When a spammer sends email pretending to be from your domain, it damages your reputation and puts your customers at risk. Even though you never sent the message, recipients associate the phishing attack with your brand. These spoofing attacks cost businesses millions annually in lost revenue, damaged relationships, and eroded customer trust.
DMARC (Domain-based Message Authentication, Reporting & Conformance) solves this problem by building on SPF and DKIM to give you control over how receiving servers handle messages that fail authentication. It provides both policy enforcement (telling servers what to do with suspicious emails) and detailed reporting (showing you who's sending email using your domain).
In February 2024, Gmail and Yahoo made DMARC mandatory for bulk senders, signaling that email authentication is no longer optional—it's essential. Whether you're a developer building transactional email systems, an IT manager protecting corporate domains, or a business owner concerned about brand abuse, understanding and implementing DMARC is critical in 2026.
This comprehensive guide will walk you through everything you need to know about DMARC: what it is, how it works, how to set it up safely, and how to interpret the reports it generates. By the end, you'll have a clear roadmap to protect your domain from spoofing while ensuring legitimate emails reach their destination.
Quick reference needed? For a shorter overview of DMARC basics, see our What is DMARC? post. This guide provides comprehensive implementation details.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. Created in 2012 through collaboration between major email providers (Google, Microsoft, Yahoo), DMARC is an email authentication protocol that builds on two existing technologies: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
At its core, DMARC serves two primary functions:
Policy Enforcement: It tells receiving email servers what to do with messages that fail authentication checks (deliver them, send to spam, or reject entirely).
Reporting: It provides feedback about who is sending email using your domain, helping you identify legitimate senders, misconfigurations, and potential spoofing attempts.
Think of DMARC as the final piece of the email authentication puzzle. SPF verifies the sending IP address is authorized. DKIM verifies the domain signed the message. DMARC checks that the authenticated domain matches the "From" header your recipients see and gives you control of what happens next. This alignment check stops attackers from sending from their own servers while spoofing your domain in the visible From field. It's especially important if you're using an ESP to send email, where you'll be sending from shared IP addresses that other customers use too.
DMARC doesn't replace SPF or DKIM, it requires at least one of them to be properly configured. When a receiving server processes an incoming email, it checks the DMARC policy published in your domain's DNS records, verifies that either SPF or DKIM pass and align with your domain, then applies the policy you've specified.
The email security landscape has changed dramatically. In February 2024, Gmail and Yahoo made DMARC mandatory for anyone sending more than 5,000 messages daily to their users. By November 2025, they tightened enforcement further—non-compliant emails now face temporary or permanent rejection. What was once a best practice became a hard requirement.
The threat landscape backs this up. The FBI reported $16.6 billion in total cybercrime losses in 2024, with Business Email Compromise alone accounting for $2.77 billion. The Anti-Phishing Working Group recorded 892,494 phishing attacks in Q3 2025, down from a peak of 1.13 million in Q2. More recently AI has made it easier to create phishing emails that are far harder to detect than some of the garbage we used to see.
DMARC helps you to ensure that emails are really coming from your domain and not from a malicious actor, sending them to SPAM or outright rejecting them.
Stop spoofing attacks: Email spoofing doesn't just harm recipients—it damages your domain's sender reputation. When spammers use your domain, receiving servers may start blocking legitimate messages from your actual infrastructure. DMARC ensures only authorized senders can use your domain.
Maintain email deliverability: Receiving servers favor authenticated email. With Gmail and Yahoo enforcing DMARC requirements, domains without proper authentication face delivery problems. Domains with strong DMARC policies signal they take security seriously, often resulting in better inbox placement.
Protect your brand: Phishing attacks that impersonate your brand erode customer trust. Even when victims realize the email was fake, the association between your brand and the attack lingers. DMARC stops these impersonation attempts before they reach inboxes.
Meet compliance requirements: Many industries now require email authentication as part of security compliance. Financial services, healthcare, and government contractors increasingly mandate DMARC implementation.
The cost of not implementing DMARC is no longer theoretical—it's measurable in blocked emails, successful phishing attacks, and damaged sender reputation. With major email providers enforcing authentication requirements, implementing DMARC is essential for maintaining email deliverability in 2026.
