DMARC Policy
Domain-based Message Authentication, Reporting & Conformance
What is DMARC?
DMARC builds on SPF and DKIM to tell receiving mail servers what to do with emails that fail authentication checks, and provides reporting on email authentication results.
Why is it important?
DMARC protects your domain from being used in phishing and spoofing attacks, improves email deliverability, and gives you visibility into who is sending emails on behalf of your domain.
Impact
Without proper DMARC policy, your domain can be easily spoofed, damaging your brand reputation and exposing your customers to phishing attacks.
Current Configuration
- Domainexample.com
- DMARC Policyp=none
- Aggregate Reportsrua@example.com
- Last CheckedDecember 3, 2025 - 10:30 AM
- StatusNeeds Improvement
DMARC Policy Levels
None
Monitoring OnlyEmails that fail authentication are still delivered. You receive reports but no action is taken.
- Monitor authentication failures
- Receive aggregate reports
- No protection against spoofing
Quarantine
RecommendedEmails that fail authentication are marked as spam or sent to the junk folder.
- Good protection level
- Failed emails quarantined
- Safe transition from "none"
Reject
Maximum SecurityEmails that fail authentication are completely rejected and never delivered.
- Maximum protection
- Failed emails rejected
- Best brand protection
How to Upgrade Your DMARC Policy
- Ensure your SPF and DKIM records are properly configured and working correctly.
- Log in to your domain registrar or DNS hosting provider's control panel.
- Navigate to the DNS management section for your domain (example.com).
- Locate your existing DMARC TXT record (or create one if missing) at _dmarc.example.com
- Update the policy from "p=none" to "p=quarantine" for initial protection:v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1
- Monitor your DMARC reports for 2-4 weeks to ensure legitimate emails are passing.
- Once confident, upgrade to "p=reject" for maximum protection:v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1
- Save the DNS record and wait for propagation (typically 15 minutes to 48 hours).
DMARC Record Tags Explained
- v=DMARC1Protocol version (required)
- p=none/quarantine/rejectPolicy for domain
- sp=none/quarantine/rejectPolicy for subdomains (optional)
- rua=mailto:addressAggregate report email
- ruf=mailto:addressForensic report email
- pct=100Percentage of emails to filter
- adkim=s/rDKIM alignment mode (strict/relaxed)
- aspf=s/rSPF alignment mode (strict/relaxed)
Recommended DMARC Records
Start with monitoring, then gradually increase protection:
Phase 1 - Monitoring (Start Here):
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100
Phase 2 - Quarantine (After 2-4 weeks):
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100; fo=1
Phase 3 - Reject (Maximum Protection):
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; pct=100; adkim=s; aspf=s; fo=1
With Subdomain Policy:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com; pct=100