DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy telling mail servers what to do with messages that fail SPF or DKIM. Published as a _dmarc.example.com TXT record. Layered over SPF+DKIM: at least one must align with the From domain. Without DMARC the domain remains vulnerable to spoofing.
Below: details, example, related terms, FAQ.
Free online tool — SPF/DKIM/DMARC checker: instant results, no signup.
v=DMARC1; p=none|quarantine|reject; rua=mailto:...; pct=100v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.comDMARC policies are essential for domain owners who wish to protect their email reputation and prevent unauthorized use of their domains. These policies dictate how receiving mail servers should handle emails that fail DMARC checks, which are based on the results of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). The DMARC policy is published in the DNS as a TXT record and can take one of three values:
Implementing a DMARC policy is crucial for maintaining email integrity. Without it, domains are susceptible to phishing attacks and email spoofing, which can lead to reputational damage and loss of trust among users. A well-configured DMARC policy not only protects the domain but also enhances deliverability rates by signaling to receiving servers that the sender is legitimate.
Configuring a DMARC record for your domain is a straightforward process that involves creating a DNS TXT record. Here’s a step-by-step guide to help you set it up:
_dmarc.example.com (replace example.com with your domain). In the value field, input your DMARC policy. For example:v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; pct=100This record specifies that:
Once you save the changes, it may take some time for the DNS records to propagate. It’s advisable to monitor the reports you receive to adjust your policies as needed.
Implementing DMARC can significantly enhance your email security, but improper configurations can lead to delivery issues or inadequate protection. Here are some common misconfigurations and tips on how to avoid them:
rua and ruf tags are valid and monitored. Missing or incorrect addresses can lead to a lack of visibility.By addressing these common pitfalls, domain owners can ensure their DMARC implementation is effective and provides the intended protection against email spoofing and phishing attacks.
DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.
Specify domain and DKIM selector — get the public key and its parameters.
RSA/Ed25519 key length, hash algorithm, flags, and validity period.
If key < 2048 bits — we issue a warning and key rotation instructions.
Direct DNS query in seconds — no waiting for TTL.
pre-send verification
mail server setup
phishing protection audit
email deliverability debug
DKIM check history and DNS monitoring for domain record changes.
Sign up freeYes. SPF/DKIM only authenticate. DMARC tells the receiver what to do if they fail — without DMARC the receiver decides (often accepts).
Always with p=none and rua=mailto:. Monitor for 2 weeks, then quarantine pct=25, then 100, then reject.
DMARC is free. Report aggregators like dmarcian offer a free tier for small domains.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.