To understand DMARC, we need to look at how it fits into the broader email authentication ecosystem. When an email arrives at a receiving server, the authentication process follows this sequence:
SPF Check The receiving server looks at the "envelope from" address (also called the Return-Path or MAIL FROM) and queries the sender's SPF DNS record. This record lists the IP addresses and servers authorized to send email for that domain. If the sending server's IP is on the list, SPF passes.
DKIM Check The server looks for a DKIM signature in the email headers. This cryptographic signature proves that the email came from the domain that signed it and hasn't been modified in transit. The server retrieves the public key from the sender's DNS records to verify the signature. If valid, DKIM passes.
For more information on SPF and DKIM, see our What are DKIM and SPF? post.
DMARC Alignment Test Here's where DMARC adds its crucial layer. It's not enough for SPF or DKIM to pass—they must also align with the "From" address that recipients see in their email client. This alignment check prevents a common spoofing technique where attackers use a legitimate domain in the envelope but spoof the visible From address.
DMARC Policy Enforcement Based on the DMARC check result, the receiving server applies the policy specified in your DMARC record.
DMARC Report Generation The receiving server generates a DMARC report detailing what happened with the email.
DMARC offers two alignment modes for both SPF and DKIM, relaxed and strict:
Relaxed alignment (aspf=r or adkim=r): The authenticated domain must
match the organizational domain of the From address. For example,
mail.example.com aligns with example.com. This is the default mode.
Strict alignment (aspf=s or adkim=s): The domains must match exactly.
mail.example.com does NOT align with example.com.
The key rule: DMARC passes if either SPF or DKIM pass AND align. Both don't need to pass—just one with proper alignment.
Based on the DMARC check result, the receiving server applies the policy specified in your DMARC record:
| Policy | Description |
|---|---|
p=none |
No action taken. The email is delivered normally, but a report is generated. |
p=quarantine |
Failed emails are typically sent to spam/junk folders. |
p=reject |
Failed emails are outright rejected and never reach the recipient. |
Finally, the receiving server generates a DMARC report detailing what happened
with the email: which IPs sent messages, whether SPF and DKIM passed, whether
alignment succeeded, and what policy was applied. These reports are sent to the
address you specify in your DMARC record (the rua= tag).
This entire process happens automatically for every email, providing both immediate protection (policy enforcement) and long-term visibility (reports) into your email ecosystem.
A DMARC policy is published as a TXT record in your domain's DNS at the
subdomain _dmarc.yourdomain.com. Here's what a typical DMARC record looks
like:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; aspf=r; adkim=r; sp=none;"
Let's break down each component:
| Tag | Required? | Description | Example Values |
|---|---|---|---|
v |
Yes | Version identifier. Must always be DMARC1. |
v=DMARC1 |
p |
Yes | Policy for the domain. Tells receivers what to do with emails that fail DMARC. | none, quarantine, reject |
rua |
Recommended | Aggregate report destination. Where daily XML reports are sent. | rua=mailto:reports@example.com |
pct |
Optional | Percentage of emails to apply policy to. Useful for gradual rollout. Default is 100. | pct=25 (apply to 25%) |
aspf |
Optional | SPF alignment mode. r (relaxed) allows subdomains. s (strict) requires exact match. Default is r. |
aspf=r |
adkim |
Optional | DKIM alignment mode. Same logic as aspf. Default is r. |
adkim=r |
sp |
Optional | Subdomain policy. If omitted, subdomains inherit the main policy. | sp=reject |
ruf |
Optional | Forensic report destination. Rarely used due to privacy concerns (includes message samples). | ruf=mailto:forensics@example.com |
fo |
Optional | Forensic report options. Controls when forensic reports are generated. | fo=1 (any failure) |
ri |
Optional | Reporting interval in seconds. Most providers ignore this and send daily reports. | ri=86400 (daily) |
Real-World Example: Let's look at Google's DMARC record:
_dmarc.google.com. IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
Google uses an aggressive p=reject policy with 100% enforcement, meaning any
email failing authentication is completely blocked. They handle DMARC reporting
internally.
