SPF tells receiving servers which IPs are authorized to send for your domain. DKIM proves a message was not tampered with after leaving your server. Both are useful — but neither tells receiving servers what to do when an email fails those checks. That gap is exactly what DMARC (Domain-based Message Authentication, Reporting, and Conformance) closes. Without DMARC, a phishing email that fails SPF and DKIM might still land in someone's inbox because the receiving server has no clear instruction. With DMARC at p=reject, that same email gets deleted before any human sees it.
How DMARC Works
DMARC is a DNS TXT record published at _dmarc.yourdomain.com. When a receiving mail server gets a message claiming to be from your domain, it checks two things: did the message pass SPF or DKIM, and does the domain in the From: header align with the domain that passed those checks? If either condition fails, the receiving server refers to your DMARC policy to decide what to do next.
The DMARC record has three enforcement levels:
- p=none — Monitor-only mode. Authentication failures are reported back to you but no action is taken on the message. Use this during initial setup to understand your sending environment without accidentally blocking legitimate mail.
- p=quarantine — Failed messages are routed to the spam or junk folder rather than the inbox. A step up from none; you've started enforcing without going straight to rejection.
- p=reject — Failed messages are rejected outright by the receiving server. They never reach the inbox, spam folder, or any other folder. This is the target state for full protection.
DMARC Alignment: The Key Concept
DMARC introduces a concept called alignment that catches a category of spoofing that SPF and DKIM alone cannot stop. An attacker can own evil-domain.com, pass SPF for that domain, but set the From: header to yourcompany.com. Without DMARC, this passes SPF technically. With DMARC, alignment fails because the domain in the From: header does not match the domain that actually passed SPF.
DMARC alignment comes in two modes:
- Relaxed alignment (default) — The Organizational Domain must match. So SPF passing for
mail.yourcompany.comsatisfies DMARC alignment foryourcompany.com. - Strict alignment (
aspf=soradkim=s) — The exact domain must match.mail.yourcompany.comdoes not satisfy alignment foryourcompany.comunder strict mode.
DMARC Reporting: The Intelligence Layer
The reporting functionality is what separates DMARC from a simple enforcement rule. When you include rua=mailto:reports@yourdomain.com in your DMARC record, every major mail provider — Gmail, Outlook, Yahoo, and many others — sends you aggregate XML reports showing:
- Every IP address that sent mail claiming to be from your domain
- How many messages that IP sent
- Whether those messages passed or failed SPF, DKIM, and DMARC alignment
- The disposition applied (none, quarantine, or reject)
These reports arrive daily and give you a complete picture of your sending ecosystem. You will typically discover services you forgot were sending on your behalf: old transactional email systems, third-party CRMs, vendor notification services. Each one needs to be either authorized (added to SPF, configured with DKIM) or identified as a spoofing attempt.
The ruf tag enables forensic reports — individual message-level failure reports sent in near real time. These are useful for debugging specific delivery failures but contain sensitive message header data, so not all providers send them.
Architecture of a DMARC Record
A complete DMARC TXT record looks like this:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; adkim=r; aspf=r
Breaking down the tags:
v=DMARC1— Required version identifierp=reject— Policy for the organizational domainrua— Aggregate report destination (can be an external service)ruf— Forensic report destinationpct=100— Apply the policy to 100% of failing messages (you can start at a lower percentage during rollout)adkim=r— DKIM alignment: relaxedaspf=r— SPF alignment: relaxedsp=— Optional subdomain policy; if omitted, the organizational domain policy applies to subdomains too
Real-World Use Cases
Stopping phishing campaigns targeting customers: A financial institution publishes p=reject. An attacker crafting phishing emails claiming to be from the bank's domain finds every attempt rejected before it reaches any inbox. Brand impersonation attempts stop working almost immediately.
Onboarding a new marketing platform: A company adding a new email service provider first reviews DMARC aggregate reports to understand current mail flows. They add the new ESP's sending IPs to SPF and configure DKIM signing before moving to p=quarantine, avoiding blocking legitimate campaign emails.
Compliance requirements: PCI DSS, HIPAA-adjacent security frameworks, and cyber insurance requirements increasingly mandate DMARC at p=reject. Organizations using Google Workspace or Microsoft 365 are subject to enforced DMARC requirements for high-volume sending since 2024.
