMARC Analyzer, Valimail, or Postmark's free analyzer parse them into readable dashboards. Look for unauthorized senders and legitimate sources failing authentication.
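
The check described above, as an added example that is not code from this article or from the services it names: it reads one aggregate report and labels each sending source as passing, misaligned, or unauthenticated. The report bytes are a constructed sample, `classify_sources` is an illustrative name, and the code assumes an already-decompressed report without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs, made-up domains).
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>yourdomain.com</domain><result>fail</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim>
   <spf><domain>esp.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def classify_sources(report_bytes):
    """Return [(source_ip, count, verdict)] for each record, DMARC failures first."""
    # Reports are third-party input: refuse any DTD so entity expansion never reaches the parser.
    if b"<!DOCTYPE" in report_bytes:
        raise ValueError("DTD not allowed in a DMARC report")
    rows = []
    for rec in ET.fromstring(report_bytes).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        aligned = {rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf")}
        # auth_results holds the raw SPF/DKIM results, whatever domain they were for.
        raw = {r.text for r in rec.findall("auth_results/*/result")}
        if "pass" in aligned:
            verdict = "pass"
        elif "pass" in raw:
            verdict = "misaligned"       # authenticated, but not as the From domain
        else:
            verdict = "unauthenticated"  # nothing passed: candidate spoofing source
        rows.append((ip, count, verdict))
    # Failures sort ahead of passes; within each group, highest volume first.
    return sorted(rows, key=lambda r: (r[2] == "pass", -r[1]))

if __name__ == "__main__":
    for ip, count, verdict in classify_sources(SAMPLE_REPORT):
        print(f"{ip:15} {count:5} {verdict}")
```

Rows marked misaligned are the ones to check against your list of known sending services before moving past p=none.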

After DMARC, warm up your domain to maximize inbox placement.