CloudMailin Tip: When you set up DMARC monitoring with CloudMailin, each domain gets a unique RUA address. Find yours in your domain settings. CloudMailin automatically collects and parses all reports—no XML parsing needed.
Implementing DMARC safely requires a phased approach. Jumping straight to
p=reject without monitoring can block legitimate emails if you have
misconfigured authentication or forgotten third-party senders. Follow these
steps carefully:
Before creating your DMARC record, ensure these are in place:
You can verify your SPF and DKIM setup by sending test emails and checking the
Authentication-Results header in the received message. There's a guide to
doing this in our
documentation (Verify DKIM).
Need help with SPF and DKIM? Check our guide: What are DKIM and SPF?. We also have a deliverability checker in beta—contact us for access.
DMARC reports are sent as XML files (often compressed) via email. You have three options:
Option 1: CloudMailin (Recommended) CloudMailin provides automatic DMARC report collection and parsing with a visual dashboard. Each domain gets a unique RUA email address—just add it to your DMARC record and reports appear in your dashboard automatically.
Option 2: Your Own Email Inbox You can receive reports at any email address
(e.g., dmarc@yourdomain.com). However, reports are raw XML files that require
manual parsing or specialized software to interpret. For domains with moderate
to high email volume, this quickly becomes unmanageable.
Option 3: Third-Party DMARC Service Standalone DMARC reporting services range in price depending on email volume and features. Good option if you need enterprise features, but often quite expensive.
CloudMailin Dashboard: View parsed DMARC reports with automatic 4-category sender classification. Currently in beta—free for all users. Learn more
Start with a monitoring-only policy. This allows you to collect data without risking email delivery:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:YOUR_RUA_ADDRESS; aspf=r; adkim=r;"
Replace YOUR_RUA_ADDRESS with your chosen destination:
dmarc@yourdomain.com (remember to create this email
address first)Important parameters:
p=nonemeans no enforcement—emails are delivered normally regardless of DMARC result.aspf=randadkim=rset relaxed alignment, which is more forgiving and recommended for most setups.
How you add the record depends on your DNS provider:
_dmarc (or _dmarc.yourdomain.com depending on your
provider's interface)Use the dig command (Mac/Linux) or a similar tool to verify your record:
dig _dmarc.example.com TXT
You should see your DMARC record in the response. Online tools can also verify your record and check for syntax errors if needed.
After your DNS record is live, receiving servers will start sending reports:
During this monitoring phase, your goal is to identify all legitimate senders using your domain. This includes:
You will almost certainly discover some senders that are not legitimate and need to be blocked, we'll do this later as we don't want to block legitimate senders by being too hasty.
We recommend taking at least 4-6 weeks in monitoring mode before progressing to enforcement. This ensures you capture weekly/monthly senders that might not email daily.
If you've chosen to receive DMARC reports in your own inbox, you're about to encounter a significant pain point: the reports are complex XML documents that are extremely difficult to interpret manually.
Here's a snippet of what a typical DMARC report looks like:
<?xml version="1.0" encoding="UTF-8"?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<report_id>15419518948742338944</report_id>
<date_range>
<begin>1590969600</begin>
<end>1591055999</end>
</date_range>
</report_metadata>
<policy_published>
<domain>example.com</domain>
<p>none</p>
<sp>none</sp>
</policy_published>
<record>
<row>
<source_ip>203.0.113.42</source_ip>
<count>147</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>mail.example.com</domain>
<result>fail</result>
</spf>
</auth_results>
</record>
</feedback>
And this is just ONE record from ONE report. Imagine receiving dozens of these daily, each containing multiple records, from different reporting organizations (Google, Yahoo, Microsoft, etc.).
Common pain points reported by IT teams:
Traditional solutions are limited:
This is why automated dashboards have become essential for any serious DMARC implementation.
CloudMailin Solution: Automatic XML parsing converts reports into visual dashboards with charts and categorized senders. No manual parsing required. Just add your unique RUA address to your DMARC record, and reports appear automatically in your dashboard. Learn more
Once you've solved the parsing challenge, understanding what the reports tell you is the next step.
