Glossary · Email Infrastructure

DMARC

Domain-based Message Authentication, Reporting and Conformance. The policy that ties SPF and DKIM together and tells receivers what to do when authentication fails.

DMARC (Domain-based Message Authentication, Reporting and Conformance), defined in RFC 7489, is an email authentication policy that builds on SPF and DKIM. DMARC tells receiving mail servers what to do when an inbound message fails authentication: deliver it normally (p=none), quarantine it to spam (p=quarantine), or reject it entirely (p=reject). Since 2024, Gmail and Yahoo require a DMARC record (at minimum p=none) on any domain sending more than 5,000 messages per day to their users.

How does DMARC actually work?

DMARC introduces the concept of alignment. SPF checks the envelope-from (the technical bounce address); DKIM checks the message signature. DMARC requires that at least one of these pass for a domain that matches the visible From header the recipient sees. So if your visible From is noreply@yourdomain.com but SPF authenticates bounces@mailgun.net, SPF fails alignment; unless an aligned DKIM signature passes, DMARC fails and the receiver applies your published policy.

The DMARC record lives as a TXT record at _dmarc.yourdomain.com. A minimal record looks like v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. The rua tag tells receivers where to send aggregate reports, which are XML files showing how your domain is being used (and abused) across the internet. Reading these reports surfaces unauthorized senders, misconfigured services, and active spoofing attempts.
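
An added example, not part of the original glossary entry: a Python script that reads one aggregate report and lists the sending IPs whose mail failed DMARC. The report is constructed and assumed to be already decompressed and free of an XML namespace; element names follow the RFC 7489 aggregate report schema, and the IPs are documentation addresses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (trimmed). Real reports come from third parties:
# parse them with a hardened XML parser such as defusedxml in production.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>mailgun.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: stats}; dmarc_pass means aligned SPF or aligned DKIM passed."""
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"count": 0, "dmarc_pass": True, "spf_domains": set(), "dkim_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated carries the alignment-aware verdicts; auth_results the raw ones
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = stats[ip]
        entry["count"] += int(rec.findtext("row/count"))
        entry["dmarc_pass"] = entry["dmarc_pass"] and aligned
        entry["spf_domains"].update(d.text for d in rec.iterfind("auth_results/spf/domain"))
        entry["dkim_domains"].update(d.text for d in rec.iterfind("auth_results/dkim/domain"))
    return dict(stats)

def failing_sources(report_xml):
    """Source IPs whose mail would be quarantined or rejected under an enforcing policy."""
    return sorted(ip for ip, s in summarize(report_xml).items() if not s["dmarc_pass"])

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_REPORT).items():
        print(ip, s["count"], "pass" if s["dmarc_pass"] else "FAIL", sorted(s["spf_domains"]))
```

The first record is the mailgun.net case described above: raw SPF passes for an unaligned domain, but the aligned DKIM signature carries DMARC. The second source passes raw SPF for its own domain yet fails DMARC, which marks it as either a legitimate sender still to be configured or a spoofing source.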

What policy mode should you use?

Roll out enforcement in three phases. First, start with p=none for 4-8 weeks to collect reports without affecting mail flow. Audit the reports to identify all legitimate senders (CRM, marketing, transactional, sales) and confirm each is authenticated through SPF or DKIM. Second, move to p=quarantine at 25% (pct=25) and gradually ramp to 100%, watching reports for legitimate mail being filtered. Third, once stable, move to p=reject. The full enforcement journey typically takes 3-6 months for a mid-sized organization. Reject-mode DMARC is the gold standard for outbound senders and brand-protection programs.

Related questions

Is DMARC required for cold outreach?

Effectively yes. As of February 2024, Gmail and Yahoo bulk-sender rules require DMARC on any domain sending more than 5,000 messages per day. Most outbound platforms hit that threshold within weeks. Modern cold outreach without DMARC will land in spam.

What's the difference between p=quarantine and p=reject?

p=quarantine tells the receiver to deliver failing mail to the spam folder. p=reject tells the receiver to block it at the gateway. Reject is stricter and prevents the recipient from ever seeing the spoofed email; quarantine still lets the recipient retrieve it from spam if they look.

What is BIMI and how does it relate to DMARC?

BIMI (Brand Indicators for Message Identification) is a standard that lets your verified brand logo appear next to your email in supported inboxes (Gmail, Apple Mail). BIMI requires DMARC at p=quarantine or p=reject with full enforcement, plus a Verified Mark Certificate (VMC). It's mostly used by consumer brands and large enterprises for inbox visibility and anti-phishing.
