What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication protocol (RFC 7489) that lets a domain owner tell receiving mail servers what to do with a message whose visible From header uses their domain but fails authentication checks, and asks those servers to report back on what they saw.
Without DMARC, anyone can send email that appears to come from your domain, and your customers, suppliers and staff have no reliable way to tell whether a message genuinely came from you or from an attacker impersonating you. DMARC addresses this: you publish a policy in a TXT record at _dmarc.yourdomain in DNS, and receiving servers that evaluate DMARC apply that policy to unauthenticated messages. The protection only applies at receivers that check DMARC, but most large mailbox providers now do, so that covers the bulk of consumer and business mailboxes.
Why Email Spoofing Is Dangerous
Email spoofing is trivially easy. SMTP carries two sender identities, the envelope sender (MAIL FROM) used for bounces and the From header the recipient actually sees, and the base protocol verifies neither. An attacker can put your domain in the From header of a message sent from any server they control, without ever touching your mail infrastructure.
This is a serious problem for organisations of any size. Spoofed emails are used for:
- Phishing attacks — tricking recipients into revealing credentials or sensitive information by impersonating a trusted sender
- Business email compromise (BEC) — convincing employees or suppliers to transfer funds or share confidential data
- Brand damage — spam or malicious emails sent "from" your domain erode trust with your customers and partners
- Deliverability issues — if your domain is associated with spoofed spam, legitimate emails from your organisation may start landing in junk folders
How DMARC Works
DMARC doesn't work alone. It builds on two existing email authentication standards: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Think of DMARC as the policy layer that ties SPF and DKIM together and tells receiving servers what action to take when checks fail.
When a receiving mail server gets an email whose From header names your domain, it performs these steps:
- Checks SPF: it looks up the SPF record of the envelope sender (MAIL FROM) domain and verifies that the connecting IP address is authorised to send for that domain
- Checks DKIM: it verifies the DKIM signature against the public key published in DNS for the signing domain (the d= tag), which confirms that domain vouched for the message and that the signed headers and body have not changed since signing
- Checks alignment: the domain in the From header must match the SPF MAIL FROM domain or the DKIM d= domain (in relaxed mode the same organisational domain is enough; in strict mode it must be an exact match)
- Looks up your DMARC policy at _dmarc.yourdomain: the message passes DMARC if at least one of SPF or DKIM both passed and aligned; otherwise the receiver applies your published policy
DMARC Policies: None, Quarantine, and Reject
Your DMARC record includes a policy tag (p=) that tells receiving servers how to handle messages that fail authentication. Two optional tags refine it: sp= sets a separate policy for subdomains (it defaults to the value of p=), and pct= applies the policy to only a percentage of failing mail during rollout. There are three policy values:
- p=none — Monitor only. Failing messages are still delivered, but you receive reports about authentication results. This is the recommended starting point.
- p=quarantine — Failing messages are sent to the recipient's spam or junk folder. This signals to receivers that you're serious about authentication but allows some margin for misconfiguration.
- p=reject — Failing messages are blocked entirely. This is the strongest protection and the ultimate goal for most organisations.
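How a receiver combines these results, as an added example that is not code from the page or from DMARC Dashboard: a small Python parser for the DMARC TXT record and the alignment check described in the steps above, applied to a few constructed cases. It approximates the organisational domain as the last two labels; real receivers use the Public Suffix List, so that is an assumption of this example, as are the sample domains and results.

```python
# Added example (not from the page or from DMARC Dashboard): parse a DMARC TXT
# record and run the alignment check a receiver performs.
# Assumption: the "organizational domain" is approximated by the last two
# labels; real receivers use the Public Suffix List (co.uk etc. differ).

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"p= must be one of {VALID_POLICIES}, got {tags.get('p')!r}")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")      # apply the policy to all failing mail
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organizational domain, e.g. bounce.example.com vs example.com."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: dict, policy_domain: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    DMARC passes when SPF passes AND the MAIL FROM domain aligns with the
    header From, OR DKIM passes AND the d= domain aligns. A raw SPF or DKIM
    pass for some unrelated domain does not count.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # sp= governs mail whose From domain is a subdomain of the record's domain.
    policy = record["p"] if from_domain.lower() == policy_domain.lower() else record["sp"]
    return ("fail", policy)


def demo() -> dict:
    """Constructed cases (not real traffic) showing how alignment decides the outcome."""
    rec = parse_dmarc_record(
        "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:dmarc@example.com")
    return {
        # DKIM d=example.com aligns with From example.com: pass.
        "legit_dkim": evaluate_dmarc(rec, "example.com", "example.com",
                                     "pass", "bounce.example.com", "pass", "example.com"),
        # SPF passes for bounce.example.com but aspf=s wants an exact match; no DKIM: reject.
        "spf_strict_miss": evaluate_dmarc(rec, "example.com", "example.com",
                                          "pass", "bounce.example.com", "none", ""),
        # Spoof: the attacker's own SPF and DKIM pass, but for attacker.example: reject.
        "spoof": evaluate_dmarc(rec, "example.com", "example.com",
                                "pass", "attacker.example", "pass", "attacker.example"),
        # Unaligned mail from a subdomain: sp=quarantine applies instead of p=reject.
        "subdomain": evaluate_dmarc(rec, "example.com", "news.example.com",
                                    "fail", "attacker.example", "none", ""),
    }
```

The "spoof" case is the one DMARC exists for: both SPF and DKIM genuinely pass, just for the attacker's domain, and only the alignment step turns that into a reject.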
DMARC Reporting
One of the most valuable features of DMARC is its reporting capability. By adding a rua tag (for example rua=mailto:dmarc-reports@yourdomain) to your DMARC record, you ask receiving servers to send you aggregate reports: XML documents, usually delivered once a day as .xml.gz or .zip attachments, that summarise per sending IP address how many messages passed and failed SPF, DKIM and alignment.
These reports reveal:
- Which IP addresses are sending email on behalf of your domain
- Whether those emails are passing SPF and DKIM checks
- How many messages are being sent, including from sources you didn't authorise
The ruf tag requests failure reports (often called forensic reports), which carry a redacted copy or sample of individual failing messages. Many large receivers don't send them at all because of privacy concerns, so treat them as a bonus rather than a data source you can rely on.
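What an aggregate report looks like on the wire, and how to turn it into the three buckets you triage while sitting at p=none, as an added example that is not code from the page or from DMARC Dashboard. The XML is a constructed sample in the RFC 7489 report schema using documentation-range IPs, not a real report, and the three sources in it are made up to show one aligned sender, one legitimate-looking third party that does not align, and one source that authenticates as nothing.

```python
# Added example (not from the page or from DMARC Dashboard): summarise a DMARC
# aggregate (rua) report. SAMPLE_REPORT is a constructed sample, not real data.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>1234567890</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example</domain><result>pass</result></dkim>
      <spf><domain>mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def classify(src: dict) -> str:
    """Label a source the way you triage it when reading reports at p=none."""
    if src["dkim_aligned"] or src["spf_aligned"]:
        return "aligned"          # legitimate and correctly configured
    if any(result == "pass" for _, result in src["raw_dkim"] + src["raw_spf"]):
        return "unaligned"        # authenticates as another domain: usually a vendor that
                                  # needs to sign with a DKIM key under your domain
    return "unauthenticated"      # nothing passed: misconfigured source or spoofing


def parse_report(xml_text: str) -> dict:
    """Extract the per-source rows a domain owner actually acts on.

    Reports come from many third parties and are untrusted input; in
    production parse them with defusedxml rather than plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    report = {"reporter": _text(root, "report_metadata/org_name"),
              "domain": _text(pub, "domain"), "policy": _text(pub, "p"), "sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        src = {
            "ip": _text(row, "source_ip"),
            "count": int(_text(row, "count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "disposition": _text(evaluated, "disposition"),
            # policy_evaluated holds the *aligned* verdicts DMARC itself reached...
            "dkim_aligned": _text(evaluated, "dkim") == "pass",
            "spf_aligned": _text(evaluated, "spf") == "pass",
            # ...while auth_results holds the raw results, whatever domain they were for.
            "raw_dkim": [(_text(d, "domain"), _text(d, "result")) for d in rec.findall("auth_results/dkim")],
            "raw_spf": [(_text(s, "domain"), _text(s, "result")) for s in rec.findall("auth_results/spf")],
        }
        src["verdict"] = classify(src)
        report["sources"].append(src)
    return report


def summarize(report: dict) -> dict:
    """Message counts per verdict plus the share that would survive p=reject today."""
    totals = defaultdict(int)
    for src in report["sources"]:
        totals[src["verdict"]] += src["count"]
    total = sum(totals.values())
    return {"by_verdict": dict(totals), "total": total,
            "aligned_pct": round(100 * totals.get("aligned", 0) / total, 1) if total else 0.0}
```

The "unaligned" bucket is where most of the rollout work lives: the 203.0.113.5 source above passes SPF and DKIM for mailer.example, so it is probably a legitimate service sending on your behalf, and it will be quarantined or rejected the moment you tighten the policy unless it signs with your domain.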
Benefits of Implementing DMARC
Implementing DMARC delivers tangible benefits for any organisation:
- Prevents email spoofing — at p=reject, stops phishing emails that put your exact domain in the From header from reaching recipients at receivers that enforce DMARC (it does not cover lookalike domains or display-name tricks, which need other controls)
- Improves email deliverability — authenticated emails are more likely to reach the inbox rather than spam folders
- Provides visibility — aggregate reports show you exactly who is sending email using your domain
- Protects brand reputation — helps keep your domain from being associated with spam or malicious emails
- Meets compliance requirements — many industry standards and government mandates now require DMARC
Getting Started with DMARC Dashboard
The first step is understanding where you stand. Use DMARC Dashboard to check your domain's current email authentication configuration for free. Our tool analyses your DMARC, SPF, DKIM, and MX records in seconds and gives you a clear grade with specific recommendations.
If you don't have a DMARC record yet, start with a monitoring policy (p=none) and add a reporting address. Review your aggregate reports to identify every legitimate email source, including third-party services such as marketing platforms, ticketing systems and invoicing tools, and get each one to pass aligned SPF or DKIM (usually by adding the service to your SPF record or having it sign with a DKIM key under your domain). Only then tighten your policy to quarantine and eventually reject, using pct= to ramp up gradually if you want extra caution. This phased approach ensures you don't accidentally block legitimate email during the transition.