What Is DMARC (Domain-based Message Authentication, Reporting & Conformance)?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens when an email fails authentication checks. While SPF and DKIM verify whether an email is legitimate, DMARC tells receiving servers what to do with emails that fail those checks: accept them, quarantine them, or reject them entirely. DMARC also provides a reporting mechanism that gives domain owners visibility into who is sending email using their domain.
A DMARC record is published as a DNS TXT record on the _dmarc subdomain (e.g., _dmarc.yourdomain.com). A typical record looks like: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100. The p= tag specifies the policy: none (monitor only, take no action), quarantine (route failing emails to spam), or reject (block failing emails entirely). The rua= tag specifies where aggregate reports should be sent, and pct= defines what percentage of failing emails the policy applies to.
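The following is an added example, not code from this page or from Prospect AI: a small Python checker that splits a DMARC TXT value into its tags and flags the mistakes that most often weaken a record. The function name and the wording of the problem messages are assumptions made for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
PAGE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"

def parse_dmarc(txt):
    """Return (tags, problems) for the text of a _dmarc TXT record."""
    tags, problems = {}, []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    # The version tag must come first, or receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append(f"p= must be one of {sorted(VALID_POLICIES)}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct= must be an integer 0-100, got {pct!r}")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        problems.append(f"{policy} applies to only {pct}% of failing mail")
    # rua= is a comma-separated list of report URIs.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua= address: no aggregate reports will arrive")
    problems += [f"rua= entry is not a mailto: URI: {u!r}"
                 for u in rua if not u.lower().startswith("mailto:")]
    return tags, problems

if __name__ == "__main__":
    print(parse_dmarc(PAGE_RECORD))
```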
DMARC has become essential for B2B outbound email. In February 2024, Google and Yahoo implemented requirements mandating that bulk senders (those sending 5,000+ emails daily) must have DMARC configured. Even for senders below this threshold, DMARC significantly impacts deliverability because it signals to receiving servers that you take email authentication seriously. A domain with p=reject tells the world that any email failing SPF and DKIM alignment is unauthorized and should be blocked; this is the strongest trust signal available.
The concept of alignment is central to DMARC. It requires that the domain in the From header (what the recipient sees) matches the domain authenticated by either SPF or DKIM. This prevents attackers from passing SPF with their own domain while spoofing your domain in the From header. DMARC alignment can be relaxed (subdomains match the organizational domain) or strict (exact domain match required).
Implementation should follow a phased approach: start with p=none to collect reports and identify all legitimate sending sources, move to p=quarantine once all sources are authenticated, and finally advance to p=reject for maximum protection. Prospect AI guides teams through this progression as part of domain setup, ensuring all outbound infrastructure passes DMARC before launching campaigns.
Key takeaways
1. DMARC tells receiving servers what to do when emails fail SPF and DKIM checks: none, quarantine, or reject
2. Google and Yahoo now require DMARC for bulk senders, making it essential for outbound deliverability
3. DMARC alignment ensures the visible From domain matches the domain authenticated by SPF or DKIM
4. Implement in phases: monitor (p=none), then quarantine, then reject once all senders are properly authenticated
Frequently asked questions
What DMARC policy should I use for outbound sales?
Aim for p=reject as your end state; it provides maximum deliverability benefit and brand protection. Start with p=none for 2-4 weeks to collect reports and identify all legitimate sending sources. Move to p=quarantine for another 2-4 weeks, then advance to p=reject once you confirm no legitimate emails are failing.
What are DMARC reports and how do I read them?
DMARC aggregate reports (rua) are XML files sent daily by receiving servers, showing which IP addresses sent email using your domain and whether they passed or failed SPF, DKIM, and DMARC. Use free tools like DMARC Analyzer, Postmark's DMARC tool, or dmarcian to parse these reports into readable dashboards.
Can DMARC cause legitimate emails to be blocked?
Yes, if configured without proper preparation. Moving to p=reject before all legitimate sending sources pass SPF and DKIM alignment will cause those emails to be blocked. This is why phased implementation starting with p=none is critical; it lets you discover and fix authentication gaps before enforcement begins.
Do I need DMARC for each sending domain?
Yes. Each domain you send email from needs its own DMARC record. For outbound sales teams using multiple domains (a common practice to protect the primary domain), every domain needs SPF, DKIM, and DMARC properly configured. Subdomains inherit the parent domain's DMARC policy unless they have their own record.