DMARC (Domain-based Message Authentication, Reporting & Conformance) protects your domain from being used in phishing and spoofing attacks. It works alongside DKIM and SPF to verify that emails claiming to come from your domain are actually authorized by you. This article explains how DMARC works, what the different policy levels mean, and how to use it effectively.
When you'll need this
Read this article if you want to understand what DMARC does before setting it up, you're deciding which DMARC policy to use, you want to understand DMARC reporting, or you already have a DMARC record and want to know how it works with SendX.
Why DMARC matters
DKIM and SPF are powerful on their own, but they have a gap. They authenticate emails, but they don't tell inbox providers how to handle failures. A spoofed email might fail DKIM, yet still land in someone's inbox because the receiving server didn't know what action to take.
DMARC closes that gap. It gives you, the domain owner, control over what happens to unauthenticated emails. It also provides visibility through reporting, so you can see who is sending email using your domain, whether legitimately or not.
For email marketers specifically, DMARC is no longer optional. Gmail and Yahoo now require DMARC for bulk senders. Without it, your campaigns may be filtered to spam or rejected outright.
How DMARC works
When an inbox provider receives an email claiming to be from your domain, it performs a series of checks:
SPF Check: Is the sending server authorized to send on behalf of this domain?
DKIM Check: Does the email have a valid digital signature?
Alignment Check: Does the "From" address match the domain used in SPF or DKIM?
DMARC passes when at least one of SPF or DKIM both passes and aligns with the domain in your "From" address. If neither does, the inbox provider looks at your DMARC policy to decide what to do next.
DMARC policies explained
Your DMARC record includes a policy (the p= tag) that tells inbox providers how to treat emails that fail authentication. There are three options:
p=none (Monitor Only)
Emails that fail authentication are still delivered normally. This policy is used for monitoring. You'll receive reports showing which emails passed or failed, but no action is taken against failures.
This is the recommended starting point. It lets you see what's happening with your domain without risking legitimate emails being blocked.
p=quarantine
Emails that fail authentication are sent to the recipient's spam or junk folder. They're not outright rejected, but they won't reach the inbox.
This is a middle-ground policy. It protects recipients from suspicious emails while giving legitimate senders a chance to fix authentication issues.
p=reject
Emails that fail authentication are blocked entirely. They never reach the recipient, not even in spam.
This is the strictest policy and offers maximum protection against spoofing. However, it can cause problems if you have legitimate email sources that aren't properly authenticated. Only move to p=reject once you're confident all your authorized senders are set up correctly.
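The checks from "How DMARC works" and the three policies above, combined into one receiver-side decision. This is an added example, not SendX or inbox-provider code. It assumes relaxed alignment (the DMARC default) and approximates the organizational domain as the last two labels of a name; the `Message` fields and sample domains are constructed.

```python
# Added illustration of a receiver's DMARC decision; not SendX or provider code.
from dataclasses import dataclass

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    # Relaxed alignment (the DMARC default): same organizational domain.
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    header_from: str   # domain in the visible "From" address
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was checked on
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= domain of the DKIM signature

def dmarc_passes(msg):
    # A check only counts if it passes AND its domain aligns with "From".
    spf_ok = msg.spf_result == "pass" and aligned(msg.header_from, msg.spf_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.header_from, msg.dkim_domain)
    return spf_ok or dkim_ok

def disposition(msg, policy):
    # The p= policy is consulted only when DMARC fails.
    if dmarc_passes(msg):
        return "deliver"
    return {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy]

# Constructed samples. The first is mail sent through a third-party platform:
# SPF passes for the platform's own bounce domain (unaligned), DKIM is signed
# with the owner's domain (aligned). The second passes SPF for an unrelated
# domain and carries no DKIM signature, so nothing aligns with "From".
VIA_PLATFORM = Message("yourdomain.com", "pass", "bounce.esp.example",
                       "pass", "mail.yourdomain.com")
UNALIGNED = Message("yourdomain.com", "pass", "other.example", "none", "")

if __name__ == "__main__":
    for name, msg in (("via platform", VIA_PLATFORM), ("unaligned", UNALIGNED)):
        for policy in ("none", "quarantine", "reject"):
            print(f"{name:13} p={policy:10} -> {disposition(msg, policy)}")
```

The second sample shows why a bare SPF pass is not enough: the check passed for a domain that does not match "From", so the message fails DMARC and the policy decides its fate.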
DMARC reporting: rua and ruf
One of DMARC's most valuable features is reporting. When you publish a DMARC record, you can request reports from inbox providers about emails sent using your domain.
rua (Aggregate Reports)
These are daily summary reports sent to the email address you specify. They show:
How many emails were sent using your domain
Which ones passed or failed authentication
Where they were sent from (IP addresses)
Aggregate reports help you understand the big picture. Are there senders you didn't know about? Are legitimate emails failing authentication?
Example in a DMARC record: rua=mailto:dmarc-reports@yourdomain.com
ruf (Forensic Reports)
These are detailed reports sent in near real-time for individual emails that fail authentication. They include more specific information about each failure.
Forensic reports are useful for investigating specific issues, but not all inbox providers send them due to privacy concerns. They can also generate a high volume of messages.
Example in a DMARC record: ruf=mailto:dmarc-forensics@yourdomain.com
For most email marketers, aggregate reports (rua) provide enough visibility. Forensic reports are optional and typically used by organizations with dedicated security teams.
What a DMARC record looks like
A DMARC record is a TXT record added to your domain's DNS. Here's a simple example:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Breaking it down:
v=DMARC1: Identifies this as a DMARC record (required)
p=none: The policy (none, quarantine, or reject)
rua=mailto:dmarc@yourdomain.com: Where to send aggregate reports
A more complete record might look like:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
The pct=100 means the policy applies to 100% of emails. You can set a lower percentage during testing (like pct=10) to apply the policy to only a portion of your traffic while you monitor results.
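A record with a typo is silently ignored by receivers, so it helps to check the value before publishing it. The validator below is an added example, not SendX tooling; it covers only the tags this article describes (v, p, pct, rua, ruf), and the `parse_dmarc` name and the warning text are this example's own.

```python
# Added example: a small validator for DMARC TXT values; not SendX tooling.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tags this article covers, or raise ValueError."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"malformed tag: {pair!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    # v=DMARC1 must be the first tag, or receivers ignore the record.
    if not pairs or next(iter(tags.items())) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError(f"p= must be one of {sorted(POLICIES)}")
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdecimal() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct= must be 0-100, got {pct!r}")
    result = {"policy": policy, "pct": int(pct), "warnings": []}
    for key in ("rua", "ruf"):            # comma-separated report addresses
        uris = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
        for uri in uris:
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                raise ValueError(f"{key}= entry is not a mailto: address: {uri!r}")
        result[key] = uris
    if policy == "none" and not result["rua"]:
        result["warnings"].append("p=none without rua: no enforcement, no reports")
    return result

# The two records shown in this article.
SIMPLE = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
COMPLETE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

if __name__ == "__main__":
    for record in (SIMPLE, COMPLETE):
        print(parse_dmarc(record))
```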
DMARC in SendX
When you authenticate your domain in SendX, we provide a DMARC record for you to add to your DNS. By default, SendX recommends a simple, compliant DMARC record that meets Gmail and Yahoo's requirements.
If you already have a DMARC record on your domain with a different policy (for example, p=quarantine or p=reject), SendX can detect and respect your existing policy. You don't need to change it. Just make sure your DKIM records for SendX are in place so your emails pass authentication under your existing DMARC policy.
The right way to roll out DMARC
If you're new to DMARC, don't jump straight to p=reject. Here's a safer approach:
Step 1: Start with p=none
Publish a DMARC record with p=none and an rua address to receive reports. Monitor for 2-4 weeks to see all the sources sending email on your domain's behalf.
Step 2: Authenticate all legitimate senders
Make sure every service that sends email for you (marketing platforms, CRMs, transactional email tools, etc.) has proper DKIM set up. Fix any gaps you discover in the reports.
Step 3: Move to p=quarantine
Once you're confident legitimate emails are authenticated, switch to p=quarantine. Monitor your reports and email deliverability for any issues.
Step 4: Move to p=reject (optional)
If you want maximum protection and have verified everything is working, move to p=reject. This fully blocks unauthenticated emails.
Many businesses stay at p=quarantine indefinitely, and that's perfectly fine. The important thing is having DMARC in place with at least p=none to meet inbox provider requirements.
Common questions
What DMARC policy should I use?
Start with p=none if you're new to DMARC. This lets you monitor email activity without affecting delivery. Once you've verified all legitimate senders are authenticated, you can move to p=quarantine or p=reject.
I already have a DMARC record. Do I need to change it for SendX?
No. If you have an existing DMARC record, keep it. Just make sure you add the DKIM records SendX provides so your emails authenticate properly under your current policy.
Will a strict DMARC policy block my marketing emails?
Only if those emails aren't properly authenticated. As long as your DKIM records are set up correctly in SendX, your emails will pass DMARC regardless of your policy level.
Do I need to read DMARC reports?
You don't have to, but they're useful. Reports help you spot unauthorized senders using your domain and identify legitimate emails that might be failing authentication. If you'd rather not manage reports yourself, third-party DMARC monitoring services can process and visualize them for you.
What happens if I don't set up DMARC?
Your emails may be filtered to spam or rejected by Gmail, Yahoo, and other providers that require DMARC for bulk senders. You also lose visibility into who is using your domain to send email.
Can I use a subdomain for DMARC?
Yes. DMARC records can be set at the subdomain level. If you're sending from mail.yourdomain.com, you can have a separate DMARC policy for that subdomain. However, if no subdomain policy exists, the parent domain's DMARC policy applies.
