
Implementing DMARC

DMARC helps protect your domain from being used in spoofed or unauthorized emails. It tells receiving mail servers how to handle messages that fail SPF or DKIM authentication — and is required by major providers like Gmail and Yahoo for bulk senders.

Prerequisites

DMARC builds on two existing authentication mechanisms. Make sure both are already in place before proceeding:

  • DKIM — cryptographically signs outgoing messages so recipients can verify the email wasn't altered in transit.
  • SPF — authorizes specific IP addresses to send email on behalf of your domain.

If your sending domain is already verified in your email settings, SPF and DKIM are already configured.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol published as a DNS TXT record at _dmarc.yourdomain.com. It serves two purposes:

  • Policy enforcement — instructs receiving servers to monitor, quarantine, or reject messages that fail authentication.
  • Reporting — provides aggregate feedback so you can identify unauthorized senders using your domain.

A message passes DMARC when it passes either SPF or DKIM for a domain aligned with the From: header (not necessarily both). It fails DMARC only when both checks fail.

1. Check for an existing record

Your organization may already have a DMARC record in place. Before adding one, check your domain's DNS:

dig TXT _dmarc.yourdomain.com +short

If a record already exists, you're set. A DMARC policy on the root domain automatically applies to subdomains unless overridden.

2. Add a DMARC TXT record

Create a TXT record in your domain's DNS provider with the following values:

Name                   Type   Value
_dmarc.yourdomain.com  TXT    v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;

Here's what each part means:

  • v=DMARC1 — identifies this as a DMARC record.
  • p=none — the policy. Starts in monitoring mode so you can observe without affecting delivery. You'll tighten this later.
  • rua=mailto:... — an email address where you'll receive aggregate reports (XML attachments showing which IPs are sending as your domain and whether they pass authentication).

The rua address can be on a different domain than the one you're configuring. Use a dedicated mailbox or a DMARC monitoring service to avoid cluttering your inbox.

3. Verify delivery and authentication

After adding the record, send test emails from each service that uses your domain. Open the raw message headers and confirm you see dmarc=pass in the Authentication-Results header.

Give it a few days at p=none to catch any sources you might have missed — some services send on different schedules.

Tools like Google Postmaster Tools can help you monitor SPF/DKIM pass rates. DMARC monitoring services can also aggregate your reports and surface unauthorized senders.

4. Upgrade your policy

Once you've confirmed all legitimate email is passing DMARC, move to a stricter policy. This signals to mailbox providers that your domain only sends authenticated email.

Policy         Behavior
p=none         Monitor only. No impact on delivery.
p=quarantine   Messages that fail DMARC are sent to spam.
p=reject       Messages that fail DMARC are blocked entirely.

DMARC parameter reference

The full set of tags you can use in a DMARC record:

Parameter  Purpose                                           Example
v          Protocol version                                  v=DMARC1
p          Policy for the domain                             p=quarantine
sp         Policy for subdomains                             sp=reject
rua        Address for aggregate reports                     rua=mailto:dmarc@example.com
ruf        Address for forensic (failure) reports            ruf=mailto:forensic@example.com
pct        Percentage of failing messages the policy is applied to   pct=20
adkim      DKIM alignment mode (s=strict, r=relaxed)         adkim=s
aspf       SPF alignment mode (s=strict, r=relaxed)          aspf=r

Note: pct and ruf are part of the spec but are not consistently honored by all mailbox providers.
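To make the tag reference and the pass/fail rule above concrete, here is an added example (not code from this article or from any mail provider) that parses a DMARC TXT record, validates the required tags, and works out the disposition a receiver would apply. It simplifies the organizational-domain lookup to the last two DNS labels (real receivers use the Public Suffix List) and ignores pct.

```python
ALLOWED_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict and validate it."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first, and p is required on the domain's own record.
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ALLOWED_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):  # alignment modes default to relaxed
        if tags.get(mode, "r") not in ("r", "s"):
            raise ValueError(f"{mode} must be r (relaxed) or s (strict)")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (real DMARC uses the PSL).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, policy_domain: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """'pass' if SPF or DKIM passes aligned; otherwise the policy to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    if from_domain.lower() != policy_domain.lower():  # subdomain: sp wins if set
        return tags.get("sp", tags["p"])
    return tags["p"]
```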

Further reading