What Is DMARC
Learn what DMARC is, how policies work, alignment with SPF and DKIM, reporting, and safe enforcement progression.
Introduction
DMARC builds on SPF and DKIM by adding policy and reporting. A message needs at least one of SPF or DKIM to pass and align with the From domain for DMARC to pass.
DMARC aggregate reports (rua) help you see who sends mail using your domain before enforcing strict policies.
Quick answer
DMARC tells receiving mail servers what to do when SPF or DKIM fail or do not align with the visible From address. It is published as a TXT record at _dmarc.yourdomain.com. Start with p=none to monitor, then move to quarantine or reject when legitimate mail passes consistently.
What it means
DMARC policies include p=none (monitor), p=quarantine (spam folder), and p=reject (block). Alignment means the authenticated domain matches the From domain.
- Published at _dmarc.domain — note the underscore prefix
- p= tag sets policy for the organizational domain
- rua= sends aggregate reports to an email address
- Requires working SPF and/or DKIM with alignment
- sp= sets subdomain policy when needed
Where you see this:
- Brand protection against domain spoofing
- Email authentication compliance for major providers
- Monitoring unauthorized senders via aggregate reports
- Progressive enforcement: none → quarantine → reject
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
Do not use p=reject until legitimate senders pass DMARC consistently. Strict enforcement without preparation can block real mail.
Why this matters
Without DMARC, you have no published policy for authentication failures and limited visibility into spoofing. Weak DMARC leaves your domain easier to abuse in phishing.
How to check it
- Run DMARC Checker on your domain.
- Confirm TXT exists at _dmarc.yourdomain.com (not root).
- Verify v=DMARC1 and p= policy tag are present.
- Check SPF and DKIM pass and align in test message headers.
- Review aggregate reports before tightening policy.
Check DMARC record
Use DMARC Checker to verify policy, alignment and reporting addresses.
Common mistakes
No _dmarc record published
HighDomain has no DMARC policy in DNS.
Next step: Add starter record with p=none and rua reporting.
DMARC added to root domain
HighRecord at example.com instead of _dmarc.example.com.
Next step: Move DMARC TXT to the _dmarc hostname.
p=reject before SPF/DKIM ready
HighLegitimate mail fails while authentication is still broken.
Next step: Start with p=none, fix sources, then enforce gradually.
Multiple DMARC records
HighMore than one DMARC TXT at _dmarc is invalid.
Next step: Keep a single merged DMARC record.
Example
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
Frequently asked questions
Where does DMARC go in DNS?
At _dmarc.yourdomain.com as a TXT record.
What is DMARC alignment?
The domain that passes SPF or DKIM must match the visible From domain (exact or relaxed per policy).
Can DMARC work without SPF and DKIM?
No. DMARC depends on at least one of SPF or DKIM passing and aligning.
What are DMARC aggregate reports?
XML summaries (rua) showing sending sources and pass/fail results, usually sent daily.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Glossary guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!