DMARC
DMARC is the policy layer that tells receivers what to do with mail that fails SPF or DKIM alignment — and gets them to send you reports on everything claiming to be from your domain.
- Domain-based Message Authentication, Reporting & Conformance
- Email authentication · Policy · DNS
- Bulk senders to Gmail and Yahoo (as of Feb 2024)
- SPF and DKIM are in place and you want to enforce alignment
What it is
DMARC, defined in RFC 7489, is the missing piece SPF and DKIM left behind. Both of the older standards authenticate something — the envelope, or selected headers and body — but neither requires that the authenticated identity match the From address a user actually sees. DMARC closes that gap. It says: for an email to pass, the From domain must align with either a passing SPF identity or a passing DKIM signature. And it lets you publish, in DNS, exactly what receivers should do when alignment fails.
How it works
A DMARC record lives at _dmarc.your-domain.com. Its job is twofold: declare a policy and request reports.
; Example DMARC TXT record at _dmarc.example.com
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com; fo=1; adkim=s; aspf=s; pct=100"

The p= tag carries one of three values: none (monitor only), quarantine (route failures to spam), or reject (refuse delivery). The rua tag tells receivers where to ship aggregate XML reports — daily summaries of every IP claiming to send as your domain, broken down by SPF and DKIM result. The ruf tag requests per-message forensic reports, and adkim/aspf set the alignment mode (s for strict, r for relaxed). The cautious path is to start at p=none, watch reports for a few weeks, fix sources you forgot about, and only then move to quarantine and reject.
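To make the alignment rule concrete, here is an added example (not code from the page) that parses the record above and decides, for one message, whether the From domain aligns with a passing SPF or DKIM identity and what disposition the published policy calls for. The organizational-domain helper is a simplification; a real evaluator consults the Public Suffix List.

```python
# Added example: parse a DMARC TXT record and evaluate alignment for one message.
# This is a minimal model of RFC 7489 identifier alignment, not a full validator.

# Constructed record: the one shown on the page (strict alignment, quarantine).
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:forensics@example.com; fo=1; adkim=s; aspf=s; pct=100")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into tags, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}  # defaults: relaxed, 100%
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption: a real implementation uses the Public Suffix List (e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(record: str, from_domain: str, spf_domain: str, spf_pass: bool,
             dkim_domain: str, dkim_pass: bool) -> tuple:
    """Return (dmarc_pass, disposition): pass needs one aligned passing identity."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]  # failure: apply the published policy


if __name__ == "__main__":
    # Constructed spoof: SPF passes for the attacker's own bounce domain, no DKIM.
    print(evaluate(RECORD, "example.com", "attacker.invalid", True, "", False))
```

Note how strict aspf makes a legitimate message signed only by SPF from a subdomain such as bounce.example.com fail unless DKIM aligns too; that is the kind of forgotten source the p=none monitoring period is meant to surface.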
Why it matters
In February 2024 Gmail and Yahoo made DMARC mandatory for anyone sending more than 5,000 messages a day to their users. The minimum bar is p=none with a valid rua, but the providers reserve the right to throttle senders who stay there forever. A real enforcement policy is now table stakes.
DMARC also lights up a class of attack you cannot otherwise see. Without it, an attacker can spoof your domain freely and you never find out. With it, every participating receiver sends you a daily aggregate report, and those that honour ruf send per-message forensic reports. That visibility alone is worth the half hour of work.