What does your DMARC policy mean?
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when they receive an email claiming to be from your domain that fails authentication checks. There are three policy levels:
p=none
Monitor mode. Spoofed emails pass through as normal. You receive reports (if rua is set) but no action is taken. Your domain can be freely spoofed.
p=quarantine
Suspicious emails go to spam. Better than none, but spam is still checked by many users. A stepping stone toward reject — not a final destination.
p=reject
The only policy that fully protects your domain. Spoofed emails are rejected at the server and never reach anyone's inbox. Target state for all domains.
How DMARC works with SPF and DKIM
DMARC doesn't work alone. It relies on two underlying authentication mechanisms:
- SPF — Specifies which mail servers are authorised to send email on behalf of your domain. Checked via a TXT record at your root domain.
- DKIM — Adds a cryptographic signature to outbound emails, letting receivers verify the email wasn't tampered with and came from an authorised source.
- DMARC — Sets the policy for what happens when SPF and/or DKIM fail. It also enables aggregate reports so you can see who is sending email on your domain's behalf.
DMARC enforcement (p=reject) only works correctly when SPF and DKIM are both properly configured for all your legitimate sending sources (your email server, marketing tools, transactional email services, etc.).
Frequently asked questions
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS-based email authentication standard. It tells receiving mail servers what to do with emails that claim to be from your domain but fail SPF and DKIM checks — letting you block email spoofing and phishing that impersonates your brand.
What is the difference between p=none, p=quarantine, and p=reject?
- p=none: Monitor mode — spoofed emails are delivered normally. Useful only for the initial monitoring phase.
- p=quarantine: Suspicious emails go to spam/junk. Better protection, but recipients can still see them.
- p=reject: Spoofed emails are rejected at the server and never reach inboxes. This is the only policy that fully protects your domain.
Will DMARC p=reject break my email?
It can, if you have third-party services sending email on your domain's behalf that aren't covered by SPF or DKIM. This is why you start with p=none, review the aggregate reports, and ensure all legitimate senders are authorised before tightening to quarantine and then reject. Moving too quickly is the most common mistake.
What are the rua and ruf tags?
rua (Reporting URI for Aggregate) specifies where to send daily XML aggregate reports — summary data on all emails claiming to be from your domain. ruf (Reporting URI for Forensic) requests individual failure reports for messages that fail DMARC. rua is far more widely supported and the more important one to configure.
How often does my DMARC record change, and how do I get alerted?
Your DMARC record can be changed accidentally or by an attacker who gains access to your DNS provider. Changes are invisible unless you're actively monitoring. EdgeIQ's Inbox Shield monitors your DMARC, SPF, and DKIM records weekly and alerts you immediately if anything changes or degrades.
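An added example, not part of the original page and not Inbox Shield's code: a minimal check for the kind of change described above. It parses a DMARC TXT value and compares two snapshots of it to flag a weakened policy or a changed rua address. The function names and sample records are constructed for illustration, and only the v, p and rua tags are handled.

```python
# Added example: parse a DMARC TXT value and compare two snapshots of it.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:  # skips the empty segment after a trailing ';'
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 is missing")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in STRENGTH:
        raise ValueError("missing or unknown p= policy")
    return tags


def assess(txt):
    """Findings for one record, in the terms used on this page."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitor mode, spoofed mail is still delivered")
    elif tags["p"] == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam, not rejected")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports will be sent")
    return findings


def compare(old_txt, new_txt):
    """Describe what changed between two snapshots of the record."""
    old, new = parse_dmarc(old_txt), parse_dmarc(new_txt)
    changes = []
    if STRENGTH[new["p"]] < STRENGTH[old["p"]]:
        changes.append(f"policy weakened: {old['p']} -> {new['p']}")
    if old.get("rua") != new.get("rua"):
        changes.append(f"rua changed: {old.get('rua')} -> {new.get('rua')}")
    return changes


if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder domain.
    before = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    after = "v=DMARC1; p=none"
    print(assess(after))
    print(compare(before, after))
```

Feed it the TXT value published at _dmarc.<your domain> on each check and keep the previous value to compare against.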
My domain has no DMARC record — how urgent is this?
Very. Without a DMARC record, anyone can send email appearing to come from your CEO, your support team, or any address at your domain — with no technical barrier. This enables CEO fraud, supplier invoice fraud, and phishing attacks against your customers. Adding even a p=none record with rua reporting is a better starting point than nothing.
Monitor your DMARC record automatically
Inbox Shield checks your DMARC, SPF, and DKIM records weekly and alerts you the moment anything changes, degrades, or breaks — before attackers can exploit it.