DMARC Record

What is this?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record at _dmarc.yourdomain.com. It builds on SPF and DKIM to give receiving email servers a clear instruction: if an email claiming to be from us fails authentication, here's what to do with it.

There are three policies:

• p=none - do nothing, just send me reports (monitoring mode)
• p=quarantine - move suspicious emails to spam
• p=reject - drop suspicious emails entirely

v=DMARC1; p=quarantine; rua=mailto:[email protected]

Why it matters

Without DMARC:

• Email spoofing is trivially easy. Anyone can send a phishing email that looks exactly like it's from [email protected], and it'll be delivered normally to your customers.
• Gmail and Outlook penalize you. Since 2024, both require DMARC for bulk senders, and both use DMARC as a quality signal even for low-volume senders.
• You're flying blind. Without a DMARC record, you have no visibility into whether someone is impersonating your domain right now.

How to fix it

1. Make sure you have SPF and DKIM set up first - DMARC enforces them, so they need to work.
2. Add a TXT record at _dmarc.yourdomain.com:

   v=DMARC1; p=quarantine; rua=mailto:[email protected]

3. Replace the rua address with your own, or use a free DMARC reporting service (see below).
4. If unsure whether all your legitimate email will pass, start with p=none to observe for a week, then escalate to p=quarantine, then p=reject.

Providers & tools

Free DMARC report monitoring:

• Postmark DMARC: dmarc.postmarkapp.com - free weekly digest
• MXToolbox: mxtoolbox.com/dmarc.aspx - instant lookup and validation
• Dmarcian: dmarcian.com - free tier for small senders
• EasyDMARC: easydmarc.com - free monitoring dashboard