DMARC defines two report types:
These are the reports you'll use most. Sent typically once per day by each receiving organization (Google, Yahoo, etc.), aggregate reports provide:
Aggregate reports are statistical summaries—they don't include actual message content, making them privacy-safe and the most useful tool for monitoring your email ecosystem.
These are sent in real-time when a DMARC check fails (depending on your fo=
setting). Forensic reports contain:
Important: Forensic reports are rarely used in practice due to privacy concerns. Many receivers don't send them at all, and including message content can violate data protection regulations (GDPR, etc.). We recommend focusing on aggregate reports.
When viewing parsed DMARC reports, you're looking for patterns in sender behavior. Here's how to categorize what you see:
✅ Fully Compliant Senders
⏩ Possible Forwarding
⚠️ SPF-Only Senders
🚨 Unknown Senders / Threats
CloudMailin categorizes senders automatically:
- Compliant: Both DKIM and SPF aligned (trusted senders)
- Forwarded: DKIM aligned or ARC present (often legitimate forwards)
- Accepted: SPF aligned only (passes DMARC but no DKIM)
- Failed: Neither aligned (potential spoofing)
We also highlight the disposition (none/quarantine/reject) showing the action the receiver actually took.
Pay attention to these key fields in reports:
CloudMailin enriches this data automatically with PTR record lookups and even fetches favicons from sender domains to make identification easier.
Now that you understand DMARC reports, it's time to move from monitoring to enforcement. This must be done gradually to avoid blocking legitimate emails.
p=none) — Duration: 4-6 Weeks Minimumv=DMARC1; p=none; rua=mailto:YOUR_RUA_ADDRESS; aspf=r; adkim=r;
Don't rush this phase. If you send monthly newsletters, wait at least a month to ensure that sender is captured. If you have quarterly reports, you may need even longer (or test those systems manually before progressing).
p=quarantine) — Duration: 4-6 WeeksSending email to spam/junk folders is the next step in the progression.
v=DMARC1; p=quarantine; pct=100; rua=mailto:YOUR_RUA_ADDRESS; aspf=r; adkim=r;
However, we recommend a gradual rollout using the pct= parameter:
v=DMARC1; p=quarantine; pct=10; rua=mailto:YOUR_RUA_ADDRESS; aspf=r; adkim=r;
The pct= parameter lets you apply the policy to only a percentage of emails:
pct=10 (policy applies to 10% of failing emails)pct=25 (increase to 25%)pct=50 (increase to 50%)pct=100 (full enforcement)This phased approach minimizes risk. If something goes wrong, only a small percentage of emails are affected initially.
pct= while resolvingpct=100 quarantine for at least 2 weeksp=reject) — Duration: OngoingFinally, we can move to the strictest policy of all, p=reject.
v=DMARC1; p=reject; pct=100; rua=mailto:YOUR_RUA_ADDRESS; aspf=r; adkim=r;
Or start with gradual rollout:
v=DMARC1; p=reject; pct=10; rua=mailto:YOUR_RUA_ADDRESS; aspf=r; adkim=r;
⚠️ Warning: No undo button Unlike quarantine (where emails go to spam and can be recovered), rejected emails disappear completely. The receiving server returns an error to the sending server, but the recipient never knows the email was attempted. Make sure you're ready before implementing
p=reject.
pct=10 (reject 10% of failing emails)pct=25pct=50pct=100 (after confirming no issues)p=reject, continue
checking reports monthlyp=reject; pct=100DMARC doesn't automatically apply to subdomains. If you have
marketing.example.com or support.example.com, consider your subdomain
strategy:
| Strategy | When to use | How to implement |
|---|---|---|
| Inherit Parent Policy | All subdomains send email the same way as main domain | Omit sp= or use sp=none |
| Stricter Subdomain Policy | Subdomains that should never send email | Use sp=quarantine or sp=reject in main record.For example: v=DMARC1; p=quarantine; sp=reject; rua=mailto:YOUR_RUA_ADDRESS; |
| Per-Subdomain Records | Different teams/providers manage different subdomains | Create _dmarc.subdomain.example.com records.For example: _dmarc.marketing.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:YOUR_RUA_ADDRESS;" |
You can mix these—for example, have a dedicated record for marketing and then set
sp=rejecton your main domain. The per-subdomain record takes precedence, so all other subdomains get rejected while marketing uses its own policy.