DMARC vs SPF vs DKIM: Comparison
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What it does | Authorizes sending IPs | Cryptographically signs messages | Enforces policy on failures + reports |
| DNS record type | TXT at root domain | TXT at selector._domainkey | TXT at _dmarc subdomain |
| Survives forwarding | No — forwarded mail breaks SPF | Yes — signature travels with the message | Can pass on DKIM alignment even if SPF breaks |
| Stops header spoofing | No | No | Yes — via alignment check |
| Provides reporting | No | No | Yes — daily aggregate XML reports |
| Enforcement action | Soft fail or hard fail hints | Pass/fail signal only | None, quarantine, or reject |
Deploying DMARC: The Safe Rollout Path
Rushing to p=reject without understanding your mail flows is the fastest way to block your own legitimate emails. The recommended progression:
- Publish
p=nonewith rua reporting. Do nothing to enforcement yet. Collect reports for 2–4 weeks. - Analyze reports. Identify every sending source. Authorize legitimate ones through SPF and DKIM. Flag unknown ones as potential threats.
- Move to
p=quarantine; pct=10. Apply quarantine policy to 10% of failing messages. Monitor for legitimate mail being caught. - Increase pct gradually. 10% → 50% → 100% quarantine over several weeks. Fix any legitimate sources that surface.
- Move to
p=reject; pct=100. Full enforcement. Spoofed messages are now rejected at the server level.
Common Misconceptions
Misconception 1: DMARC alone stops all phishing
DMARC stops phishing that uses your exact domain in the From: header. It does not stop lookalike domain attacks — where an attacker registers yourcompany-security.com and sends phishing from that. Those domains are not yours, so your DMARC record has no authority over them. Lookalike domain monitoring requires a separate defensive registration and threat intelligence approach.
Misconception 2: p=none provides some protection
p=none provides zero enforcement. It is purely a monitoring mode. A spoofed email still reaches the inbox if the receiving server respects p=none. Its only value is as a temporary diagnostic step before moving to enforcement.
Misconception 3: Setting up DMARC is a one-time task
Email ecosystems change continuously. New services get onboarded, old ones get replaced, marketing teams add new sending tools without telling IT. DMARC aggregate reports need regular review — at minimum monthly — to catch new unauthorized sending sources before they cause deliverability problems or represent real spoofing attempts.
Misconception 4: DMARC guarantees inbox delivery
DMARC is an authentication standard. Passing DMARC improves deliverability by signaling legitimacy, but it does not override spam filters. A well-authenticated email with poor content, high spam complaint rates, or a damaged sending IP reputation can still go to the junk folder.
Pro Tips for DMARC Implementation
- Use a dedicated DMARC report parsing service (like Validity's DMARC Analyzer, Postmark, or dmarcian) rather than trying to parse raw XML reports yourself. The reports are machine-generated and not human-readable in volume.
- Publish a subdomain policy separately with
sp=rejectif you never send email from subdomains. This closes a common loophole where attackers spoof subdomains that inherit a weaker organizational-domain policy. - For organizations using Microsoft 365 or Google Workspace: both platforms now enforce DMARC for senders above volume thresholds. Verify your DMARC record is in place before reaching those thresholds, not after.
- When combining multiple email services (transactional, marketing, CRM), test each one in a staging environment to confirm it passes DMARC alignment before adding it to production SPF and DKIM configuration.
- Archive DMARC reports for at least 90 days. Historical data is invaluable when investigating a targeted phishing incident — you can see exactly when an attacker's IP first appeared in your report data.
- Set
pctbelow 100 only as a temporary rollout measure. A permanentpct=50policy means 50% of spoofed messages still reach inboxes. The goal is always 100% enforcement.
External processors, TLS, and data handling
When rua=mailto: targets a vendor inbox, receivers must still honor DMARC external destination verification records published under the report domain. HTTPS aggregate endpoints (where supported) avoid mailbox quotas and simplify automated ingestion. Forensic ruf traffic can contain message fragments—treat storage like security telemetry with retention limits and access controls to satisfy GDPR-style minimization expectations.