What Is DMARC (Domain‑based Message Authentication, Reporting, and Conformance)?

September 02, 2025By DMARCFlow Team

Domain‑based Message Authentication, Reporting, and Conformance, better known as DMARC, is an email authentication standard designed to stop spammers from impersonating your domain. It gives domain owners a way to tell receiving servers how to handle messages that fail Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks. By doing so it helps prevent business email compromise, phishing and other scams that rely on forged sender addresses. DMARC also provides reporting so you can see who is sending on your behalf and whether those emails are passing authentication.

Understanding DMARC and Its Components

DMARC builds on SPF and DKIM. SPF allows a domain owner to publish the IP addresses or mail servers that are authorized to send email on its behalf. DKIM uses cryptographic signatures to prove that an email's content and From field have not been altered in transit. DMARC ties these together: it checks that the domain shown in the From header aligns with the domains used in SPF and DKIM. If either SPF or DKIM passes and the domains are aligned, DMARC passes. Otherwise, it fails.

A DMARC record is a simple text record placed in DNS under the subdomain _dmarc.yourdomain.com. It contains a series of tags and values separated by semicolons. The most important tags include:

  • v: The version of DMARC. It must be DMARC1.
  • p: The policy applied when a message fails authentication. Options are none, quarantine or reject.
  • rua: The address (or addresses) where aggregate reports should be sent. Reports are typically sent once a day.
  • ruf: The address used for failure (forensic) reports. These reports contain header information about individual failed messages and are sent in real time when supported.
  • adkim and aspf: Alignment modes for DKIM and SPF. The value r sets relaxed alignment (the organizational domains must match) while s sets strict alignment (the domains must be identical).
  • pct: The percentage of failing messages to which the policy should be applied. This can be used to roll out enforcement gradually.
  • sp: A separate policy for sub‑domains. If omitted, sub‑domains follow the main policy.

Here is an example of a DMARC record for a domain that wants to reject all emails that fail authentication and receive daily reports:

v=DMARC1; p=reject; rua=mailto:dmarcreports@example.com; ruf=mailto:dmarc-errors@example.com; adkim=s; aspf=s; pct=100;

The policy tag (p) controls how strictly receivers handle non‑compliant messages. Each level is summarised below.

Policy What it means Message handling Use case
none Monitoring only Deliver all messages Initial deployment when gathering data
quarantine Suspicious messages Route to spam or junk Intermediate phase after issues are addressed
reject Strict enforcement Drop non‑compliant messages Final state when confidence is high

How DMARC Works with SPF and DKIM

When a mail server receives an email, it performs a series of checks. First, it looks up the domain in the visible From address and searches DNS for a DMARC record. If there is no record, the mail server falls back to its own anti‑spam policies. If there is a record, the server checks SPF and DKIM as specified by the domain owner:

  1. The server checks the sending IP address against the SPF record for the domain listed in the envelope‑from (return‑path) address. If the IP is authorised and the domain aligns with the visible From domain, the SPF portion of DMARC passes.
  2. The server verifies any DKIM signatures in the email header. If at least one signature is valid and the domain in the d tag aligns with the visible From domain, the DKIM portion of DMARC passes.
  3. If either the SPF or DKIM test passes and the corresponding domain aligns, the overall DMARC test is considered a pass. If both fail or alignment fails, DMARC fails.
  4. Based on the p tag, the server will deliver, quarantine or reject the message. Receivers may also override the policy in certain cases (for example local whitelists) but must report the reason.
  5. Once per day, the receiver compiles an aggregate report and sends it to the address listed in rua. If the ruf tag is present and the receiver supports forensic reports, individual failure reports may be sent in real time.

Alignment is a key concept in DMARC. Strict alignment requires that the domain names in SPF, DKIM and the From header are identical. Relaxed alignment allows them to share the same organizational domain. For example, newsletter.example.com aligns with example.com in relaxed mode but not in strict mode. Choosing the right alignment mode helps maintain deliverability while preventing spoofing.

Why DMARC Matters

Email remains a primary vector for cybercrime. Phishing, business email compromise and ransomware often start with spoofed messages. Research shows that a large portion of network attacks leverage email and that almost 90 percent of phishing attacks do not carry malware, relying instead on social engineering. Without DMARC, attackers can forge your domain in the visible From field even if you have SPF and DKIM configured. They can trick your customers, suppliers or employees and harm your brand.

Adoption of DMARC has grown rapidly. Major providers such as Google, Microsoft and Yahoo support and enforce DMARC when a sender publishes a record. Billions of mailboxes worldwide honour DMARC, and adoption on the sending side continues to rise. More than seven million domains publish DMARC records and the number is increasing each quarter. In October 2023 Gmail and Yahoo announced that bulk senders must have DMARC enabled to ensure inbox delivery. Organizations that lag behind risk having their messages delivered to spam folders or rejected outright.

Implementing DMARC improves email security and enhances deliverability. When receivers know that your domain is protected by DMARC they are more likely to trust your messages. DMARC also unlocks other standards such as Brand Indicators for Message Identification (BIMI) that display your brand logo in compatible inboxes. Beyond security, DMARC gives visibility into who is sending email for your domain. The reports highlight legitimate senders, misconfigured services and malicious actors. This insight allows you to tighten your authentication and remove unauthorised sources.

DMARC Reporting and Monitoring

DMARC reporting is a core component of the protocol. Aggregate reports are sent in extensible markup language (XML) format and summarise all authentication results for your domain over a period of time, usually a day. Each record shows the sending IP address, the number of messages, and whether SPF and DKIM passed or failed. Aggregated data makes it easier to identify patterns and see which sources are legitimate and which are suspicious.

