Glossary

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email standard that tells receiving servers what to do with messages that fail SPF and DKIM checks (take no action, quarantine, or reject) and sends you reports on who is sending email using your domain.

DMARC is the policy layer that sits on top of SPF and DKIM. SPF and DKIM each let a receiving server verify a piece of a message's origin, but on their own they do not tell the receiver what to do when a check fails, and they give the domain owner no visibility into abuse. DMARC fixes both gaps: it publishes your enforcement policy in DNS and turns on reporting so you can see exactly who is sending mail as your domain.

Technically, DMARC is a TXT record published at _dmarc.yourdomain.com. A receiving server reads it, evaluates SPF and DKIM, and then checks alignment - whether the domain those checks passed for matches the domain in the visible From address. A message passes DMARC if at least one of SPF or DKIM passes and is aligned. If neither aligns, the server applies your policy: p=none (take no action, just report), p=quarantine (deliver to spam), or p=reject (refuse the message outright).

DMARC matters because spoofing your From address is the basis of most phishing and business-email-compromise attacks. Without a published policy, anyone can send mail that appears to come from your domain and inbox providers have no instruction to stop it. A reject policy makes impersonation of your exact domain fail at the receiving server. It also matters for legitimate senders: major mailbox providers now expect a DMARC record on bulk-sending domains, and missing or misconfigured DMARC is a common reason good mail lands in spam.

Set it up in stages. Start at p=none with a reporting address (rua=) so you collect aggregate reports without affecting delivery: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Read those reports to confirm every legitimate sending source (your mail provider, marketing platform, support desk, outreach tool) passes SPF or DKIM with alignment. Once your sources are clean, move to p=quarantine, then to p=reject for full protection. The most common mistake is jumping straight to reject before alignment is verified, which silently blocks your own newsletters and invoices.
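The report-reading step above, as an added example that is not part of the original page: Python that tallies, per source IP, how many messages passed or failed DMARC in one aggregate (rua) report. The sample report is constructed, and the names `summarize` and `failing_sources` are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate schema, trimmed to the fields used).
# Real reports come from third parties: parse them with a hardened XML parser.
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>yourdomain.com</header_from></identifiers></record>")

SAMPLE_REPORT = (
    "<feedback><policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")    # known sender, aligned on both checks
    + _rec("198.51.100.7", 40, "fail", "pass")   # aligned through SPF only, still passes
    + _rec("203.0.113.99", 15, "fail", "fail")   # unknown or misconfigured source
    + _rec("192.0.2.10", 5, "fail", "fail")      # same known sender, a few failures
    + "</feedback>"
)

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} counted in messages."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the alignment-aware results, so DMARC
        # passes when at least one of dkim / spf is "pass".
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip]["pass" if aligned else "fail"] += count
    return dict(totals)

def failing_sources(report_xml):
    """Source IPs with at least one message that enforcement would act on."""
    return sorted(ip for ip, t in summarize(report_xml).items() if t["fail"])

if __name__ == "__main__":
    for ip, t in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{ip:15} pass={t['pass']:4} fail={t['fail']:4}")
    print("review before moving past p=none:", failing_sources(SAMPLE_REPORT))
```

Any IP in the `failing_sources` list that belongs to one of your own services needs its SPF or DKIM alignment fixed before you move to p=quarantine or p=reject.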

Key points

  • DMARC is a DNS TXT record at _dmarc.yourdomain.com that builds on SPF and DKIM.
  • It sets the policy for failures: p=none (monitor), p=quarantine (spam), or p=reject (block).
  • Alignment is the key concept: the authenticated domain must match the visible From domain.
  • Aggregate reports (rua=) reveal every service sending as your domain - legitimate or not.
  • Roll out gradually: none -> quarantine -> reject, only after confirming your real senders pass.

Frequently asked questions

SPF lists which servers may send for your domain. DKIM adds a cryptographic signature that proves a message was not altered and came from your domain. DMARC ties the two together: it tells receivers what to do when SPF and DKIM fail, requires the passing domain to align with the From address, and reports abuse back to you.
