What is DMARC? (Domain-based Message Authentication)

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication standard built on top of SPF and DKIM that lets a domain owner tell receiving servers what to do with mail that fails authentication — monitor, quarantine, or reject — and to receive aggregate reports on who is sending mail using their domain.

How DMARC works

DMARC is a DNS TXT record at _dmarc.yourdomain.com. It does two jobs. First, it tells receiving servers what to do with mail that fails authentication, through the p= policy tag. Second, it asks those receivers to send back aggregate reports (the rua= tag) listing who is sending mail using your domain and whether it passed — which is how you discover shadow senders before you enforce.

The three policies

  • p=none — monitor only. Delivery is unchanged, but you start receiving reports. Every domain should begin here.
  • p=quarantine — treat failing mail as suspicious, usually routing it to the spam folder.
  • p=reject — refuse failing mail outright. This is the end goal for a domain you want fully protected against spoofing.

Alignment is the point

A message can pass raw SPF or DKIM and still fail DMARC. DMARC additionally requires alignment: the domain that SPF or DKIM authenticated must match the domain in the visible From: header. Without alignment, an attacker could pass authentication on a domain they control while spoofing yours in the From: line. Alignment closes that gap.
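To make the record tags and the alignment rule concrete, here is an added Python example (not PostStack's code) that parses a _dmarc TXT record and evaluates a message the way a receiving server would. The record strings and domains are constructed, and organizational-domain matching for relaxed alignment is simplified to the last two labels rather than the Public Suffix List.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as
    'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers consult the Public Suffix List (co.uk needs three labels).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match with the From: domain.
    Relaxed ('r', the default): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_domain: str, spf_pass: bool,
                   dkim_domain: str, dkim_pass: bool) -> tuple:
    """Return (dmarc_result, disposition).

    spf_domain is the envelope MAIL FROM domain that SPF checked;
    dkim_domain is the d= tag of the signature that DKIM verified.
    DMARC passes only if at least one of them passed AND is aligned with
    the visible From: domain; otherwise the p= policy decides disposition."""
    tags = parse_dmarc_record(record)
    spf_ok = bool(spf_pass and spf_domain and
                  aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain and
                   aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "spam-folder",
                   "reject": "reject"}[tags["p"].lower()]
    return "fail", disposition
```

The third assertion in the test below is the case the text describes: SPF and DKIM both pass for a domain the sender controls, yet DMARC fails because neither identifier aligns with the spoofed From: domain.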

Rolling out safely

Start at p=none and read the aggregate reports for two to four weeks. Confirm every legitimate service — your email API, invoicing tool, support desk, newsletter platform — is authenticating and aligned. Only then move to quarantine, and later reject. Jumping straight to reject is the most common way teams block their own mail. PostStack parses DMARC aggregate reports for you and surfaces them in the deliverability dashboard so the progression is evidence-based.

Frequently asked questions

What are the three DMARC policies?

p=none monitors only — it changes nothing about delivery but turns on reporting, and is where every domain should start. p=quarantine tells receivers to treat failing mail as suspicious (usually routing it to spam). p=reject tells them to refuse failing mail outright. The intended path is none → quarantine → reject as you confirm from reports that legitimate mail passes.

What is DMARC alignment?

Alignment requires that the domain authenticated by SPF or DKIM matches the domain in the visible From: header. A message can pass raw SPF or DKIM yet still fail DMARC if those checks authenticate a different domain than the one the recipient sees. Alignment is what stops an attacker from passing authentication on their own domain while spoofing yours in the From line.

Why should I start DMARC at p=none?

Because p=none lets you collect aggregate reports and discover every service legitimately sending on your behalf — newsletters, invoicing tools, support desks — before you enforce. Jumping straight to p=reject without that visibility is the most common way teams accidentally block their own transactional or marketing email.

EU-hosted email with auth done for you

PostStack publishes SPF, DKIM, and DMARC automatically and runs entirely on EU infrastructure. 3,000 emails/month free.