
    DMARC Explained - Policy, Alignment, and Reports

    Learn how DMARC uses SPF and DKIM alignment to stop domain spoofing, how p=none/quarantine/reject works, and how to roll out DMARC safely.


    TL;DR

    DMARC tells receivers what to do when mail claiming to be from your domain fails SPF/DKIM alignment. Publish it as a TXT record at _dmarc.example.com. Start with p=none and aggregate reports, identify every legitimate sender, move to p=quarantine, then p=reject. DMARC is the policy layer that turns SPF and DKIM from signals into enforceable protection against visible From-domain spoofing.

    What you'll learn

    • Understand DMARC alignment and policy enforcement
    • Publish a correct DMARC TXT record
    • Use aggregate reports to discover legitimate and abusive senders
    • Roll out from monitoring to reject without breaking mail

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer for email authentication. It uses SPF and DKIM, checks whether either aligns with the visible From domain, and tells receivers what to do when alignment fails.

    Without DMARC, SPF and DKIM are useful signals. With DMARC, they become an enforceable anti-spoofing policy.

    What DMARC Solves

    Attackers spoof the visible From: header because that is what users see. SPF alone may pass for an envelope (MAIL FROM) domain that has nothing to do with the visible From domain. DKIM alone may pass for a signature from a third-party domain. DMARC asks the question that actually matters:

    Does this message authenticate as the domain shown to the user?

    DMARC passes if:

    • SPF passes and the SPF-authenticated domain aligns with the From domain, or
    • DKIM passes and the DKIM d= domain aligns with the From domain

    Only one aligned pass is required.

    DMARC DNS Record

    Publish DMARC as a TXT record at _dmarc.example.com:

    _dmarc.example.com.  3600  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

    Common tags:

    Tag            Meaning
    v=DMARC1       Version marker. Must be the first tag.
    p=none         Monitor only. No enforcement.
    p=quarantine   Treat failing mail as suspicious, typically by delivering it to spam/junk.
    p=reject       Reject failing mail during the SMTP transaction.
    rua=           Aggregate report destination (a mailto: URI).
    ruf=           Failure ("forensic") report destination. Less widely supported, and reports can include message content.
    pct=           Percentage of failing mail the quarantine/reject policy applies to (default 100).
    sp=            Policy for subdomains. Defaults to the p= value when absent.
    adkim=         DKIM alignment mode: r (relaxed, default) or s (strict).
    aspf=          SPF alignment mode: r (relaxed, default) or s (strict).
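    The checks in the table above are easy to get wrong by hand, so here is an added example (not code from the original page or from DNScale) that parses the TXT string(s) found at _dmarc.<domain> and reports the usual mistakes: a missing or misspelled p=, v=DMARC1 not first, a pct= outside 0-100, non-mailto report URIs, a weaker sp= than p=, and more than one DMARC record, which makes receivers ignore all of them. Feed it every TXT string the name returns.

```python
"""Parse and sanity-check the TXT record(s) found at _dmarc.<domain>.

Added example, not code from the original page or from DNScale. Pass in
every TXT string returned for _dmarc.<domain>; the checks mirror the tag
table above.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into an insertion-ordered dict. Raises ValueError on junk."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value.strip()
    return tags


def validate_dmarc(txt_records: list) -> list:
    """Return a list of problems; an empty list means the record looks sound."""
    dmarc = [r for r in txt_records if "v=dmarc1" in r.lower()]
    if not dmarc:
        return ["no DMARC record: nothing at _dmarc contains v=DMARC1"]
    if len(dmarc) > 1:
        # Receivers discard all of them, which silently means "no policy".
        return [f"{len(dmarc)} DMARC records published; receivers will ignore every one of them"]
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return [str(exc)]

    problems = []
    if next(iter(tags)) != "v" or tags.get("v", "").upper() != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        problems.append(f"invalid policy p={policy}")
    sub = tags.get("sp")
    if sub is not None and sub not in VALID_POLICIES:
        problems.append(f"invalid subdomain policy sp={sub}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag}= must be r or s")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}= URI is not a mailto: address: {uri.strip()}")
    if "rua" not in tags:
        problems.append("no rua=; you will receive no aggregate reports")
    if policy in ("quarantine", "reject") and sub == "none":
        problems.append("sp=none leaves subdomains unenforced while the apex enforces")
    return problems


if __name__ == "__main__":
    for rec in (["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
                ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
                ["v=DMARC1; p=reject; sp=none; pct=250"]):
        print(rec, "->", validate_dmarc(rec) or "OK")
```

    The list passed in is deliberately every TXT string at the name, not just the one that looks like DMARC: the duplicate-record mistake only shows up when you look at all of them.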

    Rollout Plan

    Phase 1: Monitor

    v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

    Run this for at least two to four weeks. Identify all legitimate senders: workspace mail, transactional email, marketing tools, support systems, billing systems, and internal apps.

    Phase 2: Fix Authentication

    For every legitimate sender:

    • SPF includes the sender or its bounce domain.
    • DKIM signing is enabled.
    • DKIM d= aligns with your From domain where possible.
    • Third-party platforms use verified sending domains.

    Phase 3: Quarantine

    v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com

    Increase pct gradually:

    pct=25 -> pct=50 -> pct=100

    pct samples only failing mail. Messages not selected get the next weaker treatment (none while p=quarantine, quarantine while p=reject), so only pct=100 enforces fully.

    Phase 4: Reject

    v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; sp=reject

    This is the target state for domains that send mail. sp=reject is redundant here because sp= defaults to p=, but stating it makes the intent explicit. Domains that never send mail should publish p=reject as well, ideally alongside an SPF record of v=spf1 -all, so nobody can borrow the domain.
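    Phases 1 and 2 depend on actually reading the aggregate reports, so here is an added example (not code from the original page or from DNScale) that summarizes one rua XML report and splits the sources that fail DMARC into two buckets: those that authenticate somewhere but not for the From domain (usually a legitimate third party whose DKIM or SPF needs aligning) and those with no passing check at all (unknown hosts or plain spoofing). The XML is a constructed report in the shape receivers send, not real data.

```python
"""Summarize a DMARC aggregate (rua) report by sending source.

Added example, not code from the original page or from DNScale. The XML
below is a constructed report in the shape receivers send (one <record>
per source IP / auth-result combination), not real data.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.20</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><result>pass</result></dkim>
      <spf><domain>esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published domain, one dict per <record>)."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        dkim = rec.find("auth_results/dkim")
        spf = rec.find("auth_results/spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": pe.findtext("disposition"),
            # <policy_evaluated> holds the *aligned* results; either one passing is a DMARC pass.
            "dmarc_pass": "pass" in (pe.findtext("dkim"), pe.findtext("spf")),
            # <auth_results> holds the raw results plus the domain each check authenticated.
            "dkim": (dkim.findtext("domain"), dkim.findtext("result")) if dkim is not None else None,
            "spf": (spf.findtext("domain"), spf.findtext("result")) if spf is not None else None,
        })
    return domain, rows


def classify_failures(rows):
    """Split DMARC-failing sources into (misaligned, unauthenticated) lists of (ip, count)."""
    misaligned, unauthenticated = [], []
    for r in rows:
        if r["dmarc_pass"]:
            continue
        raw_pass = any(res and res[1] == "pass" for res in (r["dkim"], r["spf"]))
        (misaligned if raw_pass else unauthenticated).append((r["source_ip"], r["count"]))
    return misaligned, unauthenticated


if __name__ == "__main__":
    domain, rows = summarize_report(SAMPLE_REPORT)
    mis, unauth = classify_failures(rows)
    print(f"report for {domain}: {len(rows)} records")
    print("fix these senders before enforcing:", mis)
    print("these never authenticated for the domain:", unauth)
```

    On the constructed report, 198.51.100.20 is the classic Phase 2 case: an ESP passes SPF and DKIM for its own domain, so the mail is legitimate but will be quarantined or rejected the moment you enforce. 203.0.113.7 authenticates nothing and is exactly what the reject policy is for.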

    Strict vs Relaxed Alignment

    Relaxed alignment allows organizational-domain matches:

    • From: example.com
    • DKIM d: mail.example.com
    • Result: aligned in relaxed mode

    Strict alignment requires exact domain match:

    • From: example.com
    • DKIM d: mail.example.com
    • Result: not aligned in strict mode

    Most domains start with relaxed alignment. Strict alignment is useful for high-control environments after all senders are understood.
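    The pass rule from "DMARC passes if" and the relaxed/strict distinction above, as an added example (not code from the original page or from DNScale): it derives the organizational domain, checks alignment in either mode, and applies the "one aligned pass is enough" rule to a message's SPF and DKIM results. Real receivers take the organizational domain from the Public Suffix List; PUBLIC_SUFFIXES here is a tiny constructed stand-in for it (an assumption).

```python
"""DMARC alignment check for one message, relaxed (r) or strict (s).

Added example, not code from the original page or from DNScale. Real
receivers take the organizational domain from the Public Suffix List;
PUBLIC_SUFFIXES is a tiny constructed stand-in for it (an assumption).
"""

# Constructed subset of public suffixes, just enough for the cases below.
PUBLIC_SUFFIXES = {"com", "net", "org", "eu", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label below the longest public suffix that matches."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode is the adkim=/aspf= value: 's' needs an exact match, 'r' an organizational one."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError("alignment mode must be 'r' or 's'")


def dmarc_result(from_domain, spf_result, spf_domain, dkim_results, adkim="r", aspf="r"):
    """Apply the DMARC pass rule and return (verdict, reason).

    spf_domain is the domain SPF authenticated (MAIL FROM, or HELO when MAIL
    FROM is empty). dkim_results lists (d= domain, result) for every signature
    on the message; a single aligned pass from either method is enough.
    """
    if spf_result == "pass" and spf_domain and aligned(from_domain, spf_domain, aspf):
        return "pass", f"spf pass for {spf_domain} aligns with {from_domain}"
    for d, result in dkim_results:
        if result == "pass" and aligned(from_domain, d, adkim):
            return "pass", f"dkim pass for d={d} aligns with {from_domain}"
    return "fail", "no passing SPF or DKIM identifier aligns with the From domain"


if __name__ == "__main__":
    # Forwarded mail: SPF breaks, the DKIM signature survives and still aligns.
    print(dmarc_result("example.com", "fail", "bounce.example.com", [("example.com", "pass")]))
    # Third-party ESP signing with its own domain: both checks pass, nothing aligns.
    print(dmarc_result("example.com", "pass", "esp.example", [("esp.example", "pass")]))
    # Subdomain signature: fine in relaxed mode, rejected in strict mode.
    print(dmarc_result("example.com", "none", "", [("mail.example.com", "pass")], adkim="r"))
    print(dmarc_result("example.com", "none", "", [("mail.example.com", "pass")], adkim="s"))
```

    The forwarded-mail case is why the FAQ says DKIM alignment often saves messages that SPF loses, and the ESP case is why "SPF pass" or "DKIM pass" on its own tells you nothing about DMARC.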

    DNScale Setup

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer YOUR_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "_dmarc",
        "type": "TXT",
        "content": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "ttl": 3600
      }'

    Validation

    dig TXT _dmarc.example.com +short

    Check received headers:

    Authentication-Results: mx.example;
      spf=pass smtp.mailfrom=bounce.example.com;
      dkim=pass header.d=example.com;
      dmarc=pass header.from=example.com

    The key result is dmarc=pass. In this sample both methods contribute: SPF authenticated bounce.example.com, which aligns with example.com in relaxed mode, and DKIM signed with d=example.com, which aligns exactly. Either one alone would have been enough.

    Common Mistakes

    • Starting with p=reject before discovering all senders
    • Sending reports to a mailbox nobody parses
    • Publishing multiple DMARC records
    • Weakening subdomains with sp=none while the apex enforces (sp= inherits p= when absent, so only set it deliberately)
    • Assuming SPF pass automatically means DMARC pass
    • Not enabling DKIM on third-party senders

    Frequently asked questions

    Where is a DMARC record published?
    Publish DMARC as a TXT record at _dmarc.yourdomain. The value starts with v=DMARC1 and includes a policy such as p=none, p=quarantine, or p=reject.
    What does DMARC alignment mean?
    Alignment means the authenticated SPF or DKIM domain matches, or organizationally matches, the visible From domain. DMARC passes if either SPF or DKIM passes and aligns.
    Should I start with p=reject?
    No. Start with p=none and aggregate reports. Use reports to find legitimate senders, fix SPF/DKIM, then move to quarantine and finally reject.
    What are rua and ruf?
    rua is the address for aggregate reports, usually daily XML summaries. ruf is for forensic failure reports, which are less widely sent and can contain sensitive data. Most deployments start with rua only.
    Why does DMARC fail when SPF passes?
    SPF can pass for the envelope sender while failing alignment with the visible From domain. DMARC requires authentication plus alignment. DKIM alignment often saves forwarded mail where SPF breaks.
