What Is DMARC

Learn what DMARC is, how policies work, alignment with SPF and DKIM, reporting, and safe enforcement progression.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 5 min read | Beginner

Introduction

DMARC builds on SPF and DKIM by adding policy and reporting. A message needs at least one of SPF or DKIM to pass and align with the From domain for DMARC to pass.

DMARC aggregate reports (rua) help you see who sends mail using your domain before enforcing strict policies.

Quick answer

DMARC tells receiving mail servers what to do when SPF or DKIM fail or do not align with the visible From address. It is published as a TXT record at _dmarc.yourdomain.com. Start with p=none to monitor, then move to quarantine or reject when legitimate mail passes consistently.

What it means

DMARC policies include p=none (monitor), p=quarantine (spam folder), and p=reject (block). Alignment means the authenticated domain matches the From domain.

  • Published at _dmarc.domain — note the underscore prefix
  • p= tag sets policy for the organizational domain
  • rua= sends aggregate reports to an email address
  • Requires working SPF and/or DKIM with alignment
  • sp= sets subdomain policy when needed

Where you see this:

  • Brand protection against domain spoofing
  • Email authentication compliance for major providers
  • Monitoring unauthorized senders via aggregate reports
  • Progressive enforcement: none → quarantine → reject

Example

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Do not use p=reject until legitimate senders pass DMARC consistently. Strict enforcement without preparation can block real mail.

Why this matters

Without DMARC, you have no published policy for authentication failures and limited visibility into spoofing. Weak DMARC leaves your domain easier to abuse in phishing.

How to check it

  1. Run DMARC Checker on your domain.
  2. Confirm TXT exists at _dmarc.yourdomain.com (not root).
  3. Verify v=DMARC1 and p= policy tag are present.
  4. Check SPF and DKIM pass and align in test message headers.
  5. Review aggregate reports before tightening policy.

Common mistakes

No _dmarc record published

Severity: High

Domain has no DMARC policy in DNS.

Next step: Add starter record with p=none and rua reporting.

DMARC added to root domain

Severity: High

Record at example.com instead of _dmarc.example.com.

Next step: Move DMARC TXT to the _dmarc hostname.

p=reject before SPF/DKIM ready

Severity: High

Legitimate mail fails while authentication is still broken.

Next step: Start with p=none, fix sources, then enforce gradually.

Multiple DMARC records

Severity: High

More than one DMARC TXT at _dmarc is invalid.

Next step: Keep a single merged DMARC record.
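
The DNS checks from steps 2 and 3 of "How to check it", combined with the mistakes listed above, as an added Python example (not CheckDomainHealth's own code). The zone data is constructed, the finding names are made up for this illustration, and flagging quarantine or reject without rua= is this example's assumption, drawn from the advice to review aggregate reports before tightening policy.

```python
# Added example: offline audit of TXT data for the DMARC mistakes listed above.
# ZONE is constructed sample data standing in for real DNS TXT answers.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "root.example": ["v=DMARC1; p=none; rua=mailto:dmarc@root.example"],
    "_dmarc.dup.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject"],
}

def is_dmarc(txt):
    """True only when the first tag is exactly v=DMARC1."""
    name, _, value = txt.split(";", 1)[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"

def parse_tags(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict keyed by tag name."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit(domain, zone):
    """Return a list of finding names (hypothetical labels) for one domain."""
    findings = []
    # A DMARC record published at the root name is never consulted.
    if any(is_dmarc(t) for t in zone.get(domain, [])):
        findings.append("dmarc-at-root")
    records = [t for t in zone.get("_dmarc." + domain, []) if is_dmarc(t)]
    if not records:
        return findings + ["no-dmarc-record"]
    if len(records) > 1:
        return findings + ["multiple-dmarc-records"]
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing-or-invalid-p")
    if "rua" not in tags:
        # Assumption of this example: enforcing with no reports is the riskier case.
        enforcing = policy in ("quarantine", "reject")
        findings.append("enforcing-without-rua" if enforcing else "no-rua-reporting")
    return findings

if __name__ == "__main__":
    for d in ("example.com", "root.example", "dup.example", "strict.example"):
        print(d, audit(d, ZONE) or "ok")
```

To run it against live DNS, replace ZONE with the TXT answers for the domain and for its _dmarc hostname.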

Example

Starter DMARC record
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Frequently asked questions

Where does DMARC go in DNS?

At _dmarc.yourdomain.com as a TXT record.

What is DMARC alignment?

The domain that passes SPF or DKIM must match the visible From domain (exact or relaxed per policy).

Can DMARC work without SPF and DKIM?

No. DMARC depends on at least one of SPF or DKIM passing and aligning.

What are DMARC aggregate reports?

XML summaries (rua) showing sending sources and pass/fail results, usually sent daily.
