What is DMARC? Email spoofing protection, explained

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It connects SPF and DKIM to the From address people actually see, tells receivers what to do when authentication fails, and sends you reports showing who is using your domain. That combination turns two technical checks into practical protection against domain spoofing.

Updated July 14, 2026

What DMARC does

Without DMARC, a scammer can place you@yourdomain.com in the visible From field even when the message came from infrastructure you have never authorized. SPF checks a separate envelope address, and DKIM checks the domain attached to a cryptographic signature. DMARC requires at least one passing method to also align with the visible From domain.

This matters because authentication without alignment can prove that a sending platform authenticated its own domain while doing nothing to prove it was allowed to use yours. DMARC alignment closes that gap.

How a DMARC check works

  1. A message arrives with a visible From domain such as example.com.
  2. The receiver evaluates SPF against the envelope sender and DKIM against each signature.
  3. DMARC checks whether a passing SPF or DKIM domain aligns with example.com.
  4. If neither aligned method passes, DMARC fails and the receiver consults the policy published at _dmarc.example.com.
  5. The receiver may include the result in an aggregate report sent to the address in the record's rua= tag.

DMARC uses an OR rule: aligned SPF or aligned DKIM is enough. In practice you should configure both. Forwarding commonly breaks SPF, while mailing-list modifications can break DKIM; using both avoids a single point of failure.

The three DMARC policies

PolicyWhat receivers are asked to doBest use
p=noneDeliver normally and send reportsDiscover every legitimate sender before enforcement
p=quarantineTreat failing mail as suspicious, usually spamA cautious enforcement stage
p=rejectRefuse failing mailFull protection after legitimate senders align
A receiver ultimately controls delivery, but major providers generally honor valid DMARC policies.

Start with visibility, not bravado. A new p=reject record can block invoices, support tickets, or marketing mail sent through a forgotten service. Publish p=none, review reports, fix every legitimate source, then move through quarantine to reject. See the detailed DMARC policy comparison.

What a DMARC record looks like

Host:  _dmarc.example.com
Type:  TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
A safe monitoring-only starting record.

v=DMARC1 identifies the record, p=none sets the policy, and rua= asks participating receivers to send aggregate XML reports. Those reports contain authentication results and sending-source counts, not message bodies. Use the DMARC generator to create a valid record and read DMARC record tags explained before adding advanced options.

How to adopt DMARC safely

  1. Make sure every legitimate sender has SPF and preferably DKIM configured.
  2. Publish one DMARC record at _dmarc.yourdomain.com with p=none and an aggregate-report destination.
  3. Collect reports for long enough to observe normal business cycles, including monthly billing or seasonal tools.
  4. Align or remove every legitimate source that fails.
  5. Move to p=quarantine, watch for unexpected failures, then move to p=reject.
  6. Keep monitoring: new SaaS tools and DNS changes can create fresh failures months later.

You can check the public record immediately with the DMARC checker. To see the real-world senders behind it, HealthCheck Email turns aggregate reports into a readable source list and alerts you when authentication changes.

Sources and further reading

Common questions

Does DMARC improve deliverability?+

DMARC is primarily an authentication and anti-spoofing control, not a guarantee of inbox placement. Correctly aligned authentication is now a baseline expectation at major mailbox providers, so it removes one major deliverability risk; reputation, complaints, content, and sending behavior still matter.

Do I need both SPF and DKIM before DMARC?+

DMARC can pass with either aligned SPF or aligned DKIM, but configuring both is strongly recommended. SPF often breaks during forwarding, and DKIM can break when an intermediary modifies a signed message.

Where do I publish DMARC?+

Publish it as a TXT record at `_dmarc.yourdomain.com`, not at the root domain. A domain should have exactly one DMARC record at that name.

Will p=none stop spoofing?+

No. It provides visibility and reports but asks receivers to take no special delivery action. Quarantine and reject are the enforcement policies.