What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers what to do when SPF or DKIM fails.
It protects your domain from:
- Spoofing
- Phishing
- Brand impersonation
DMARC also provides reporting so you can see who is sending email as your domain.
Is DMARC required?
DMARC is strongly recommended for all domains sending email.
Major providers (Gmail, Yahoo, Outlook) increasingly expect DMARC.
What happens without DMARC?
- Emails may still deliver, but with lower trust
- Spoofed emails are harder to detect
- Domain reputation is weaker
Recommended DMARC starter policy
Start with monitoring mode (safe and non-disruptive).
Recommended DMARC record:
Explanation:
p=none→ monitor only (no blocking)rua→ aggregate reportsruf→ forensic reports (optional)fo=1→ generate reports on any failure
Should I use “quarantine” or “reject”?
Only after:
- SPF is passing
- DKIM is passing
- You understand DMARC reports
Advanced policies:
Using reject too early can block legitimate mail.
How long does DMARC take to work?
- Policy applies after DNS propagation
- Reports may take 24–72 hours to start arriving
Where do DMARC reports go?
Reports are sent to the email address specified in:
You may use:
- A dedicated mailbox
- A third-party DMARC reporting service
