DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to tell receiving mail servers what to do when authentication fails. It also provides a reporting mechanism so domain owners can see who is sending email on their behalf.
The DMARC record
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com.
Example:
v=DMARC1; p=reject; rua=mailto:dmarc@suped.com; adkim=r; aspf=r; fo=1;
Tags
| Tag | Purpose | Values |
|---|---|---|
| v | Version (required) | DMARC1 |
| p | Policy (required) | none (monitor only), quarantine (send to spam), reject (block) |
| rua | Aggregate report recipients | Comma-separated mailto: addresses |
| ruf | Forensic report recipients | Comma-separated mailto: addresses |
| adkim | DKIM alignment mode | r (relaxed, default) or s (strict) |
| aspf | SPF alignment mode | r (relaxed, default) or s (strict) |
| pct | Percentage of emails to apply policy to | 1-100 (default 100) |
| sp | Subdomain policy | none, quarantine, or reject (overrides p for subdomains) |
| fo | Failure reporting options | 0 (both fail), 1 (either fails, recommended), d (DKIM fails), s (SPF fails) |
Alignment
DMARC requires that the domain checked by SPF or DKIM matches the From header domain.
- Relaxed - Organizational domain match. mail.example.com aligns with example.com.
- Strict - Exact domain match only. mail.example.com does not align with example.com.
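The tag defaults and the two alignment modes described above, as an added Python example (not code from this page or from Suped): it parses a record, applies the defaults, and checks whether an SPF or DKIM domain aligns with the From domain. The function names and the small PUBLIC_SUFFIXES set are assumptions for illustration; a real organizational-domain lookup uses the full Public Suffix List.

```python
# Added example. PUBLIC_SUFFIXES is a tiny constructed stand-in for the
# Public Suffix List, which a real organizational-domain lookup would use.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}
ALLOWED = {"p": {"none", "quarantine", "reject"},
           "sp": {"none", "quarantine", "reject"},
           "adkim": {"r", "s"}, "aspf": {"r", "s"}}
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@suped.com; adkim=r; aspf=r; fo=1;"


def parse_dmarc(txt):
    """Return the record's tags with defaults applied; ValueError if invalid."""
    pairs = [part.split("=", 1) for part in txt.split(";") if part.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("malformed tag, expected name=value")
    pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {**DEFAULTS, **dict(pairs)}
    if "p" not in tags:
        raise ValueError("missing required p tag")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name] not in allowed:
            raise ValueError(f"invalid value for {name}: {tags[name]!r}")
    if not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        raise ValueError("pct must be a whole number up to 100")
    return tags


def org_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not in the constructed set


def aligned(from_domain, auth_domain, mode):
    """'s' requires an exact match, 'r' the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_pass(tags, from_domain, spf=None, dkim=None):
    """spf/dkim: the domain each check passed for, or None if it failed."""
    return ((spf is not None and aligned(from_domain, spf, tags["aspf"])) or
            (dkim is not None and aligned(from_domain, dkim, tags["adkim"])))
```

A message whose SPF check passes for an unrelated bounce domain still passes DMARC here if its DKIM signing domain aligns, because only one of the two mechanisms has to align.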
Recommended rollout path
- p=none - Monitor traffic without affecting delivery. Review DMARC reports to identify all legitimate sending sources.
- p=quarantine - Start sending unauthenticated email to spam. Use pct for gradual rollout.
- p=reject - Block all unauthenticated email. Full protection against spoofing.
DMARC reports
ISPs send daily aggregate reports (XML) to the addresses in your rua tag. These reports show which IPs sent email using your domain and whether authentication passed or failed. Suped processes these reports automatically and presents them in a readable format.