DMARC
A policy that sits on top of SPF and DKIM, telling receivers what to do with mail that fails authentication — and emailing you reports of who's sending as you.
In plain English
If SPF is the guest list and DKIM is the wax seal, DMARC is the security guard's instruction sheet: “if a message fails both checks, here's what to do with it.” It also mails you a daily summary of everyone sending email in your name — including impersonators and forgotten services.
Without DMARC, spoofers can still slip mail past SPF and DKIM by hiding behind a different envelope address. DMARC closes that gap, and Gmail/Yahoo now require it for bulk senders.
How to fix / set it up
- Set up SPF and DKIM first.
- Publish
v=DMARC1; p=none; rua=mailto:[email protected]at_dmarc.yourdomain.com. - Read the reports for a few weeks, then tighten to
p=quarantineand finallyp=reject.
DMARC Checker →DMARC Generator →
The technical detail
DMARC is a TXT record at _dmarc.yourdomain.com, e.g. v=DMARC1; p=none; rua=mailto:[email protected]. p is the policy: none (monitor), quarantine (spam), reject (block). rua receives aggregate reports.
Roll out in stages: start at p=none with rua to watch, then move to quarantine, then reject once every legitimate sender aligns.
FAQ
Where does the DMARC record go?
As a TXT record at _dmarc.yourdomain.com — not on the root domain.
What policy should I start with?
p=none with a rua address, so you can watch safely before enforcing.