Failure reports, sometimes called forensic reports, provide more detailed information about individual messages that failed DMARC. They include portions of the offending email's header, the sending IP address and the reason for failure. Forensic reports are valuable for debugging misconfigurations, though not all providers support them because they may expose personal data. In those cases, aggregate reports remain the primary tool.

Monitoring DMARC reports manually can be challenging. The XML format is verbose and the volume of data can be large, particularly for domains with high email traffic. Turning raw data into actionable insight requires parsing tools and expertise. Effective monitoring involves tracking pass rates, identifying new senders, spotting spikes in failures and investigating anomalies. This can become time‑consuming, especially when you manage multiple domains.

Implementing DMARC Step by Step

Deploying DMARC requires preparation and careful rollout. The following steps provide a high‑level framework:

  1. Prepare your domain. Ensure that you have functional SPF and DKIM records. List all legitimate mail servers and services that send on behalf of your domain. Set up mail forwarding or third‑party services to use your domain correctly.
  2. Publish a monitoring record. Create a DMARC record with p=none, include a rua address and choose relaxed alignment as a starting point. This configuration collects reports without affecting mail delivery.
  3. Analyse reports and fix issues. Review aggregate data to confirm which senders are legitimate and which services are failing authentication. Correct any misconfigurations or update SPF and DKIM. Remove or reconfigure unauthorised senders. Continue monitoring until pass rates are consistent.
  4. Increase enforcement. Change the policy to p=quarantine, optionally starting with a lower pct value to apply the policy to a subset of failing messages. Continue monitoring to ensure that legitimate email is not misdirected.
  5. Move to reject. Once you are confident that all legitimate email is passing authentication, set p=reject and remove or adjust the pct tag. This policy instructs receivers to drop all spoofed messages. Continue monitoring to detect new issues or senders.
  6. Maintain and adapt. DMARC is not a set‑and‑forget technology. Update your records when you add new services or domains. Review reports regularly. Adjust alignment or policies if needed. Consider adding BIMI and monitoring for changes in provider requirements.

During deployment, be aware of potential challenges. Mailing lists and forwarders can break DKIM signatures or alter the From field, causing DMARC to fail for legitimate messages. Some providers rewrite the From address to avoid this. Ad networks, contact forms and other third‑party services can also send on your behalf; they must be configured correctly. Starting with a none policy and gradually increasing enforcement helps catch these issues before they impact delivery.

Why Choosing the Right DMARC Solution Matters

Managing DMARC can be complicated, particularly for organisations with multiple domains, global operations or limited technical resources. Parsing XML reports, tracking hundreds of sending sources and maintaining consistent SPF and DKIM alignment requires time and expertise. Automation and analytics tools simplify this task by collecting reports, normalising data and presenting clear insights.

DMARCFlow is one such solution. Rather than positioning itself as just another vendor, DMARCFlow takes a holistic approach to email authentication. The platform offers:

  • AI‑powered monitoring. Machine learning models detect anomalies, unusual sending patterns and potential spoofing attempts more quickly than manual review. This reduces response time when threats emerge.
  • User‑friendly dashboards. Reports are converted into visual charts and clear summaries. Even non‑technical users can see which sources send email, how many messages pass or fail and where problems arise.
  • Guided setup and record generation. DMARCFlow provides wizards to create SPF, DKIM and DMARC records correctly. It helps flatten complex SPF records and manage multiple selectors, avoiding the common ten‑lookup limit.
  • Cross‑domain management. Organisations can manage many domains and sub‑domains from one interface. Policies can be applied at group level and exceptions handled individually.
  • Comprehensive reporting. Daily and weekly reports summarise both aggregate and forensic data. Visual dashboards highlight trends, new senders and potential abuse. Alerts notify administrators of sudden changes.
  • European data protection. DMARCFlow stores all data exclusively in the European Union and adheres to General Data Protection Regulation (GDPR) requirements. Personal data is not retained. This makes DMARCFlow particularly suitable for European businesses and any organisation subject to strict privacy laws.
  • Rapid deployment. Initial setup can be completed in minutes. A guided wizard walks you through adding DNS records and validating them. There is no need for deep DNS expertise.
  • Transparent pricing and real support. DMARCFlow offers clear plans without hidden fees or volume‑based penalties. Real people assist with setup and troubleshooting, which is valuable when navigating complex email infrastructures.

In practice these features make DMARCFlow well suited to organisations that want strong email security without building in‑house expertise. The AI engine helps catch issues that humans might miss. The focus on GDPR compliance ensures that sensitive data remains within European jurisdictions. The record generator and risk scanner reduce the chance of misconfiguration. For companies that already have some email security in place, DMARCFlow complements secure email gateways and endpoint protection by addressing authentication and brand impersonation.

Conclusion

DMARC is a powerful tool that helps protect your domain from spoofing, phishing and other forms of email abuse. It builds on SPF and DKIM, aligns the visible From address with underlying authentication domains, and gives you control over how non‑compliant messages are handled. It also provides valuable reporting that shines a light on your mail streams. Implementing DMARC takes planning, monitoring and ongoing maintenance, but the benefits are clear: better security, improved deliverability and increased trust.

Choosing the right DMARC solution can make the journey much smoother. With its AI‑powered monitoring, easy‑to‑use dashboards, guided setup and strong data‑protection stance, DMARCFlow offers a pragmatic way to achieve DMARC compliance and stay ahead of evolving email threats. Whether you manage a single domain or many, adopting DMARC and partnering with a capable platform will strengthen your email security posture and protect your brand.