Even with careful implementation, you may encounter these challenges:
Symptoms:
Common causes:
Solutions:
v=spf1 include:mail.thirdparty.com include:yourdomain.com ~all
user@example.com) not their subdomain (user@mail.example.com) if
using strict alignmentSymptoms:
Why it happens: Email forwarding changes the envelope sender (breaking SPF) and may modify the message (breaking DKIM). This is a known limitation of email forwarding, not a DMARC bug.
Solutions:
aspf=r; adkim=r helps but doesn't completely solve forwardingCloudMailin identifies forwarding automatically: Emails with DKIM pass but SPF fail are flagged as "Possible Forwards" in the dashboard, helping you distinguish them from actual threats.
Symptoms:
Common causes:
Solutions:
dig _dmarc.yourdomain.com TXT to confirm the record
exists and is correctrua=mailto:address@domain.com (note the
mailto: prefix)Symptoms:
Solutions:
Symptoms:
subdomain.yourdomain.comWhy it happens: DMARC doesn't automatically inherit to subdomains unless you specify a subdomain policy.
Solutions:
sp=reject in your main DMARC record to
apply reject policy to all subdomains_dmarc.subdomain.yourdomain.comFollow these guidelines to implement and maintain DMARC successfully:
✅ Always start with p=none — Never skip monitoring phase, even if you're
confident in your setup. You'll discover forgotten senders.
✅ Monitor for minimum 4-6 weeks per phase — Longer is better. Capture weekly and monthly senders.
✅ Document all legitimate senders — Keep a list of authorized IPs, hostnames, and services. Update it as infrastructure changes.
✅ Use relaxed alignment (aspf=r; adkim=r) — Unless you have a specific
security need for strict alignment, relaxed is more forgiving and works with
more email infrastructure.
✅ Test email sending during each phase — Send test emails to yourself and check they pass DMARC before progressing policies.
✅ Set up automated report monitoring — Manual XML parsing doesn't scale. Use a tool to parse reports automatically.
✅ Review reports monthly after enforcement — Even at p=reject, check
reports regularly to catch new senders or authentication changes.
✅ Keep SPF updated as senders change — When you add a new ESP, payment processor, or any service that sends email, update your SPF record.
✅ Rotate DKIM keys annually — Best practice for cryptographic keys is regular rotation. Most email providers make this easy.
✅ Use pct= for gradual enforcement rollout — Don't jump straight to
pct=100 on quarantine or reject. Increase gradually (10% → 25% → 50% → 100%).
✅ Consider stricter subdomain policy (sp=reject) — For subdomains that
don't send email, using sp=reject provides extra protection.
✅ Coordinate with marketing and IT teams — Ensure everyone who manages email-sending systems knows about your DMARC implementation and rollout timeline. In our experience marketing teams are often using systems that others aren't even aware of.
✅ Document your policy progression — Keep notes on when you changed policies, what issues arose, and how you solved them. Future you will thank you.
Official Specifications:
Sender Guidelines (2024 Requirements):
Related CloudMailin Guides:
DMARC is no longer optional in 2026—it's a fundamental requirement for protecting your domain from email spoofing, maintaining sender reputation, and ensuring your legitimate emails reach recipients' inboxes. The Gmail and Yahoo sender requirements made this clear: email authentication is now mandatory for anyone serious about email delivery.
The good news is that DMARC implementation, while requiring careful attention, is straightforward when you follow the phased approach:
p=none) for 4-6 weeks to identify all legitimate sendersp=quarantine) with gradual rollout using pct=p=reject) once you're confident in your authentication setupThe biggest challenge most organizations face isn't implementing DMARC—it's managing the reports. Raw XML data is overwhelming and impractical to parse manually, which is why automated dashboards have become essential. Whether you use CloudMailin's built-in DMARC monitoring or another solution, having visibility into your email authentication ecosystem is critical for successful DMARC implementation.
