DMARC tells inbox providers what to do when an email claims to be from your domain but fails authentication. It takes 2 minutes to add and protects your domain from impersonation. Gmail and Yahoo now require it for bulk senders.
DKIM and SPF verify that an email is legitimate. DMARC answers a different question: what should happen to an email that fails those checks?
Without DMARC, an inbox provider receiving a suspicious email from your domain has to make its own judgement call — and it might let the email through. With DMARC, you give explicit instructions: "Monitor it," "send it to spam," or "reject it outright."
DMARC is a single TXT record in your DNS. You start in monitor mode (so nothing gets blocked while you're getting set up) and tighten it over time as you confirm your legitimate sending is passing authentication.
Add this TXT record to your DNS. Replace dmarc@yourdomain.com with a real email address you control — you'll receive aggregate reports there.
At most registrars, the Name field should be just _dmarc (without your root domain). Some require the full value — check your registrar's help docs if unsure.
p=none means "monitor but don't block anything." This is the right starting point — it lets you receive reports and confirm your legitimate sending passes authentication before you start blocking or quarantining anything.
Once you've been running p=none for a week or two and confirmed your reports show only legitimate email, you can tighten the policy:
There's no required timeline. Some senders stay on p=quarantine indefinitely. The important thing is not to jump straight to p=reject before you've confirmed your sending setup is solid.
The rua= tag tells inbox providers where to send aggregate reports — daily summaries of every email that claimed to be from your domain, including whether it passed or failed authentication. These reports arrive as XML attachments.
Use a real email address you check, or a dedicated inbox. You can also use a free DMARC report parser like dmarcian.com or postmaster.google.com to visualise the data in a friendlier format.
In 2024, Google and Yahoo announced that bulk senders (anyone sending more than 5,000 emails per day to Gmail or Yahoo addresses) must have a DMARC record in place. Senders without it risk having their emails rejected by both providers.
Even if you're sending smaller volumes, a DMARC record signals to inbox providers that you're a responsible sender who has thought about authentication. It's a small step that has an outsized positive effect on long-term deliverability.
DMARC checks whether at least one of SPF or DKIM passes and aligns with your From domain. Make sure you've completed DKIM setup first; otherwise, DMARC will report everything as failing.