DMARC
Tie SPF and DKIM together with policy enforcement and reporting.
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together, telling receivers what to do when authentication fails and providing visibility through aggregate reports.
How DMARC Works
- Publish a DMARC policy in DNS at _dmarc.example.com
- Receiving servers check if the email passes SPF or DKIM
- They verify the authenticated domain aligns with the From header
- Based on your policy, they quarantine, reject, or allow failing emails
- Aggregate reports are sent to the address you specify
DMARC Record Syntax
# DMARC record location
_dmarc.example.com

# Full DMARC record example
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; fo=1;

# Tag breakdown:
# v=DMARC1 - Version (required, must be first)
# p=       - Policy for domain (none, quarantine, reject)
# sp=      - Policy for subdomains (inherits p= if not set)
# adkim=   - DKIM alignment (r=relaxed, s=strict)
# aspf=    - SPF alignment (r=relaxed, s=strict)
# pct=     - Percentage of messages to apply policy to (1-100)
# rua=     - Aggregate report destination (mailto: or https:)
# ruf=     - Forensic report destination (often not honored)
# fo=      - Failure reporting options (0, 1, d, s)
# ri=      - Reporting interval in seconds (default: 86400)
DMARC Policies
| Policy | Action | Use Case |
|---|---|---|
| p=none | Monitor only, no action taken | Initial deployment, data gathering |
| p=quarantine | Send failing emails to spam/junk | Transition phase, testing enforcement |
| p=reject | Block failing emails entirely | Full protection, production goal |
Safe DMARC Rollout
Don't jump straight to p=reject. Follow this progression to avoid blocking legitimate email:
Monitor Mode (p=none)
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Collect reports without affecting delivery. Analyze who's sending as your domain. Run for 2-4 weeks minimum.
Quarantine Mode (p=quarantine)
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
Start sending failing emails to spam. Begin at pct=10 and increase gradually to 100 over several weeks.
Reject Mode (p=reject)
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com
Full protection. Failing emails are rejected outright. This is the goal for maximum security.
Don't Rush to Reject
Moving to p=reject too quickly can block legitimate email from marketing tools, CRM systems, or other third parties you forgot about. Always analyze your DMARC reports thoroughly first.
DMARC Alignment
DMARC requires the authenticated domain to "align" with the From header domain:
- Relaxed alignment (default) — Authenticated domain can be a subdomain of the From domain (mail.example.com aligns with example.com).
- Strict alignment — Authenticated domain must exactly match the From domain. Provides stronger protection but less flexibility.
| From Header | Authenticated Domain | Relaxed | Strict |
|---|---|---|---|
| example.com | example.com | Pass | Pass |
| example.com | mail.example.com | Pass | Fail |
| example.com | other.com | Fail | Fail |
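As an added example (not code from the original page), the following Python parses a record in the syntax described above and reproduces the alignment table: strict requires an exact match, relaxed compares organizational domains. The org_domain() helper is a simplification that takes the last two labels; a real receiver consults the Public Suffix List, so that part is an assumption.

```python
# Added example: parse a DMARC record and evaluate SPF/DKIM identifier alignment.
# org_domain() is a placeholder (last two labels); real receivers use the Public Suffix List.

def org_domain(domain: str) -> str:
    """Return the organizational domain (simplified: last two labels, wrong for e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into tags; v=DMARC1 must come first, p= is required."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= when sp= is absent
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_result(record: str, from_domain: str,
                 spf_domain: str = None, dkim_domain: str = None) -> str:
    """Return 'pass', or the p= action a receiver applies when neither identifier aligns.

    spf_domain / dkim_domain are the domains that passed SPF / DKIM (None = did not pass).
    pct= sampling and the subdomain sp= policy are not modelled here.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]
```

With the strict record from the syntax section, a message whose SPF domain is mail.example.com but whose From header is example.com evaluates to "reject"; under the relaxed quarantine record it passes.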
Subdomain Policy (sp=)
By default, subdomains inherit the parent domain's policy. Use sp= to set a different policy for subdomains:
- sp=none — Subdomains in monitor mode (useful during transition)
- sp=reject — Subdomains fully protected (prevents subdomain spoofing)
Example DMARC Records
# Starter: Monitor mode with reports
v=DMARC1; p=none; rua=mailto:dmarc@example.com
# Transition: Quarantine 50% of failing emails
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com
# Full protection: Reject with strict alignment
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com