All you need to know about DMARC

You can think of DMARC as a contract for cooperation between you (the domain owner) and the inbox providers who receive your mail (Microsoft, Google, and many others).

It sets shared rules for:

  • how your domain’s email should be verified (authentication),
  • what to do with emails that can't be verified (enforcement), and
  • how recipients report back (monitoring).

Let’s unpack those ideas.

Authentication: Proving your mail is really yours

When an email is sent on behalf of your domain, the recipient’s mail server wants to make sure it’s actually from you — not from a bad actor pretending to be you.

DMARC builds on two earlier standards that do the technical legwork:

  • SPF tells the world which servers are allowed to send mail on behalf of your domain.
  • DKIM adds a digital signature to each message so receivers can confirm it was authorized by you and wasn’t changed along the way.

For a message to count as authenticated, which we call “DMARC compliant,” it must

  1. pass either SPF or DKIM, and
  2. be aligned: the domain used by at least one passing check must match the domain in the “From” line, the address people actually see.

When a message doesn’t meet those conditions, DMARC gives you, the domain owner, a way to signal inbox providers how to treat that mail.

Enforcement: Deciding what happens to failures

Once DMARC is in place, you choose a policy that tells inbox providers how strictly to handle mail that fails authentication.

There are three levels:

  • p=none – just report back; don’t block or reject anything yet.
  • p=quarantine – send non-compliant mail to the spam folder.
  • p=reject – stop non-compliant mail before it reaches anyone’s inbox.

It is recommended to start with p=none to gather information safely before enforcing stricter rules that may block legitimate traffic. Over time, as you fix legitimate sources that fail checks, you can move toward p=quarantine or p=reject. That’s when DMARC becomes a real defense, not just a diagnostic tool.

Monitoring: Learning from DMARC reports

If your DMARC record asks for them, inbox providers send you daily summaries called “aggregate reports.”

They show:

  • how many emails were sent from each IP address,
  • whether those messages passed SPF and/or DKIM, and
  • how they were handled by the recipient (accepted, quarantined, rejected).

These reports come as XML files — technically rich, but not exactly readable. And while they contain valuable clues, they lack context: an IP address alone doesn’t tell you which service sent the mail, what organization owns it, or whether it’s expected. On top of that, each provider sends its own reports, so to get the full picture you have to combine all of them.

That’s why most people rely on dedicated platforms to collect, organize, and visualize these reports. They make it possible to actually understand how your domain is being used — or abused — and to make confident decisions about tightening your DMARC policy over time.
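To show what reading one of those XML reports actually involves, here is an added example that is not part of the original article: it parses a constructed aggregate report in the RFC 7489 format with Python's standard library and tallies, per source IP, how much mail was DMARC compliant, how much passed a raw SPF or DKIM check without aligning to the “From” domain, and which disposition the receiver applied. The domain names, IP addresses and counts are constructed.

```python
# Added example (not from the original article): summarize a DMARC aggregate report.
# SAMPLE_REPORT is a constructed RFC 7489 aggregate report with two sending sources.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bulkmailer.example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def summarize(report_xml):
    """Return (published policy, {source_ip: tallies}) for one aggregate report.
    A record is DMARC compliant only when the *aligned* DKIM or SPF result in
    policy_evaluated is 'pass'. A raw pass in auth_results for some other domain
    (the second record: SPF passes for the bulk mailer's own domain) is not enough."""
    root = ET.fromstring(report_xml)  # for reports from third parties, prefer defusedxml
    policy = root.findtext("policy_published/p")
    summary = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        raw_pass = any(r.findtext("result") == "pass" for r in rec.findall("auth_results/*"))
        e = summary.setdefault(ip, {"total": 0, "compliant": 0, "unaligned_pass": 0, "dispositions": {}})
        e["total"] += n
        e["compliant"] += n if aligned else 0
        e["unaligned_pass"] += n if (raw_pass and not aligned) else 0
        disp = pe.findtext("disposition")
        e["dispositions"][disp] = e["dispositions"].get(disp, 0) + n
    return policy, summary


if __name__ == "__main__":
    policy, per_ip = summarize(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, e in per_ip.items():
        print(f"{ip}: {e['compliant']}/{e['total']} compliant, "
              f"{e['unaligned_pass']} passed without alignment, dispositions={e['dispositions']}")
```

The second source is the case the article warns about: it passes SPF for its own domain, but because that domain does not match the “From” domain, the mail is not DMARC compliant and would be quarantined or rejected once the policy moves past p=none.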

Resources