What Is DMARC (Domain-based Message Authentication, Reporting & Conformance)?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens when an email fails authentication checks. While SPF and DKIM verify whether an email is legitimate, DMARC tells receiving servers what to do with emails that fail those checks: accept them, quarantine them, or reject them entirely. DMARC also provides a reporting mechanism that gives domain owners visibility into who is sending email using their domain.

A DMARC record is published as a DNS TXT record on the _dmarc subdomain (e.g., _dmarc.yourdomain.com). A typical record looks like: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100. The p= tag specifies the policy: none (monitor only, take no action), quarantine (route failing emails to spam), or reject (block failing emails entirely). The rua= tag specifies where aggregate reports should be sent, and pct= defines what percentage of failing emails the policy applies to.

DMARC has become essential for B2B outbound email. In February 2024, Google and Yahoo implemented requirements mandating that bulk senders (those sending 5,000+ emails daily) must have DMARC configured. Even for senders below this threshold, DMARC significantly impacts deliverability because it signals to receiving servers that you take email authentication seriously. A domain with p=reject tells the world that any email failing both SPF and DKIM alignment is unauthorized and should be blocked. This is the strongest trust signal available.

The concept of alignment is central to DMARC. It requires that the domain in the From header (what the recipient sees) matches the domain authenticated by either SPF or DKIM. This prevents attackers from passing SPF with their own domain while spoofing your domain in the From header. DMARC alignment can be relaxed (subdomains match the organizational domain) or strict (exact domain match required).

Implementation should follow a phased approach: start with p=none to collect reports and identify all legitimate sending sources, move to p=quarantine once all sources are authenticated, and finally advance to p=reject for maximum protection. Prospect AI guides teams through this progression as part of domain setup, ensuring all outbound infrastructure passes DMARC before launching campaigns.
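The following Python code is an added example, not part of the original page or any vendor's product. It shows how a receiver could read the record above and apply the alignment check in relaxed and strict mode. The adkim and aspf tags are the standard DMARC alignment-mode tags (relaxed by default); the function names and the two-label organizational-domain shortcut are assumptions for illustration, and pct is parsed but not used for sampling.

```python
# Added example: parse a DMARC record and evaluate identifier alignment.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into tags and validate the ones described above."""
    pairs = [part.split("=", 1) for part in txt.split(";") if part.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("malformed tag (expected name=value)")
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    first = pairs[0][0].strip().lower() if pairs else ""
    if first != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return {
        "p": tags["p"].lower(),
        "pct": pct,  # parsed and range-checked only; sampling is not modelled
        "rua": tags.get("rua"),
        "adkim": tags.get("adkim", "r").lower(),  # r = relaxed (default), s = strict
        "aspf": tags.get("aspf", "r").lower(),
    }

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the
    # Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """True if auth_domain (None = that check did not pass) aligns with From."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass' when SPF or DKIM aligns, otherwise the published policy."""
    policy = parse_dmarc(record)
    if aligned(from_domain, spf_domain, policy["aspf"]) or \
       aligned(from_domain, dkim_domain, policy["adkim"]):
        return "pass"
    return policy["p"]

# Constructed sample: the record shown in the text above.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"
```

A message that passes SPF for an unrelated domain still gets the published policy here, because SPF passing without alignment does not satisfy DMARC.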

Key Takeaways

  1. DMARC tells receiving servers what to do when emails fail SPF and DKIM checks: none, quarantine, or reject

  2. Google and Yahoo now require DMARC for bulk senders, making it essential for outbound deliverability

  3. DMARC alignment ensures the visible From domain matches the domain authenticated by SPF or DKIM

  4. Implement in phases: monitor (p=none), then quarantine, then reject once all senders are properly authenticated
