What is DMARC and Why Does Your Domain Need It?

Updated March 2026 · 10 min read

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. In plain English, it is a rule you publish in your domain's DNS settings that tells email providers like Gmail, Outlook, and Yahoo what to do when someone tries to send an email pretending to be from your domain.

Every day, billions of emails are sent by scammers who forge the "From" address to make their messages look like they come from a trusted business. This is called email spoofing, and it is one of the most common methods behind phishing attacks, invoice fraud, and brand impersonation. DMARC was created specifically to fight this problem.

Without DMARC, anyone on the internet can send an email that appears to come from your domain. Your customers, vendors, and employees have no reliable way to tell the difference between a real message from you and a fake one. With a DMARC policy in place, you instruct email providers to check every message claiming to be from your domain and either allow it, send it to spam, or block it entirely.

DMARC does not work alone. It builds on two older email authentication technologies — SPF and DKIM — and adds a policy layer and reporting mechanism on top. Think of DMARC as the coordinator that ties the entire email authentication system together.

How DMARC Works with SPF and DKIM

Email authentication relies on three technologies working together. Each handles a different piece of the puzzle:

SPF (Sender Policy Framework)

SPF is a DNS record that lists every server and IP address authorized to send email on behalf of your domain. When an email arrives, the receiving server looks up your SPF record and checks whether the sending server is on the approved list. If it is not, the message fails the SPF check.

The limitation of SPF is that it only verifies the envelope sender (the technical return address), not the "From" address that the recipient actually sees. A scammer can pass SPF by using their own server while still forging your domain in the visible "From" field.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic digital signature to outgoing emails. The sending server signs the message with a private key, and the receiving server verifies it using a public key published in your DNS. If the signature matches, the recipient knows the email was not altered in transit and that it was genuinely sent by a server with access to your private key.

DKIM proves that the message content is authentic, but on its own it does not tell the receiving server what to do if the signature is missing or invalid.

DMARC: The Policy Layer

DMARC ties SPF and DKIM together with two critical additions. First, it introduces alignment — the requirement that the domain in the visible "From" header must match the domain verified by SPF or DKIM. This closes the loophole that SPF alone leaves open. Second, DMARC publishes a policy that tells receiving servers exactly what action to take when a message fails authentication: do nothing, quarantine it, or reject it outright.

On top of that, DMARC enables reporting. Email providers send you data about every message they receive that claims to be from your domain, so you can see who is sending mail as you — both legitimate services and unauthorized senders.

Why DMARC Matters for Your Business

If you own a domain and send email — whether that is newsletters, invoices, support tickets, or even just password resets — DMARC is not optional anymore. Here is why:

• Prevent email spoofing and phishing. Without DMARC, attackers can send convincing phishing emails to your customers using your exact domain name. A single successful phishing attack can lead to financial fraud, data breaches, and lasting damage to customer trust.
• Protect your brand reputation. When customers receive spam or scams that appear to come from you, they associate the negative experience with your brand — even though you had nothing to do with it. DMARC stops unauthorized senders from using your domain in the first place.
• Improve email deliverability. Email providers use authentication as a trust signal. Domains with properly configured DMARC, SPF, and DKIM are more likely to have their legitimate emails land in the inbox instead of the spam folder. If your marketing emails or transactional messages are not reaching customers, a missing or misconfigured DMARC record could be part of the problem.
• Meet the new requirements from Google and Yahoo. Since February 2024, both Google and Yahoo require bulk senders (5,000+ messages per day) to have a published DMARC record. Even smaller senders benefit because DMARC is now a core deliverability signal across all major providers.
• Gain visibility into your email ecosystem. DMARC aggregate reports show you every IP address and service sending email using your domain. Many businesses discover third-party tools — marketing platforms, CRM systems, help desk software — that they had forgotten were sending as their domain. This visibility is essential for maintaining security and cleaning up your email configuration.
• Meet compliance requirements. Industries including finance, healthcare, and government increasingly mandate DMARC as part of cybersecurity compliance. Frameworks like PCI-DSS, HIPAA security recommendations, and the UK's Cyber Essentials all reference email authentication best practices that include DMARC.

DMARC Policies Explained

Your DMARC record includes a policy tag (p=) that determines what happens to emails that fail authentication. There are three levels, and you should work through them in order:

Most organizations should start with p=none, spend a few weeks reviewing reports to confirm that all legitimate email is properly authenticated, then move to p=quarantine, and finally to p=reject. Skipping straight to reject without monitoring first can cause legitimate email to be blocked.

