DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an essential layer of email security for any business or organization that sends email using a custom domain name (like yourcompany.com—not @gmail.com or @outlook.com). If you’re using your own domain, DMARC helps protect it from being exploited in phishing, spoofing, and other types of email-based fraud.
By implementing a DMARC policy, you can instruct receiving email servers on how to handle messages that fail DMARC authentication, and gain valuable reporting data about who is sending mail using your domain (e.g., @yourcompany.com) on your behalf.
What Does a DMARC Record Do?
A DMARC record is a DNS TXT entry that tells the world how your domain handles unauthenticated email. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), both of which validate different aspects of a message’s origin.
With DMARC, you can:
- Monitor – see where your domain is being used to send email—legitimately or otherwise
- Detect – unauthorized or malicious usage
- Protect – your brand and your users from phishing
- Enforce – stricter policies over time as your configuration matures
Common DMARC Policies (with Example Records)
Monitor Mode (p=none)
This is the starting point. Email is not rejected, but reports are sent to help you understand your sending landscape.
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=none; fo=1;
Quarantine Mode (p=quarantine)
Messages that fail DMARC checks may be placed in the recipient’s spam folder.
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=reject; adkim=s; aspf=s; pct=100; fo=1;
Reject Mode (p=reject)
Failing messages are outright rejected—never delivered to inbox or spam. This is the most protective setting and should be used once your email ecosystem is fully aligned.
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=reject; adkim=s; aspf=s; pct=100; fo=1;
DMARC Tag Breakdown
- v=DMARC1 – Declares the DMARC protocol version (always DMARC1 for now).
- p= (Policy) – Defines the policy for your domain: none, quarantine, or reject.
- sp= (Subdomain Policy) – Specifies the policy for subdomains. Example: sp=reject means subdomain emails failing DMARC should also be rejected.
- adkim= (DKIM Alignment Mode)
  - s (Strict): The d= domain in the DKIM signature must exactly match the “From” domain.
  - r (Relaxed): A subdomain match is acceptable (e.g., mail.example.com passes for example.com).
- aspf= (SPF Alignment Mode)
  - s (Strict): The Mail From domain must exactly match the “From” domain.
  - r (Relaxed): A subdomain match is acceptable.
- pct= (Percentage) – Percentage of email to apply the policy to. pct=100 enforces it on all messages.
- rua= (Aggregate Reports) – Email address to send aggregate DMARC reports, which summarize authentication results across many messages.
- ruf= (Failure Reports) – Email address to send detailed failure reports (if supported by the recipient server).
- fo= (Failure Options)
  - fo=1 – Generate a report if either SPF or DKIM fails.
  - fo=0 – Only send if both fail.
  - fo=d – Generate report if DKIM fails.
  - fo=s – Generate report if SPF fails.
What Is Alignment in DMARC?
Alignment means that the domain in the email’s visible “From” header must match (exactly or partially) the domain authenticated via SPF and DKIM.
Strict Alignment (s): Only passes if domains match exactly.
Relaxed Alignment (r): Allows subdomains to pass.
Example of Relaxed DKIM Alignment:
If the DKIM signature includes d=example.com, a message with a “From:” header of info.mail.example.com would still pass in relaxed mode.
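The tag rules and alignment modes described above can be checked in code. The following Python sketch is an added example, not code from Forward Technologies: it parses a DMARC record, fills in the defaults for absent tags, and decides whether a message passes or falls under the p= policy. Assumptions: the function names are illustrative, the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List, and sp= and pct= are parsed but not applied.

```python
POLICIES = {"none", "quarantine", "reject"}
ENUMS = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if invalid."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    # Defaults when a tag is absent: relaxed alignment, sp inherits p, pct=100.
    tags = {"adkim": "r", "aspf": "r", "sp": tags["p"], "pct": "100", **tags}
    for name, allowed in ENUMS.items():
        tags[name] = tags[name].lower()
        if tags[name] not in allowed:
            raise ValueError(f"bad value for {name}: {tags[name]!r}")
    if not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        raise ValueError(f"bad pct: {tags['pct']!r}")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List (this shortcut is wrong for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    a, b = (d.lower().rstrip(".") for d in (from_domain, auth_domain))
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass' or the p= policy to apply to the message.
    spf_domain / dkim_domain: the Mail From / d= domain that passed its own
    check, or None if that check failed. sp= and pct= are not applied here."""
    t = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, t["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, t["adkim"])
    return "pass" if spf_ok or dkim_ok else t["p"]

if __name__ == "__main__":
    # Quarantine record from this page; the message domains are constructed.
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=reject; adkim=s; aspf=s; pct=100; fo=1;"
    print(evaluate(rec, "example.com", dkim_domain="mail.example.com"))
```

Under the strict record, a DKIM signature from mail.example.com no longer aligns with a From domain of example.com, which is why sources should be confirmed in reports before tightening adkim= and aspf=.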
Why DMARC Matters for Your Business
Without DMARC, anyone can send spoofed emails using your domain. That’s not just a security risk—it’s a reputation risk. If phishing messages are sent pretending to be you, your customers may lose trust, and you may be blacklisted.
DMARC helps:
- Block fake emails impersonating your domain
- Provide visibility into all mail sources using your domain
- Improve deliverability for legitimate mail by demonstrating trustworthiness
- Comply with increasing industry requirements (especially in finance, healthcare, and education)
Need Help with DMARC Setup or Strategy?
At Forward Technologies, we help businesses of all sizes properly configure, monitor, and enforce DMARC. Whether you’re just starting with a p=none policy or ready to lock things down with p=reject, we’ll make sure your domain is protected without disrupting legitimate email flow.