What is DMARC? Email spoofing protection, explained
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It connects SPF and DKIM to the From address people actually see, tells receivers what to do when authentication fails, and sends you reports showing who is using your domain. That combination turns two technical checks into practical protection against domain spoofing.
Updated July 14, 2026
What DMARC does
Without DMARC, a scammer can place you@yourdomain.com in the visible From field even when the message came from infrastructure you have never authorized. SPF checks a separate envelope address, and DKIM checks the domain attached to a cryptographic signature. DMARC requires at least one passing method to also align with the visible From domain.
This matters because authentication without alignment can prove that a sending platform authenticated its own domain while doing nothing to prove it was allowed to use yours. DMARC alignment closes that gap.
How a DMARC check works
- A message arrives with a visible From domain such as
example.com. - The receiver evaluates SPF against the envelope sender and DKIM against each signature.
- DMARC checks whether a passing SPF or DKIM domain aligns with
example.com. - If neither aligned method passes, DMARC fails and the receiver consults the policy published at
_dmarc.example.com. - The receiver may include the result in an aggregate report sent to the address in the record's
rua=tag.
DMARC uses an OR rule: aligned SPF or aligned DKIM is enough. In practice you should configure both. Forwarding commonly breaks SPF, while mailing-list modifications can break DKIM; using both avoids a single point of failure.
The three DMARC policies
| Policy | What receivers are asked to do | Best use |
|---|---|---|
p=none | Deliver normally and send reports | Discover every legitimate sender before enforcement |
p=quarantine | Treat failing mail as suspicious, usually spam | A cautious enforcement stage |
p=reject | Refuse failing mail | Full protection after legitimate senders align |
Start with visibility, not bravado. A new p=reject record can block invoices, support tickets, or marketing mail sent through a forgotten service. Publish p=none, review reports, fix every legitimate source, then move through quarantine to reject. See the detailed DMARC policy comparison.
What a DMARC record looks like
Host: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.comv=DMARC1 identifies the record, p=none sets the policy, and rua= asks participating receivers to send aggregate XML reports. Those reports contain authentication results and sending-source counts, not message bodies. Use the DMARC generator to create a valid record and read DMARC record tags explained before adding advanced options.
How to adopt DMARC safely
- Make sure every legitimate sender has SPF and preferably DKIM configured.
- Publish one DMARC record at
_dmarc.yourdomain.comwithp=noneand an aggregate-report destination. - Collect reports for long enough to observe normal business cycles, including monthly billing or seasonal tools.
- Align or remove every legitimate source that fails.
- Move to
p=quarantine, watch for unexpected failures, then move top=reject. - Keep monitoring: new SaaS tools and DNS changes can create fresh failures months later.
You can check the public record immediately with the DMARC checker. To see the real-world senders behind it, HealthCheck Email turns aggregate reports into a readable source list and alerts you when authentication changes.
Sources and further reading
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC) — The DMARC policy, alignment, reporting, and record-format specification.