Glossary · 3 min read

What Is DMARC?

Understand DMARC, how it builds on SPF and DKIM with alignment checks, policy options (none, quarantine, reject), and aggregate vs forensic reporting per RFC 7489.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM by adding a policy layer and a reporting mechanism. Defined in RFC 7489, DMARC lets domain owners instruct receiving mail servers on how to handle messages that fail authentication checks and provides visibility into who is sending email using their domain.

How DMARC Works

DMARC ties together SPF and DKIM through the concept of alignment. For a message to pass DMARC, at least one of the following must be true:

  1. SPF alignment. The domain in the SMTP envelope sender (MAIL FROM) matches the domain in the visible From header, and SPF passes.
  2. DKIM alignment. The domain in the DKIM signature's d= tag matches the domain in the visible From header, and DKIM passes.

Alignment can be strict (exact domain match) or relaxed (organizational domain match, meaning subdomains are allowed). Relaxed alignment is the default.

The DMARC Record

DMARC policies are published as DNS TXT records at _dmarc.domain.com:

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100"

Key Tags

  • v=DMARC1 -- Version (required).
  • p= -- Policy for the domain (required). Values: none, quarantine, reject.
  • sp= -- Policy for subdomains. Defaults to the p= value if omitted.
  • rua= -- URI for aggregate reports (recommended).
  • ruf= -- URI for forensic/failure reports (optional).
  • pct= -- Percentage of messages to which the policy applies (default 100).
  • adkim= -- DKIM alignment mode: r (relaxed, default) or s (strict).
  • aspf= -- SPF alignment mode: r (relaxed, default) or s (strict).

Policy Options

Policy Behavior
none Monitor only. No enforcement. Messages are delivered normally but reports are generated.
quarantine Failing messages are sent to the spam/junk folder.
reject Failing messages are rejected outright at the SMTP level.

Most organizations start with p=none to collect data, then move to quarantine, and finally reject once all legitimate senders are authenticated.

Aggregate vs. Forensic Reports

Aggregate reports (rua) are XML files sent daily by receiving mail servers. They summarize authentication results for all messages seen from your domain, including source IPs, SPF/DKIM results, and alignment outcomes. These reports are essential for identifying unauthorized senders and misconfigurations.

Forensic reports (ruf) contain details about individual messages that failed DMARC. They are useful for debugging but are not sent by all receivers (Gmail, notably, does not send forensic reports) and may raise privacy concerns.

Gmail, Outlook, and Yahoo Requirements

As of 2024, Gmail and Yahoo require bulk senders (5,000+ messages/day) to have a published DMARC record with at least p=none. Outlook followed with similar requirements in 2025. Without a DMARC record, your messages face increased scrutiny and potential delivery failures at these providers.

Check Your DMARC Configuration

Use our DMARC analysis tool to validate your record syntax, policy settings, and reporting addresses. For a complete view of your authentication setup, run a full domain analysis that checks SPF, DKIM, and DMARC together.

Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.

More glossary terms

DNS Ports Explained

Understand which network ports DNS uses, including port 53 for standard queries, port 443 for DNS over HTTPS, and port 853 for DNS over TLS.

DNS Record Types: A Complete Reference Guide

A technical reference for all major DNS record types including A, AAAA, MX, CNAME, TXT, NS, SOA, PTR, SRV, and CAA. Includes example values and use cases.

How Do IP Addresses Work?

Understand how IP addresses work, including IPv4 vs IPv6 formats, public vs private addresses, static vs dynamic assignment, NAT, and CIDR notation.

SMTP Ports Explained: 25, 465, 587, and 2525

Understand the four SMTP ports, when to use each one, the difference between STARTTLS and implicit TLS, and why ISPs block port 25.

What Is DKIM (DomainKeys Identified Mail)?

Learn how DKIM uses cryptographic signatures to authenticate email, including selector records, public/private key pairs, and the verification process per RFC 6376.

What Is DNS (Domain Name System)?

Learn how the Domain Name System works, including recursive and iterative queries, root servers, caching, and TTL values. A technical overview referencing RFC 1035.

What Is Secure DNS (DoH and DoT)?

Learn about secure DNS protocols including DNS over HTTPS, DNS over TLS, and DNSSEC. Understand why standard DNS is insecure and how to protect your queries.

What Is a Domain Name?

Learn what a domain name is, how domains map to IP addresses via DNS, the difference between TLD types, and how subdomains, URLs, and hostnames relate.

What Is a Gateway IP Address?

Learn what a gateway IP address is, how default gateways route traffic between networks, and how to find your gateway address on any operating system.

What Is a Reverse Lookup?

Understand reverse lookups including reverse DNS (PTR records), reverse IP lookups, and reverse email lookups. Learn how each works, common use cases, and limitations.

What Is a Reverse Proxy?

Learn how reverse proxies work, the difference between forward and reverse proxies, and common use cases including load balancing, SSL termination, and caching.

What Is an Email Bounce?

Understand email bounces, the difference between hard and soft bounces, common SMTP error codes, and how bounces affect sender reputation.

What Is an Email Domain Name?

Learn what an email domain is, how the @domain.com part of email addresses works with MX records to route messages, and the difference between free and custom email domains.

What Is an SMTP Server?

Learn how SMTP servers work, the difference between MTA, MSA, and MDA, and how email is delivered hop by hop using the SMTP protocol defined in RFC 5321.

What Is an SPF Record?

Understand SPF records, how they authorize email senders, the TXT record format, and how receivers evaluate SPF results including pass, fail, and softfail.

What Is an SSL Certificate?

Learn how SSL/TLS certificates encrypt internet traffic, how the chain of trust works, the difference between DV, OV, and EV certificates, and why TLS replaced SSL.