Why It Matters
DMARC is the enforcement layer. SPF and DKIM verify identity, but without DMARC, receiving servers can still choose to deliver emails that fail those checks. DMARC adds a policy — none, quarantine, or reject — that instructs the server what to do with failures. It's also a requirement for BIMI (brand logos in the inbox) and, as of 2024, a requirement for anyone sending more than 5,000 emails per day to Gmail.
How It Works
DMARC is published as a DNS TXT record at _dmarc.yourdomain.com. It specifies your policy (p=none, p=quarantine, or p=reject) and a reporting email address (rua=) to which receivers send their reports. For each incoming message, the receiving server checks whether it passes SPF or DKIM and whether the domain that produced that pass aligns with the From domain. If neither check passes with alignment, the server applies your DMARC policy.
"Alignment" is the key concept. SPF alignment means the domain in the Return-Path (the envelope sender) matches the From domain. DKIM alignment means the d= domain in the DKIM signature matches the From domain. DMARC passes if either one aligns.
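To make the policy-plus-alignment logic concrete, here is an added worked example (not code from the original page): a small DMARC evaluator that parses a record's tags and decides, for one message, whether SPF or DKIM passed with alignment and what disposition the published p= policy yields. The record text, domain names and authentication results are constructed for illustration; the organizational-domain helper is simplified to the last two labels (a real verifier consults the Public Suffix List), which is an assumption of this example.

```python
"""Evaluate one message against a DMARC record (added worked example)."""


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record into a dict.

    Example input: 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com'
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    # Defaults: relaxed alignment for both identifiers when adkim/aspf are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.

    Assumption of this example; production code uses the Public Suffix List
    so that names like 'mail.example.co.uk' are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organizational domain (e.g. bounce.example.com vs example.com)."""
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(record: dict, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Combine raw SPF/DKIM results with alignment and return the disposition.

    spf_domain is the Return-Path domain; dkim_domain is the d= value of the
    signature. A raw 'pass' only counts for DMARC if its domain aligns.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # On failure the receiver applies the published policy (none/quarantine/reject).
        "disposition": "none" if passed else record["p"],
    }


if __name__ == "__main__":
    # Constructed sample: relaxed alignment, quarantine policy.
    rec = parse_dmarc_record("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com")
    # Return-Path on a subdomain still aligns under relaxed SPF alignment.
    print(evaluate_dmarc(rec, "example.com", "pass", "bounce.example.com", "none", ""))
    # A third-party sender whose SPF passes for its own domain does not align,
    # so only an aligned DKIM signature rescues the message.
    print(evaluate_dmarc(rec, "example.com", "pass", "newsletter-provider.test", "pass", "example.com"))
    # Neither identifier aligns: the message fails and is quarantined.
    print(evaluate_dmarc(rec, "example.com", "pass", "unknown-host.test", "none", ""))
```

The second scenario is the one that bites most teams: a vendor that sends on your behalf may pass SPF for its own domain, which looks fine in a raw SPF check but fails DMARC until the vendor signs with a DKIM key for your domain or uses a Return-Path under it.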
Quick Tips
- Start with p=none to collect reports without affecting delivery. Analyze the reports to find legitimate services you've forgotten to authenticate.
- Move to p=quarantine after 2-4 weeks of clean reports, then to p=reject once you're confident all legitimate sending sources are authenticated.
- Use a DMARC report analyzer (like Postmark's free tool or dmarcian) — the raw XML reports are practically unreadable without one.
- Set your reporting address to a dedicated mailbox. DMARC reports from large recipients can flood a regular inbox.