What is a DMARC record?

A DMARC (Domain-based Message Authentication, Reporting and Conformance) record is a DNS TXT record at _dmarc.yourdomain.com that tells receiving mail servers what to do when email fails SPF and DKIM authentication checks. It also enables reporting so you can see who is sending email using your domain.

What is the difference between DMARC p=none, p=quarantine, and p=reject?

p=none means monitor only — mail that fails authentication is delivered normally but reports are collected. p=quarantine means failing mail goes to the spam folder. p=reject means failing mail is rejected outright and never delivered. The recommended progression is none for 30+ days, then quarantine at pct=10 and gradually increase, then reject.

Why does Google and Yahoo require DMARC?

In 2024, Google and Yahoo mandated DMARC (at minimum p=none) for all bulk senders sending more than 5,000 messages per day. DMARC prevents domain spoofing and phishing — without it, any sender can forge the From address of your domain and potentially damage your brand or send phishing emails in your name.

What are DMARC aggregate reports (rua)?

DMARC aggregate reports are XML files sent to the email address in your rua= tag. They contain data about which mail sources are sending under your domain, SPF and DKIM pass/fail rates, and whether messages were delivered, quarantined, or rejected. They're sent daily by Gmail, Yahoo, Outlook, and other participating receivers.

DMARC Record Checker — Verify DMARC Policy and Alignment Free

DMARC Record Checker: Verify Your Domain's Email Authentication Policy

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that binds SPF and DKIM together and makes email authentication enforceable. Without DMARC, passing SPF and DKIM don't prevent spoofing from the visible From address — anyone can forge your domain in the header recipients actually see. DMARC closes this gap by requiring alignment between the authenticated domain and the visible From address, and by specifying what to do with mail that fails those checks.

How DMARC Works: Alignment and Policy Enforcement

DMARC operates through alignment. For a message to pass DMARC, either the SPF-authenticated domain must align with the From domain, or the DKIM-signing domain must align with the From domain. Relaxed alignment (the default) allows subdomains to align — so if your From domain is yourdomain.com and the DKIM signature is from mail.yourdomain.com, alignment passes. Strict alignment requires an exact match between the authenticated domain and the From domain.

When DMARC alignment fails (neither SPF nor DKIM align with the From domain), the DMARC policy determines what happens: none delivers the mail normally but generates reports, quarantine routes it to the spam folder, and reject rejects it entirely. The policy is per-percentage with the pct= tag — you can apply quarantine to 10% of failing mail initially and increase gradually.

The DMARC Rollout Roadmap

Rushing to p=reject without monitoring first is one of the most common DMARC mistakes. The correct sequence:

p=none with rua= reporting — Deploy for 30–90 days. Collect aggregate reports to identify every sending source using your domain. Look for legitimate services you may have forgotten, and spot any unauthorized senders.
p=quarantine at pct=10 — Apply quarantine to 10% of failing mail. Monitor for any increase in legitimate mail going to spam. If clean, increase pct gradually over 2–4 weeks.
p=quarantine at pct=100 — Full quarantine enforcement. Run for 2–4 weeks while continuing to monitor reports.
p=reject — Maximum protection. Unauthorized senders using your domain have their messages rejected. Use our DMARC Generator to build the record.

2024 Google and Yahoo DMARC Requirements

Since February 2024, Google and Yahoo require DMARC (at minimum p=none with a valid rua= address) for all bulk senders sending more than 5,000 messages per day to Gmail or Yahoo addresses. Senders without DMARC face deferral, and senders without DKIM may face permanent blocking. Microsoft has issued similar requirements for Outlook.com.

The Google/Yahoo requirements are specifically: (1) authenticate with SPF or DKIM, (2) have a DMARC record (any policy), (3) keep spam complaint rates below 0.1%, (4) enable unsubscription in one click. This checker helps verify #2 instantly.

DMARC Aggregate Reports: What They Tell You

The rua= tag in your DMARC record specifies where aggregate reports are sent. Gmail, Outlook, Yahoo, and other large receivers send these XML reports daily. Each report contains: the receiving domain, the date range, the sending IP, SPF and DKIM authentication results, the disposition applied, and the count of messages. Processing these reports reveals who is sending under your domain — both authorized and unauthorized sources.

My DMARC is set to p=reject but I'm still getting spoofed emails. Why?

DMARC p=reject prevents delivery of spoofed mail at DMARC-aware receivers. But not all receivers check DMARC. Older mail servers, some corporate mail systems, and mailing list software may not implement DMARC. Also, look-alike domains (typosquats like y0urdomain.com) are not covered by DMARC — you'd need to register and protect those separately.

What is subdomain policy (sp=) in DMARC?

The sp= tag lets you apply a different policy to subdomains than to the root domain. If you set p=reject but sp=none, mail from subdomains that fails alignment would only be monitored, not rejected. Useful during migration when some subdomains aren't fully configured yet. If sp= is omitted, subdomains inherit the p= policy.

DMARC Record Checker