DMARC
What is DMARC?
Domain-based Message Authentication, Reporting & Conformance
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a DNS TXT record at `_dmarc.your-domain.com` that tells receiving mail servers what to do when a message from your domain fails SPF or DKIM checks. Options are: `none` (monitor only), `quarantine` (send to spam), `reject` (bounce).
In more detail
DMARC works with SPF and DKIM: SPF says which IPs can send as your domain, DKIM cryptographically signs outgoing messages, DMARC says what receivers should do when those checks fail. Without DMARC, receivers can still deliver spoofed email — DMARC is what tells them to reject.
Start with `p=none` and watch DMARC reports to see which services are sending email on your behalf. Once you have all legitimate senders authenticated, upgrade to `p=quarantine` and eventually `p=reject`.
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100Why this matters
Why builders care
As of 2024, Gmail and Yahoo require DMARC for bulk senders. Without it, your transactional emails (password resets, notifications) can land in spam. It also stops attackers from phishing your users while impersonating your domain.
FAQ
Frequently asked questions
- What if I do not send email from my domain?
- Set `v=DMARC1; p=reject` and `v=spf1 -all`. This tells receivers to reject any email claiming to be from your domain.
Fix guides
Fix DMARC issues
Missing DMARC record
DMARC tells receiving mail servers what to do with email that fails SPF or DKIM — quarantine, reject, or nothing. Here is how to set it up.
Read moreMissing SPF record
Without SPF, anyone can send email that looks like it came from your domain. Here is the one DNS record you need to stop that.
Read moreMissing DKIM record
DKIM signs your outgoing email so receivers can verify it was not tampered with. Here is how to enable it through your email provider.
Read moreFree tools
Check it yourself
Related terms
Keep learning
Sender Policy Framework
SPF is a DNS record listing which IP addresses are allowed to send email from your domain. The first line of email authentication.
Read moreDomainKeys Identified Mail
DKIM is a digital signature on outgoing email, letting receivers verify it came from you and was not tampered with.
Read moreSee where your site stands
Paste a URL, get a score in 60 seconds. Free, no signup.