What Is DMARC? Email Security Protocol Explained
DMARC tells receiving mail servers what to do when an email fails authentication checks — reject it, quarantine it, or let it through. It is the enforcement layer that makes SPF and DKIM effective against domain spoofing and email fraud.
Nathan Hill-Haimes
Technical Director
Why DMARC exists
SPF and DKIM each address specific aspects of email authentication, but neither, on its own, tells receiving mail servers what to do when authentication fails. A message could fail SPF — meaning it was sent from an unauthorised IP — and most mail servers would still deliver it, perhaps with a reduced trust score. DMARC (Domain-based Message Authentication, Reporting and Conformance) completes the picture by providing a policy that instructs receiving servers explicitly how to handle authentication failures, and by feeding reporting back to domain owners.
DMARC was created by a coalition of major technology companies and email providers and published as an IETF standard (RFC 7489) in 2015. Adoption has grown significantly since then, particularly following Google and Yahoo's 2024 requirements for bulk email senders. The NCSC recommends DMARC implementation as a baseline email security control for all UK organisations.
How DMARC works
DMARC is published as a TXT record in your domain's DNS at the address _dmarc.yourdomain.co.uk. A typical DMARC record looks like:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.co.uk; ruf=mailto:dmarc-forensics@yourdomain.co.uk; pct=100
The key components are:
- v=DMARC1: Identifies this as a DMARC record
- p=reject: The policy — what to do with email that fails. Options are none (take no action), quarantine (send to spam), or reject (refuse delivery)
- rua=: The email address to receive aggregate reports — summaries of all email from your domain and authentication results
- ruf=: The email address for forensic reports — individual copies of failing messages
- pct=100: The percentage of failing email to apply the policy to. Starting at a lower percentage (e.g., pct=10) during rollout allows gradual implementation
DMARC alignment
DMARC introduces a concept called alignment: for DMARC to pass, the domain used in the SPF or DKIM check must align with the From header domain that recipients see. This closes a gap where an attacker might construct a message that passes SPF (from an authorised server for a different domain) but displays a spoofed From header.
There are two alignment modes:
- Strict alignment: The domains must match exactly
- Relaxed alignment (default): The authenticated domain can be a subdomain of the From header domain —
mail.amvia.co.ukauthenticating foramvia.co.ukwould pass relaxed alignment
For most businesses, relaxed alignment is appropriate. Strict alignment is occasionally needed to prevent subdomain impersonation in high-security environments.
DMARC aggregate reports (RUA)
Aggregate reports are sent daily by participating receiving mail servers and provide a summary of all email from your domain, including: the sending IP addresses, whether SPF and DKIM passed or failed, which policy was applied, and the volume of messages processed. These reports are in XML format and require a DMARC reporting service or tool to parse into readable dashboards.
Services such as DMARC Analyzer, Postmark DMARC, Valimail and DMARCian provide free or low-cost reporting dashboards. Reading your aggregate reports during the initial DMARC rollout is essential — they reveal all the services sending email on behalf of your domain, including those you may have forgotten about or not intended to permit.
The rollout process
Jumping directly to p=reject is risky without preparation, as it can block legitimate email from services that are not yet properly authenticated. The safe rollout process is:
- Configure SPF and DKIM for all legitimate sending sources
- Deploy DMARC with p=none and configure RUA reporting
- Review aggregate reports over 2-4 weeks to identify all sending sources and their authentication pass rates
- Resolve any SPF or DKIM failures on legitimate sources
- Advance to p=quarantine (initially at low pct, increasing to 100%)
- Monitor for false positives over 2-4 weeks
- Advance to p=reject
The entire rollout typically takes 6-12 weeks. Attempting to shortcut this process frequently results in legitimate email being blocked and pressure to revert to p=none.
DMARC and subdomain policy
By default, a DMARC policy applies to the exact domain and its subdomains. The sp= tag allows a separate policy for subdomains. This is relevant for organisations that use subdomains for different purposes (marketing email from mail.domain.co.uk, transactional email from notify.domain.co.uk) and want different policies to apply.
AMVIA configures DMARC from initial deployment through to p=reject enforcement for UK businesses, managing the reporting analysis and SPF/DKIM remediation that a safe rollout requires.
What Is Your Current DMARC Policy?
Many businesses have DMARC in monitoring mode (p=none) and have never progressed to enforcement. AMVIA can review your current configuration and manage the rollout to p=reject safely.
Frequently Asked Questions
p=none is monitoring mode — failing emails are still delivered but data is collected in reports. p=quarantine instructs receiving servers to deliver failing emails to the spam folder rather than the inbox. p=reject instructs receiving servers to refuse delivery of failing emails entirely. p=reject provides the strongest protection against domain spoofing.
A correctly configured DMARC policy improves deliverability for legitimate email by providing receiving servers with clear authentication signals. Problems only arise if legitimate sending sources have not been correctly configured for SPF and DKIM before advancing to quarantine or reject. DMARC aggregate reports identify these sources before enforcement, allowing issues to be resolved.
DMARC stops spoofing of your exact domain in the From header. It does not prevent typosquatting (using a domain that looks similar to yours), display name spoofing (where the From header shows a name but a different domain), or compromised legitimate account attacks. These require additional controls: domain monitoring, email gateway impersonation detection, and user awareness.
Yes. Without DMARC, receiving servers that detect SPF or DKIM failures have no policy instruction from you — they apply their own default handling, which may or may not include rejecting spoofed messages. DMARC is the mechanism that turns SPF and DKIM authentication into active protection against spoofing of your domain.
Review your DMARC aggregate reports to identify all sending sources, then verify SPF and DKIM for: your primary Microsoft 365 or Google Workspace email, marketing automation platforms (Mailchimp, HubSpot), transactional email services (SendGrid, Mailgun), helpdesk systems (Zendesk, Freshdesk), CRM platforms that send email, and any other service that sends email on behalf of your domain.
From February 2024, Google and Yahoo require bulk email senders — defined as those sending more than 5,000 emails per day to Gmail or Yahoo addresses — to have a DMARC policy of at least p=none. This requirement applies to any organisation that sends marketing email at scale, and practically functions as a requirement for all organisations that want reliable delivery to major consumer email providers.
Related Reading
What Is DKIM?
How DKIM's cryptographic signing complements DMARC to prevent email tampering and impersonation.
Email Spoofing: How to Detect and Prevent It
How DMARC, DKIM and SPF work together to prevent your domain being spoofed in phishing attacks.
Email Security Fundamentals
Understanding DMARC in the context of the four pillars of complete email security.