DMARC (Domain-based Message Authentication, Reporting and Conformance) is the email authentication standard that ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication. Without DMARC, attackers can still spoof your domain even if SPF and DKIM are in place.
How DMARC works
You publish a TXT record at _dmarc.yourdomain.com that declares your policy and a reporting address. When a server receives email from your domain, it checks SPF and DKIM, then consults your DMARC record to know whether the message should be delivered, quarantined or rejected — and where to send a daily report.
The three DMARC policies
| Policy | What it does | When to use it |
|---|---|---|
p=none | Monitor only — deliver everything, send reports | Always start here for 2–4 weeks |
p=quarantine | Send unauthenticated mail to spam | After SPF/DKIM are stable for all senders |
p=reject | Reject unauthenticated mail outright | Final state for full protection |
Sample DMARC record
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Key tags: p = policy, rua = aggregate reports, ruf = forensic reports, fo=1 = report any failure. See configure DMARC with Mailpro for the recommended setup.
Reading DMARC reports
Receivers send daily XML reports to your rua address. They show how many messages passed/failed and from which IPs. Use a free DMARC analyzer to turn the XML into a readable dashboard. Mailpro’s DMARC monitoring guide explains what to look for.
DMARC + SPF + DKIM
DMARC is only as strong as the standards it enforces. Make sure both SPF and DKIM are configured for every sending source before tightening the policy.
Add DMARC in 5 minutes
Mailpro provides ready-to-paste DMARC records and aggregate report monitoring. Visit the DMARC configuration page and read the full DMARC FAQ.