DMARC for Beginners: Policies, Alignment and Enforcement
Learn what DMARC is, how SPF and DKIM alignment work, what p=none, quarantine and reject mean, and how to enforce DMARC safely.
Introduction
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication policy that tells receiving mail servers what to do when messages fail authentication checks.
DMARC works with SPF and DKIM. It checks whether SPF or DKIM passes and whether the authenticated domain aligns with the visible From domain. This helps domain owners monitor abuse, reduce spoofing and gradually move toward stronger enforcement.
Quick answer
DMARC tells receiving mail servers how to handle messages that fail SPF and DKIM alignment. A basic DMARC record is published at _dmarc.example.com and includes a policy such as p=none, p=quarantine or p=reject. Start with p=none for monitoring, then move toward enforcement after reviewing reports.
What is DMARC?
DMARC is an email authentication policy published as a DNS TXT record. It helps domain owners control how receivers handle messages that appear to come from their domain but fail authentication.
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
This example tells receivers to monitor DMARC results and send aggregate reports to dmarc@example.com.
DMARC does not work alone. It depends on SPF and DKIM being configured correctly.
How DMARC works
- A receiving mail server receives a message.
- It checks SPF and DKIM authentication.
- It checks whether SPF or DKIM aligns with the visible From domain.
- It looks up the domain’s DMARC policy.
- It applies the policy if authentication and alignment fail.
- It may send aggregate reports to the address listed in rua.
A message passes DMARC if either SPF passes with alignment or DKIM passes with alignment. DMARC does not require both, but at least one aligned method must pass.
DMARC policies
p=none
- Meaning: Monitor only.
- Effect: Receivers collect/report results but are not instructed to block or quarantine.
- Best use: Starting point while discovering legitimate senders.
v=DMARC1; p=none; rua=mailto:dmarc@example.com
p=quarantine
- Meaning: Treat failing mail as suspicious.
- Effect: Receivers may place failing messages into spam or quarantine.
- Best use: Intermediate enforcement after reports are reviewed.
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
p=reject
- Meaning: Reject failing mail.
- Effect: Receivers are instructed to reject messages that fail DMARC.
- Best use: Strong enforcement after all legitimate senders are authenticated.
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Do not jump directly to p=reject unless SPF, DKIM and legitimate senders are already reviewed.
DMARC alignment
DMARC alignment means the authenticated SPF or DKIM domain must match, or be related to, the visible From domain.
Example — visible From: user@example.com. Aligned DKIM domain: example.com. Aligned SPF / Return-Path domain: example.com or a valid aligned subdomain, depending on alignment mode.
This is why SPF or DKIM can pass but DMARC can still fail. The authentication must align with the domain users see in the From address.
Relaxed alignment is common in many provider setups, but the authenticated domain still needs to align with the visible From domain according to DMARC rules.
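The evaluation described under "How DMARC works" and the alignment rule above can be traced with a short added example; it is not code from the original guide. The suffix set is a constructed stand-in for the Public Suffix List, the domains are reserved example names, and aspf and adkim are the standard DMARC alignment-mode tags, which this guide does not otherwise cover.

```python
# Added example (not from the original guide): DMARC evaluation for one message.
# ORG_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
ORG_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ORG_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim, policy, aspf="r", adkim="r"):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks.
    Returns (dmarc_result, action the published policy asks the receiver to take)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "deliver"
    return "fail", {"none": "deliver and report", "quarantine": "quarantine",
                    "reject": "reject"}[policy]

if __name__ == "__main__":
    # Constructed cases: (label, From domain, SPF, DKIM, policy, adkim)
    cases = [
        ("provider defaults, nothing aligned", "example.com",
         ("pass", "bounce.example.net"), ("pass", "example.net"), "quarantine", "r"),
        ("DKIM signed by a subdomain, relaxed", "example.com",
         ("pass", "bounce.example.net"), ("pass", "mail.example.com"), "reject", "r"),
        ("same message, strict DKIM alignment", "example.com",
         ("pass", "bounce.example.net"), ("pass", "mail.example.com"), "reject", "s"),
    ]
    for label, frm, spf, dkim, policy, adkim in cases:
        print(label, "->", evaluate(frm, spf, dkim, policy, adkim=adkim))
```

The first case is the one that surprises most teams: SPF and DKIM both pass, yet DMARC fails because neither authenticated domain belongs to the From domain.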
Why this matters
DMARC matters because it gives domain owners visibility and control over mail claiming to come from their domain. Without DMARC, spoofed messages may be harder to detect, and domain owners may not receive reports about authentication failures.
DMARC also helps protect brand trust, but it must be deployed carefully to avoid blocking legitimate mail.
How to check DMARC
Use DMARC Checker to inspect the DMARC TXT record, policy, reporting addresses and alignment settings.
When checking DMARC, review
These five checks help confirm DMARC is configured correctly.
Record location
DMARC should be published at _dmarc.yourdomain.com.
Policy
Check whether the domain uses p=none, p=quarantine or p=reject.
Reporting address
Check whether rua is present if reports are needed.
SPF and DKIM readiness
DMARC enforcement should not move ahead until legitimate senders pass SPF or DKIM alignment.
Subdomain policy
Check whether sp is configured if subdomains send mail independently.
Common problems
DMARC record missing
Medium: No DMARC TXT record exists at _dmarc.yourdomain.com.
Next step: Start with a monitoring record such as p=none and a valid rua address.
DMARC record added at wrong hostname
High: The record may be added at the root domain instead of _dmarc.yourdomain.com.
Next step: Publish the TXT record at the correct _dmarc hostname.
No reporting address
Low: A policy without rua may work, but you will not receive aggregate reports.
Next step: Add a monitored reporting address or DMARC report service.
Policy too strict too soon
High: Moving to quarantine or reject before legitimate senders are aligned can block real mail.
Next step: Review reports and fix SPF/DKIM alignment before enforcement.
SPF or DKIM not aligned
Medium: SPF or DKIM may pass but not align with the visible From domain.
Next step: Configure provider authentication and domain alignment.
Subdomains not covered intentionally
Low: Subdomains may inherit policy or use separate DMARC records depending on setup.
Next step: Review subdomain mail flows and add sp or subdomain records where needed.
Multiple DMARC records
High: Publishing more than one DMARC TXT record can cause validation problems.
Next step: Merge settings into a single DMARC record.
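Several of the record-level problems above can be caught mechanically. The following added example, which is not code from the original guide or from DMARC Checker, lints the TXT strings returned for a domain; the function names are hypothetical, and the severities for an invalid p value and a non-mailto rua are assumptions, since the guide does not rate them.

```python
# Added example (not from the original guide): lint the TXT answers for a domain.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_dmarc(txt):
    return txt.strip().strip('"').lower().startswith("v=dmarc1")

def lint_dmarc(dmarc_txt, root_txt=()):
    """dmarc_txt: TXT strings found at _dmarc.<domain>; root_txt: TXT strings at
    the root domain. Returns (severity, message) pairs using the guide's labels."""
    records = [t for t in dmarc_txt if is_dmarc(t)]
    if not records:
        if any(is_dmarc(t) for t in root_txt):
            return [("High", "DMARC record is at the root, not the _dmarc hostname")]
        return [("Medium", "no DMARC record at the _dmarc hostname")]
    if len(records) > 1:
        return [("High", f"{len(records)} DMARC records published; merge into one")]
    tags, findings = parse_tags(records[0]), []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:  # severity is an assumption
        findings.append(("High", f"missing or invalid p= value: {policy!r}"))
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append(("Low", "no rua address; no aggregate reports will arrive"))
    elif not all(u.lower().startswith("mailto:") for u in uris):  # assumed severity
        findings.append(("Medium", "rua contains a URI that is not mailto:"))
    if "sp" not in tags and policy in VALID_POLICIES:
        findings.append(("Low", f"no sp tag; subdomains inherit p={policy}"))
    return findings

if __name__ == "__main__":
    # Constructed TXT answers, as returned by: dig +short _dmarc.example.com TXT
    print(lint_dmarc(['"v=DMARC1; p=reject"']))
    print(lint_dmarc([], root_txt=['"v=spf1 -all"', '"v=DMARC1; p=none"']))
```

Alignment problems and "policy too strict too soon" cannot be seen in the record itself; they only show up in aggregate reports.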
How to set up DMARC
- Step 1: Fix SPF and DKIM first
  Make sure legitimate sending services can pass SPF or DKIM and preferably align with the visible From domain.
- Step 2: Start with monitoring
  Publish a basic DMARC record with p=none to collect reports without enforcement.
- Step 3: Add a reporting address
  Use rua to receive aggregate reports, ideally to a mailbox or service designed for DMARC reports.
- Step 4: Review reports
  Identify legitimate senders, unknown sources, forwarding behavior and authentication failures.
- Step 5: Fix legitimate senders
  Enable DKIM, adjust SPF and configure provider domains so legitimate mail aligns.
- Step 6: Move gradually to enforcement
  After reports look clean, consider p=quarantine, then p=reject.
- Step 7: Monitor after enforcement
  Continue reviewing reports after policy changes.
DMARC examples
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com
dig _dmarc.example.com TXT
dig +short _dmarc.example.com TXT
These examples are illustrative. Use a reporting address you control and do not move to enforcement before checking legitimate senders.
DMARC reports
DMARC aggregate reports show which sources are sending mail for your domain and whether SPF, DKIM and alignment passed. Reports are usually sent in XML format to the address listed in the rua tag.
Raw DMARC reports can be difficult to read manually. Many domains use a DMARC report service to parse and summarize them.
Moving to enforcement
- p=none for monitoring
- Fix SPF and DKIM alignment
- p=quarantine for partial enforcement
- p=reject for strong enforcement
Some domains also use pct to apply enforcement gradually, but beginners should understand reports first.
Frequently asked questions
Can I start DMARC with p=none?
Yes. p=none is the recommended starting point for monitoring because it does not instruct receivers to quarantine or reject mail.
Does DMARC replace SPF or DKIM?
No. DMARC depends on SPF and DKIM results and alignment.
What is DMARC alignment?
Alignment means the authenticated SPF or DKIM domain matches, or is related to, the visible From domain.
Can SPF pass but DMARC fail?
Yes. SPF can pass but fail DMARC alignment if the authenticated domain does not align with the visible From domain.
What is the difference between quarantine and reject?
quarantine tells receivers to treat failing mail as suspicious, often spam. reject tells receivers to reject failing mail.
Should I move directly to p=reject?
Only if you have already verified all legitimate senders and authentication alignment. Most domains should monitor first.
Do I need DMARC reports?
Reports are very useful because they show who is sending mail for your domain and whether authentication passes.