Authentication

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

An email authentication policy that tells receivers how to handle emails that fail SPF and DKIM checks.

Definition

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify how receiving servers should handle emails that fail authentication checks and provides reporting on authentication results. DMARC also requires 'alignment' between the visible From address and the authenticated domain, closing a loophole that SPF and DKIM alone do not address.

Why It Matters

DMARC is becoming essential for email deliverability. Major providers like Google and Yahoo now require DMARC for bulk senders sending over 5,000 emails per day. Beyond deliverability, DMARC protects your brand from email spoofing and phishing attacks that could damage customer trust. Without DMARC, an attacker can send email that passes SPF or DKIM for a domain the attacker controls while the visible From address still shows your domain.

How It Works

When an email arrives, the receiving server checks SPF and DKIM, then compares the results against the sender's DMARC policy (published in DNS as a TXT record at _dmarc.yourdomain.com). The policy specifies what to do with failed emails (p=none, p=quarantine, or p=reject) and where to send aggregate reports (rua=) and forensic reports (ruf=). DMARC also checks 'alignment' - whether the From domain matches the SPF or DKIM authenticated domain.

Example

Here is a DMARC record:

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"

Breaking it down:

  • v=DMARC1 declares this is a DMARC record
  • p=reject tells receivers to reject emails that fail authentication
  • rua=mailto:[email protected] specifies where to send daily aggregate reports
  • pct=100 means apply the policy to 100% of emails

When someone tries to spoof example.com from an unauthorized server, receiving servers will reject the email and send a report to the domain owner showing the attempted abuse.

Best Practices

  1. Start with p=none to collect reports without affecting delivery
  2. Monitor DMARC reports to identify all legitimate sending sources
  3. Gradually move to p=quarantine, then p=reject as you gain confidence
  4. Set up a dedicated email address or use a DMARC reporting service
  5. Ensure all your sending services pass either SPF or DKIM alignment

DMARC Compliance

Sequenzy ensures full DMARC alignment for all emails sent through our platform.

Frequently Asked Questions

A DMARC policy tells receiving servers what to do with emails that fail authentication. Options are: p=none (monitor only, no action), p=quarantine (send to spam folder), and p=reject (block entirely). Start with 'none' to monitor, then gradually move to 'reject' for maximum protection.

DMARC aggregate reports are XML files sent daily to the address in your rua= tag. They are hard to read raw, so use a DMARC reporting service like Postmark, DMARCian, or Valimail to parse and visualize them. Reports show which IPs are sending email for your domain and their authentication results.

Yes, positively. Emails from domains with DMARC are more trusted by receiving servers. Google and Yahoo require DMARC for senders of more than 5,000 emails per day. A strong DMARC policy (p=reject) also enables BIMI, allowing your brand logo to appear next to emails in supported inboxes.