arrobaMail
Deliverability · Policy

DMARCyour policy against spoofing

Domain-based Message Authentication, Reporting & Conformance

Domain-based Message Authentication, Reporting & Conformance takes SPF and DKIM and joins them with a policy: what to do when someone sends using your domain without authorization. It's what closes the authentication loop.

arrobaMail · DeliverabilityDMARC
Concept

What is DMARC and how does it differ from SPF/DKIM?

DMARC (RFC 7489) doesn't authenticate on its own. What it does is tell the receiver "when an email fails both SPF and DKIM aligned with my domain, do X." That X is the policy.

The three possible policies: p=none (do nothing, just report to me), p=quarantine (send it to spam), and p=reject (reject it outright).

Beyond the policy, DMARC enables reports: the receiver sends you XML files with every sending attempt using your domain. That shows you real spoofing, includes you're missing, and subdomains you don't control.

Anatomy

Anatomy of a DMARC record

Real example

_dmarc.tudominio.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; sp=quarantine; adkim=s; aspf=s"
v=DMARC1

Version

Indicates this is a DMARC version 1 record.

p=quarantine

Main policy

p=none (monitoring), p=quarantine (to spam), or p=reject (rejection). You always start with none.

Aggregate reports

Email address where you receive daily aggregate reports from receivers (XML files).

pct=100

Percentage

What percentage of emails the policy applies to. You start at pct=10 if you want to go gradually.

sp=quarantine

Subdomain policy

Policy for subdomains. If not specified, they inherit the main one.

adkim=s · aspf=s

Strict alignment

s = strict (exact match). r = relaxed (relaxed match, default). Start with relaxed.

Step by step

How to set it up correctly

Steps in order. Skipping one usually leads to problems that take days to diagnose.

  1. 01

    Make sure SPF and DKIM are OK

    DMARC requires at least one of the two to be aligned with your domain. If SPF is broken and DKIM is too, DMARC will fail across the board.

  2. 02

    Publish DMARC with p=none at first

    Start with pure monitoring: v=DMARC1; p=none; rua=mailto:[email protected]. You're not blocking anything, just receiving reports.

    Tip: This is crucial. Skipping this step and going straight to quarantine is the #1 cause of lost legitimate emails.

  3. 03

    Analyze the reports for 2-4 weeks

    The XML reports that arrive at rua= show which servers send on your behalf, which pass SPF/DKIM and which don't. You'll detect missing includes and possible spoofers.

    Tip: There are tools that parse the XML files automatically (Postmark DMARC, Dmarcian, Valimail).

  4. 04

    Fix gaps in SPF and DKIM

    If you see legitimate servers that aren't passing, add them to SPF and set up DKIM for them. If you see spoofers, you already have the data to escalate later.

  5. 05

    Move up to p=quarantine with gradual pct

    When the reports show that 95%+ of your emails are authenticated, move up to p=quarantine pct=10. Then pct=25, 50, 100. Only move to p=reject once everything is clean.

Common mistakes

What breaks often (and how to fix it)

Jumping from p=none to p=reject

Going straight to reject without monitoring is a guarantee that you'll lose legitimate emails.

How to fix it: Follow the path: none → quarantine with gradual pct → reject. At least 1 month at each stage.

Not processing the RUA reports

The reports are XML files that arrive in your inbox. Without parsing them, you learn nothing and DMARC adds no value beyond blocking.

How to fix it: Use Dmarcian, Postmark DMARC, Valimail, or your own parser. The reports are gold.

Forgetting about subdomains

If you don't specify sp=, subdomains inherit p=. But if you have subdomains you don't use, it's best to set sp=reject explicitly.

How to fix it: Set sp= explicitly based on actual usage. Unused subdomains go straight to sp=reject.

Strict alignment with relaxed SPF/DKIM

If you set adkim=s or aspf=s but your platform uses subdomains for tracking, alignment fails and DMARC blocks.

How to fix it: Start with adkim=r and aspf=r (relaxed). Move to strict only once you've confirmed it doesn't break anything.

Verification

How to confirm it's set up right

Three ways to check — from your terminal or online tools. If all of them return OK, you're done.

01

Linux/Mac terminal

dig TXT _dmarc.tudominio.com +short

Returns the published DMARC record.

02

Test email to Gmail

Headers > Show original > DMARC

Shows "dmarc=pass action=none header.from=yourdomain.com".

03

Online

mxtoolbox.com/dmarc.aspx

Record validation + diagnostics for related SPF/DKIM.

How arrobaMail handles it

At arrobaMail, we help you build your DMARC record, interpret your first reports, and stage the migration from p=none to p=reject without breaking your legitimate sends.

Frequently asked questions

What people ask most about DMARC

Yes, they're different things. SPF and DKIM authenticate. DMARC applies a policy on top of what happens when they fail. Without DMARC, each receiver decides on its own what to do with an email that fails authentication.

When reports show that 99%+ of your legitimate emails are authenticating OK and you've monitored without surprises for several weeks. There's no rush: p=quarantine already protects against phishing.

It means the visible Header-From domain (what the user sees) matches the domain authenticated by SPF/DKIM. Without alignment, DMARC fails even if SPF and DKIM individually pass.

No. Aggregate reports are statistics: how many emails, from which IPs, with what results. They don't include content. Forensic reports (RUF) do, but almost no one sends them for privacy reasons.

Gmail, Yahoo, and Microsoft are tightening requirements for bulk senders (more than 5,000 emails/day). Without DMARC, you'll increasingly be sent to spam or blocked outright. What used to be optional is now virtually mandatory.

Get started with arrobaMail
in under 5 minutes.

Free plan, AI generations included, no credit card required — and real support from a real team.

Try it free now
WhatsAppOur team replies