Last Updated 5th April 2026

What Is DMARC and How Does It Work?

Learn what DMARC is, how DMARC uses SPF and DKIM alignment, what policy modes mean, and how DMARC helps prevent domain spoofing.

What DMARC is

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication and policy framework designed to reduce spoofing and phishing that abuse your domain in the visible From address.

DMARC works by building on SPF and DKIM. A message can satisfy DMARC if SPF or DKIM passes and the authenticated domain aligns with the visible From domain.

That alignment requirement is the key difference. SPF and DKIM provide signals, while DMARC turns those signals into an enforceable policy tied to brand identity.

How DMARC works

  • The receiver checks SPF against the sending IP and envelope sender domain
  • The receiver checks DKIM signatures for validity and signing domain
  • The receiver tests whether SPF and/or DKIM align with the visible From domain
  • The published DMARC record tells the receiver how to treat messages that fail

This means you can have mail that passes SPF but still fails DMARC because the authenticated domain does not match the domain users actually see in the From header.

DMARC policy modes

  • p=none monitors mail flow and requests reporting without enforcement
  • p=quarantine asks receivers to treat failing mail as suspicious
  • p=reject asks receivers to reject failing mail outright

Most organisations move through these modes gradually. Monitoring with p=none is usually the safest starting point because it reveals unknown senders before enforcement begins.
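The receiver-side steps under "How DMARC works" and the policy modes above can be combined into one evaluation. The sketch below is an added example, not code from this page or from any DMARC implementation. It assumes SPF and DKIM results are already computed and passed in, uses the `aspf`/`adkim` alignment tags from RFC 7489 (relaxed by default), approximates the organizational domain with a small constructed suffix set instead of the real Public Suffix List, and ignores the `sp` and `pct` tags. All function names and sample domains are hypothetical.

```python
# Added example: DMARC evaluation over SPF/DKIM results the receiver already has.
# Constructed stand-in for the Public Suffix List that real receivers consult.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest listed suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is listed

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary."""
    parts = [p.partition("=") for p in record.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim, record):
    """spf: (result, envelope sender domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, policy the receiver is asked to apply or None)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", None
    return "fail", tags["p"]

# Constructed sample: a vendor sends as example.com using its own bounce domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
if __name__ == "__main__":
    # SPF passes, but for the vendor's domain, so DMARC fails.
    print(evaluate("example.com", ("pass", "bounce.mailvendor.net"), [], RECORD))
    # Adding an aligned DKIM signature is enough for DMARC to pass.
    print(evaluate("example.com", ("pass", "bounce.mailvendor.net"),
                   [("pass", "mail.example.com")], RECORD))
```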

Why DMARC matters

DMARC helps protect customers, staff, and partners from spoofed email that looks as if it comes from your domain. It also improves visibility into your real sending ecosystem by generating aggregate reports from participating receivers.

For many teams, that reporting is just as valuable as the enforcement. It exposes forgotten vendors, shadow SaaS tools, forwarding issues, and domains that are not fully aligned.

What to check before enforcing DMARC

  • Every legitimate sender is authorised in SPF and/or signs with DKIM
  • The authenticated domain aligns with the visible From domain
  • Aggregate reports are being collected and reviewed
  • Your mailbox can handle report volume and third-party report destinations are authorised if required
  • You have tested major senders such as Microsoft 365, Google Workspace, marketing tools, help desks, and ticketing systems