How to Check Your DMARC Status

Checking whether your domain has a DMARC record is straightforward. Your DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. A typical record looks like this:

Here is what each part means:

• v=DMARC1 — Identifies this as a DMARC record (required).
• p=reject — The policy for failing emails (none, quarantine, or reject).
• rua=mailto:... — The email address where aggregate reports should be sent.
• pct=100 — Percentage of messages the policy applies to (100% means all messages).
• adkim=s — DKIM alignment mode: strict (s) or relaxed (r).
• aspf=s — SPF alignment mode: strict (s) or relaxed (r).

The fastest way to check your domain is to use our free DMARC Checker tool. Enter your domain name, and it will instantly tell you whether a DMARC record exists, what policy is set, and whether there are any configuration issues.

How to Set Up DMARC — Step by Step

Setting up DMARC does not require deep technical knowledge, but it does require a methodical approach. Follow these steps to get it right:

1. Verify that SPF and DKIM are already in place. DMARC depends on SPF and DKIM to function. Before creating a DMARC record, confirm that your domain has a valid SPF record and that your email provider has enabled DKIM signing. You can use our SPF Checker to verify your SPF configuration.
2. Start with a monitoring-only policy (p=none). Your first DMARC record should use p=none so you can observe who is sending email as your domain without affecting delivery. This lets you catch any legitimate services you may have overlooked.
3. Create the DNS TXT record. Log in to your DNS provider (such as Cloudflare, Namecheap, GoDaddy, or Route 53) and create a new TXT record with the following values:
   Host / Name: _dmarc Type: TXT Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
   Replace dmarc@yourdomain.com with a real email address where you want to receive reports. Some providers require you to enter _dmarc.yourdomain.com as the full hostname — check your provider's documentation.
4. Monitor aggregate reports for 2–4 weeks. Once your record is published, email providers will begin sending XML reports to the address you specified. These reports contain data about every email sent using your domain. Review them to identify all legitimate senders and confirm they pass SPF or DKIM alignment. If you find services that are failing, update their SPF or DKIM configuration before moving to a stricter policy.
5. Move to p=quarantine. After confirming that all your authorized senders are passing authentication, update your DMARC policy to p=quarantine. This sends unauthorized emails to spam while you continue to monitor for any issues.
6. Upgrade to p=reject for full protection. Once you are confident that no legitimate email is being caught, change your policy to p=reject. This is the strongest level of protection and the recommended end state for every domain. Unauthorized emails will be blocked entirely and never reach your recipients.

The entire process from initial setup to full enforcement typically takes 4 to 8 weeks, depending on how many third-party services send email on your behalf and how quickly you can resolve any authentication gaps.

DMARC Reports: Understanding the Data

One of the most valuable features of DMARC is the reporting mechanism. There are two types of reports:

Aggregate Reports (rua)

Aggregate reports are XML files sent by email providers (usually once per day) to the address specified in your DMARC record's rua tag. They contain summary data about all email sent using your domain, including:

• The IP addresses of servers that sent email as your domain.
• Whether each message passed or failed SPF and DKIM.
• Whether SPF and DKIM were aligned with the "From" domain.
• What policy was applied (none, quarantine, or reject).
• The volume of messages from each source.

These reports are essential for understanding your email ecosystem. They reveal legitimate services you may have forgotten about, unauthorized senders attempting to spoof your domain, and configuration issues that need to be fixed before you can safely enforce a stricter policy.

Forensic Reports (ruf)

Forensic reports are detailed, per-message reports sent when an individual email fails DMARC. They can include headers or even the full body of the failing message, which helps you investigate specific spoofing attempts. However, many email providers do not send forensic reports due to privacy concerns, so aggregate reports are the primary data source most organizations rely on.

Raw DMARC XML reports are not easy to read. Tools and services that parse and visualize these reports make the data far more actionable. GuardHound's monitoring features help you make sense of your DMARC data without manually processing XML files.

How GuardHound Monitors Your DMARC

Setting up DMARC is not a one-time task. DNS records can be accidentally deleted, third-party services change their sending infrastructure, and attackers constantly probe for weaknesses. Ongoing monitoring ensures your protection stays intact.

GuardHound helps you stay on top of your DMARC configuration with:

• Instant DMARC analysis. Our free DMARC Checker lets you look up any domain's DMARC record, decode the policy, and identify issues in seconds.
• Continuous monitoring. GuardHound watches your DMARC, SPF, and DKIM records around the clock. If your DMARC record is removed, downgraded, or misconfigured, you are alerted immediately.
• Policy change alerts. Moving from p=reject to p=none — whether by accident or by a well-meaning teammate — leaves your domain exposed. GuardHound detects policy regressions and notifies you right away.
• Complete domain health checks. DMARC is one piece of a larger security picture. Our Domain Health Check evaluates your full configuration including SSL certificates, SPF, DKIM, DMARC, DNS security, and more.