What DMARC actually is

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It's an email validation protocol built on top of SPF and DKIM that tells receiving mail servers what to do when an email fails authentication checks.

Without DMARC, anyone can forge the "From" address on emails sent from your domain. That email asking the CFO to wire $47,000 to a new account? It can look like it came from your CEO's address. DMARC is the control that makes that kind of impersonation significantly harder.

Why it matters for your team

If you're running a SaaS product or any business that sends email on behalf of your brand, your domain's reputation is an asset. Here's what DMARC actually protects:

• Phishing protection — attackers can't cheaply impersonate your domain in spoofed emails
• Deliverability — major inbox providers (Google, Microsoft, Yahoo) now require DMARC alignment for bulk senders
• Brand trust — customers and partners can verify that emails from your domain are legitimate
• Visibility — DMARC aggregate reports show every sender currently using your domain, including the ones you forgot about

How to check your current DMARC record

The fastest way is to do a DNS lookup for a _dmarc.yourdomain.com TXT record. Here's how:

Option 1 — Use a DMARC checker (recommended)

Run your domain through EdgeIQ's free DMARC checker and get a full breakdown of your record, policy level, and alignment status in seconds.

Option 2 — Command line lookup

dig TXT _dmarc.yourdomain.com +short

Or on macOS:

nslookup -type=TXT _dmarc.yourdomain.com

Option 3 — Online lookup tool

MXToolbox, Google Admin Toolbox, and many others offer free DMARC record lookups. Paste your domain and read the raw TXT record output.

Reading your DMARC record

A published DMARC record looks something like this:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; fo=1; adkim=s; aspf=s

Here's what each piece means:

• v=DMARC1 — version identifier, always the first value
• p=<policy> — what receivers should do with unauthenticated email (the critical setting)
• rua — email address for aggregate reports (where failures show up)
• fo — reporting options for failure events
• adkim — DKIM alignment mode (s = strict, r = relaxed)
• aspf — SPF alignment mode (s = strict, r = relaxed)

The three DMARC policy levels explained

This is the most important part. Your p= value determines what happens to email that fails DMARC checks:

p=none — Monitoring only

Receivers take no action on failing messages. You get reports, but you're not protected. This is the right starting point to collect baseline data, not a destination.

p=quarantine — Probation

Failing messages get moved to spam or junk. Not blocked outright, but significantly degraded deliverability for unauthenticated senders impersonating your domain. A reasonable mid-stage policy.

p=reject — Full enforcement

Receivers block unauthenticated messages entirely. This is the target. When your DMARC record is healthy and your legitimate senders are all aligned, p=reject is what you want. It means attackers cannot get spoofed emails delivered from your domain.

Common reasons your record might fail

• No DMARC record published at all
• SPF and DKIM aren't configured for all legitimate sending platforms
• Mixed alignment modes (strict vs relaxed) causing false failures
• A sender adding a new tool (CRM, support platform, transactional provider) without updating SPF
• Subdomains sending mail without their own DMARC record or a wildcard policy

DMARC compliance checklist

What to do next

Start by checking what your domain currently says. If you don't have a DMARC record yet, that's the first thing to fix. If you do but it's at p=none, move it forward once you've reviewed the reports and confirmed your legitimate senders are aligned.

For a quick, automated readout of your domain's DMARC status — including policy level, record syntax, and alignment flags — use the EdgeIQ DMARC checker below.