By implementing DMARC, you're not just checking a compliance box—you're actively protecting your brand from impersonation, defending your customers from phishing attacks, and improving your email deliverability. The time invested in proper DMARC setup pays dividends in reduced abuse, better inbox placement, and increased customer trust.
Ready to get started? Create your monitoring-only DMARC record today, set up report collection, and begin the journey to full domain protection. Your domain reputation will thank you.
Get started with CloudMailin's DMARC monitoring: Automatic report parsing, visual dashboards, and 4-category sender classification—currently free in beta. Set up DMARC monitoring.
Q: How long does DMARC setup take?
A: The DNS configuration itself takes 5-10 minutes. However, you should allow
24-48 hours for DNS propagation and for the first reports to arrive. The
monitoring phase should last at least 4-6 weeks before progressing to
enforcement policies. In total, plan for 6-12 weeks from initial setup to full
p=reject enforcement if following the recommended gradual rollout strategy.
Q: Can DMARC break email forwarding?
A: Yes, email forwarding can cause DMARC failures because it changes the
envelope sender (breaking SPF alignment). Some forwarders also modify messages
in ways that break DKIM signatures. This is a known limitation of email
forwarding, not a DMARC flaw. Using relaxed alignment (aspf=r; adkim=r) helps,
but accept that some forwarded emails may fail DMARC even when legitimate. ARC
(Authenticated Received Chain) is an emerging solution that helps preserve
authentication through forwarding.
Q: What if I don't have DKIM configured?
A: DMARC requires either SPF or DKIM to pass and align—you don't technically need both, but having both provides redundancy and better protection. If you only have SPF configured, DMARC will work, but you're vulnerable to scenarios where SPF fails (like email forwarding). We strongly recommend configuring DKIM before implementing DMARC for robust authentication.
Q: Is p=reject safe?
A: Yes, but only after proper monitoring. If you've spent 4-6 weeks in p=none
monitoring, progressed through p=quarantine, and verified that 99%+ of
legitimate mail passes DMARC, then p=reject is safe. Use the pct= parameter
to roll out gradually (start with pct=10 and increase weekly). Never jump
straight to p=reject without monitoring—you risk blocking legitimate emails.
Q: How often should I check DMARC reports?
A: During monitoring phase (p=none): Check daily, at least for the first
week, then every few days. During quarantine phase (p=quarantine): Check
weekly. After reaching reject (p=reject): Check monthly to ensure no new
legitimate senders are being blocked. Set up alerts (if your dashboard supports
them) for sudden increases in failures or new unexpected senders.
Q: Do I need DMARC for subdomains?
A: DMARC doesn't automatically inherit to subdomains. You have three options:
(1) Use the sp= tag in your main domain's DMARC record to set a policy for all
subdomains, (2) Create individual DMARC records for each subdomain at
_dmarc.subdomain.yourdomain.com, or (3) Do nothing, and subdomains won't have
DMARC protection. For subdomains that never send email, setting sp=reject in
your main record provides strong protection.
Q: What's the difference between p=quarantine and p=reject?
A: p=quarantine sends failing emails to the spam/junk folder—they're not
delivered to the inbox, but recipients can still find them if they check spam.
p=reject blocks failing emails entirely at the SMTP level—they never reach the
recipient, not even spam. The receiving server returns an error to the sending
server, and the email disappears. Quarantine is safer for initial enforcement;
reject is the strongest protection once you're confident in your setup.
Q: Can I use CloudMailin for DMARC monitoring even if I use another provider for sending?
A: Yes! CloudMailin's DMARC monitoring is independent of where you send email. You can send through any ESP, your own mail server, or any other provider, and still use CloudMailin's dashboard for DMARC report collection and analysis. Just add CloudMailin's unique RUA address to your DMARC record, and reports from all receivers (Gmail, Yahoo, etc.) will be collected and parsed automatically.
CloudMailin Team
20 May 2020
CloudMailin Team
20 Sep 2024
CloudMailin Team
4 May 2020