Skip to content

What is DMARC

Key idea:

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy telling mail servers what to do with messages that fail SPF or DKIM. Published as a _dmarc.example.com TXT record. Layered over SPF+DKIM: at least one must align with the From domain. Without DMARC the domain remains vulnerable to spoofing.

Below: details, example, related terms, FAQ.

Check your site →

Details

  • Syntax: v=DMARC1; p=none|quarantine|reject; rua=mailto:...; pct=100
  • Three strictness levels: p=none (monitor) → p=quarantine (spam folder) → p=reject (hard-fail)
  • rua= aggregate reports, ruf= forensic reports for specific fails
  • adkim=s/r, aspf=s/r — strict vs relaxed alignment. Default is relaxed
  • Gmail and Yahoo since February 2024 require DMARC for bulk senders (>5000/day)

Example

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com

Related Terms

Understanding DMARC Policies and Their Importance

DMARC policies are essential for domain owners who wish to protect their email reputation and prevent unauthorized use of their domains. These policies dictate how receiving mail servers should handle emails that fail DMARC checks, which are based on the results of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). The DMARC policy is published in the DNS as a TXT record and can take one of three values:

  • none: This policy indicates that no specific action should be taken on emails that fail DMARC checks. It is primarily used for monitoring.
  • quarantine: Emails that fail the DMARC check are treated suspiciously and may be placed in the recipient's spam or junk folder.
  • reject: This is the strictest policy, instructing mail servers to reject any emails that do not pass DMARC validation.

Implementing a DMARC policy is crucial for maintaining email integrity. Without it, domains are susceptible to phishing attacks and email spoofing, which can lead to reputational damage and loss of trust among users. A well-configured DMARC policy not only protects the domain but also enhances deliverability rates by signaling to receiving servers that the sender is legitimate.

How to Configure DMARC Records: Step-by-Step Guide

Configuring a DMARC record for your domain is a straightforward process that involves creating a DNS TXT record. Here’s a step-by-step guide to help you set it up:

  1. Access your DNS Management Console: Log in to your domain registrar or DNS hosting provider.
  2. Create a new TXT record: In your DNS settings, look for an option to add a new record. Choose the TXT record type.
  3. Enter the DMARC policy: In the hostname field, enter _dmarc.example.com (replace example.com with your domain). In the value field, input your DMARC policy. For example:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; pct=100

This record specifies that:

  • v=DMARC1: Indicates the version of DMARC.
  • p=reject: Indicates that emails failing the DMARC checks should be rejected.
  • rua: Provides an email address where aggregate reports will be sent.
  • ruf: Provides an email address for forensic reports.
  • pct=100: Applies the policy to 100% of the emails.

Once you save the changes, it may take some time for the DNS records to propagate. It’s advisable to monitor the reports you receive to adjust your policies as needed.

Common DMARC Misconfigurations and How to Avoid Them

Implementing DMARC can significantly enhance your email security, but improper configurations can lead to delivery issues or inadequate protection. Here are some common misconfigurations and tips on how to avoid them:

  • Not aligning SPF and DKIM: For DMARC to pass, at least one of SPF or DKIM must align with the From domain. Ensure that both SPF and DKIM settings are correctly configured to prevent alignment failures.
  • Using a 'none' policy too long: While starting with a 'none' policy is common for monitoring, keeping it indefinitely can leave your domain vulnerable. Transition to 'quarantine' or 'reject' as soon as you have sufficient data.
  • Overlooking report analysis: Failing to analyze DMARC reports can result in missing critical insights into unauthorized usage of your domain. Regularly review reports to identify and address issues.
  • Improper email addresses for reports: Ensure that the email addresses specified in the rua and ruf tags are valid and monitored. Missing or incorrect addresses can lead to a lack of visibility.

By addressing these common pitfalls, domain owners can ensure their DMARC implementation is effective and provides the intended protection against email spoofing and phishing attacks.

Public KeyDKIM key in DNS TXT record
Key LengthRSA-1024, 2048, or Ed25519
Quick TestDomain + selector = result
ValidationSyntax and parameters of DKIM TXT

Why teams trust us

DKIM
signature check
SPF
SPF + DMARC audit
DNS
TXT record check
Free
no limits

How it works

1

Enter domain and selector

2

Fetch DKIM TXT record

3

Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If key < 2048 bits — we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

Email marketers

pre-send verification

Sysadmins

mail server setup

Security

phishing protection audit

Developers

email deliverability debug

Common Mistakes

Using 1024-bit key1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
Not rotating keysSame key for years — risk of compromise. Rotate keys every 6–12 months.
Wrong selectorEach ESP uses its own selector. Ensure the correct key is in DNS for each.
Not checking after ESP changeWhen changing email service, always verify the new provider's DKIM.

Best Practices

Use 2048-bit keysThis is the current recommended minimum. Ed25519 is a more modern alternative.
Set up DMARC with DKIMWithout DMARC, even correct DKIM signing doesn't protect from Display-From spoofing.
Check after migrationWhen changing DNS provider, DKIM records are often lost. Check immediately after.
Document all selectorsKeep a list of all DKIM selectors — useful during rotation and auditing.

Get more with a free account

DKIM check history and DNS monitoring for domain record changes.

Sign up free

Learn more

Frequently Asked Questions

Do I need DMARC if I have SPF and DKIM?

Yes. SPF/DKIM only authenticate. DMARC tells the receiver what to do if they fail — without DMARC the receiver decides (often accepts).

Where to start?

Always with p=none and rua=mailto:. Monitor for 2 weeks, then quarantine pct=25, then 100, then reject.

Is there a cost?

DMARC is free. Report aggregators like dmarcian offer a free tier for small domains.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.