DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers how to handle messages that fail SPF or DKIM checks — pass them through, send them to spam, or reject them outright. It also requests aggregate reports so you can see who is sending mail using your domain.
Why it matters
DMARC is the layer that actually closes the door on domain spoofing. SPF and DKIM only report whether a message passed their authentication checks; without DMARC, receivers have no instruction on what to do when those checks fail. A strong DMARC policy stops phishing campaigns that impersonate your brand, protects customers, and is now mandatory for bulk senders to Gmail and Yahoo. The aggregate (rua) reports are also the easiest way to discover unauthorised or forgotten senders using your domain.
How to roll it out
- Start in monitor mode with p=none and rua=mailto:dmarc@example.com to collect reports without affecting delivery.
- Review aggregate reports for at least two to four weeks; fix any legitimate sources missing from your SPF or DKIM records.
- Move to p=quarantine once known senders pass cleanly, then to p=reject for full enforcement.
- Set pct= to ramp enforcement gradually (e.g. pct=25, then 50, then 100).
- Make sure SPF and DKIM align with the visible From: domain — alignment is what DMARC actually checks, not just authentication.
- Publish DMARC on every sending domain and on parked domains too (with p=reject).
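The following is an added example, not part of the original entry: it builds the TXT record for each rollout stage, parses a published record, and then evaluates a message the way a receiving server does, so you can see why alignment (not just an SPF or DKIM pass) decides the verdict and how pct= steps the policy down for unsampled mail (RFC 7489 section 6.6.4). The organisational-domain helper is a simplification that takes the last two labels; real receivers use the Public Suffix List. The sample_slot parameter stands in for the receiver's random draw so the pct= behaviour can be tested deterministically; all domains and addresses are constructed sample values.

```python
"""Added example: build, parse and evaluate DMARC records (not the page's code)."""

import random

VALID_POLICIES = ("none", "quarantine", "reject")


def build_record(p, rua, pct=100, adkim="r", aspf="r"):
    """Assemble the TXT record value for one rollout stage (p=none -> quarantine -> reject)."""
    if p not in VALID_POLICIES:
        raise ValueError(f"unknown policy {p!r}")
    tags = [("v", "DMARC1"), ("p", p)]
    if pct != 100:
        tags.append(("pct", str(pct)))
    if adkim != "r":
        tags.append(("adkim", adkim))
    if aspf != "r":
        tags.append(("aspf", aspf))
    tags.append(("rua", rua))
    return "; ".join(f"{k}={v}" for k, v in tags)


def parse_record(record):
    """Parse 'v=DMARC1; p=...' into a dict of tags, filling in the RFC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p=
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags


def organizational_domain(domain):
    """Simplified organisational domain: last two labels.
    Assumption: a real receiver consults the Public Suffix List here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment matches organisational domains; strict ('s')
    requires the authenticated domain to equal the visible From: domain."""
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return organizational_domain(auth) == organizational_domain(frm)


def evaluate(record, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, sample_slot=None):
    """Return the DMARC verdict and disposition for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= of the passing signature. sample_slot (0-99) replaces the receiver's
    random draw so pct= handling is deterministic under test.
    """
    policy = parse_record(record)
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, policy["adkim"])
    verdict = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:
        # One aligned, passing identifier is enough for DMARC to pass.
        return {**verdict, "result": "pass", "disposition": "none"}
    # DMARC fails: apply p= to pct percent of failing mail; the rest gets the
    # next weaker policy (reject -> quarantine, quarantine -> none).
    if sample_slot is None:
        sample_slot = random.randrange(100)
    requested = policy["p"]
    if sample_slot < int(policy["pct"]):
        disposition = requested
    else:
        disposition = {"reject": "quarantine", "quarantine": "none", "none": "none"}[requested]
    return {**verdict, "result": "fail", "disposition": disposition}


if __name__ == "__main__":
    rec = build_record("reject", "mailto:dmarc@example.com", pct=25)
    print(rec)
    # Forwarded mail: SPF passes for the forwarder (unaligned) but the DKIM signature survives.
    print(evaluate(rec, "example.com", "pass", "mailer.forwarder.net", "pass", "example.com"))
```

The forwarding case in the usage block is the one that bites most rollouts: SPF passes for the forwarder's domain, which does not align with the From: header, so only an intact DKIM signature keeps the message from failing. Run the staged records through evaluate with your own senders' domains before raising p= to see which ones would be quarantined or rejected.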