DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It lets domain owners publish a policy in DNS that tells recipient servers what to do when an email fails SPF or DKIM checks - nothing, quarantine it to spam, or reject it outright.
The Three DMARC Policies
| Policy | What Happens on Failure | Use When |
|---|---|---|
| p=none | No action - just report failures to you | Starting out, gathering data |
| p=quarantine | Failed emails go to spam/junk folder | Moderate protection, still validating setup |
| p=reject | Failed emails are outright rejected | Full protection - use when confident in email setup |
DMARC Record Format
```
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
```
- p=reject - Reject mail that fails DMARC (no SPF or DKIM pass that is aligned with the From: domain)
- rua= - Send aggregate reports to this address
- pct=100 - Apply the policy to 100% of messages (use lower % when rolling out)
DMARC Alignment
DMARC requires "alignment" - the domain in the From: header must match the domain that passed SPF (the envelope sender domain) or the DKIM signing domain. This prevents attackers from passing SPF/DKIM on a domain they control while showing your domain in the From: field.
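To make the record format and the alignment rule concrete, here is an added example (not code from the original page) that parses a DMARC TXT record and applies its policy to one message's SPF and DKIM results. It also handles the aspf/adkim strict vs. relaxed alignment tags, which the page does not discuss; the record, domains and the rua address are constructed placeholders, and the organizational-domain helper is a simplification.

```python
from typing import Optional

# Added example, not from the original page: evaluate a DMARC record.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real validators use the Public Suffix List (so 'example.co.uk' works)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the
    default) only needs the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record: str, from_domain: str,
                 spf_domain: Optional[str], spf_pass: bool,
                 dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return 'pass', or the record's p= disposition (none/quarantine/reject).
    pct= sampling is ignored here: the policy is always applied."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and \
        aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and \
        aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed record; the rua mailbox is a placeholder, not a real address.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    # SPF and DKIM both pass, but for a domain other than the one in From:,
    # so alignment fails and the p=reject policy applies.
    print(dmarc_result(RECORD, "example.com", "mailer.example.net", True,
                       "mailer.example.net", True))          # reject
    # Subdomain mail DKIM-signed by the org domain: relaxed alignment passes.
    print(dmarc_result(RECORD, "news.example.com", None, False,
                       "example.com", True))                 # pass
```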
Does Gmail Use DMARC?
Yes. Google requires DMARC for bulk email senders (sending 5,000+ messages/day to Gmail addresses). Without a DMARC record with at least p=none, bulk emails may be rejected.
People Also Ask
**What happens if I don't have a DMARC record?**
Your domain has no protection against spoofing. Anyone can send email appearing to come from your domain. Google and Yahoo also require DMARC for bulk sending, so deliverability will suffer.
**How do I pass DMARC verification?**
Set up valid SPF and DKIM records, then publish a DMARC record. Start with p=none to collect reports, then gradually move to p=quarantine and p=reject as you confirm all legitimate sending is covered.