What is DMARC? 10 common DMARC questions answered

Email is one of the most common forms of business communication exploited by cybercriminals to attempt phishing and spamming. But, businesses can protect this vital channel by implementing SPF, DKIM, and DMARC– the pillars of email authentication. This blog focuses on answering the 10 most common DMARC questions.

What is DMARC?

DMARC is an email authentication system that prevents cybercriminals from compromising your business’s email domain. It’s built on existing protocols, SPF and DKIM, where you set DMARC policy to none, quarantine, or reject to decide how recipients’ mail servers should treat emails failing SPF and/or DKIM checks.

It was developed by a group of contributors from PayPal and Bank of America, among other financial institutions, joining hands with Google, Microsoft, and Yahoo! and was initially adopted by security experts in the finance domain. Currently, most technology-driven companies are investing in DMARC services and tools irrespective of their industry as it promotes online security, prevents exact domain impersonation, and improves email deliverability rate.

What Does DMARC Stand For?

DMARC stands for Domain-based Message Authentication Reporting and Conformance. Its enforcement policies protect your domain against abuse in phishing or spoofing attacks.

What is a DMARC Record?

A DMARC TXT record is a text entry in the DNS that instructs the worldwide email servers about your DMARC policy. It also contains information about whom to send XML reports to tell how your email is proceeding through the ecosystem. You must monitor these DMARC reports to detect unidentified and suspicious activities attempted using your domain name. 

A usual DMARC TXT record looks like this:

v=DMARC1; p=none; rua=mailto:example@xyzdomain.com 


  • v (version tag) represents the version of the protocol, and currently, there’s only one version. So, the value is always v=DMARC1
  • p (policy tag) shows the domain policy (none, quarantine, or reject) to recipients’ email servers to direct how to treat emails failing SPF and DKIM checks
  • The rua tag contains a comma-separated list of email addresses defining where receivers should send aggregate reports

What is a DMARC Policy?

A DMARC policy lets you specify how recipients’ mail servers treat emails failing SPF and DKIM verification checks while also reporting back to the domain owner. 

There are three policies for DMARC enforcement:

None policy (p=none)

This policy doesn’t protect against phishing as all the emails (passed and failed) land in the receiver’s inbox. It’s set only in the initial stage of DMARC implementation as it doesn’t affect email delivery.

Quarantine policy (p=quarantine)

As per the quarantine policy, the domain owner prompts the recipient’s mailbox to mark failed emails as spam.

Reject policy (p=reject)

Lastly, the reject policy completely bars the entry of unqualified emails to the recipient’s mailbox, thereby proffering absolute enforcement.

How Does DMARC Work?

SPF and DKIM are the pillars for DMARC and work in conjunction with each other to verify a sender’s authenticity to prevent phishing, spoofing and other email-based cyberattacks. Here’s how the entire process flows:

  • You start by creating and publishing a properly configured DMARC record to your DNS
  • When an email is sent from your domain, the recipient’s mail server checks if a DMARC record corresponds to the domain
  • The mail server performs SPF and DKIM authentication and alignment checks to determine the sender’s genuineness. They verify if:
    • the message has a valid DKIM signature, and was signed by the same domain as the from
    • the sender’s IP address belongs to the list of authorized IP addresses added to the SPF record
    • the email header passes the domain alignment test
  • Depending upon the SPF and DKIM verification results, the DMARC policy is applied
  • Lastly, DMARC Aggregate Reports are sent to email addresses mentioned in your domain’s DMARC TXT record

Does DMARC Require Both SPF and DKIM to Work?

No, you can set up DMARC with either SPF or DKIM; it’s not necessary to implement both protocols. However, this deployment practice isn’t encouraged because a multilayered security approach is more effective in protecting your domain against cyberattacks.

If you are configuring it without DKIM and have only SPF in place, then DKIM checks will always fail and DMARC verification results are up to SPF check and SPF identifier alignment

However, in this case, legitimate emails sent from your domain will experience false negatives on forwarding since the intermediate server’s IP address won’t be listed in your SPF record. This will cause both SPF and DKIM checks to fail. 

If you were to deploy only DKIM, then SPF check would always fail and the results will be on the basis of DKIM identifier alignment.

What are the Benefits of DMARC?

When implemented at a policy of p=reject, DMARC helps businesses avoid phishing, spamming, and domain spoofing. Without its implementation, cybercriminals can send fraudulent emails on behalf of your company and request recipients to share sensitive details that can be misused. This can tarnish your business reputation which can consequently impact sales, customer-relationship, stock rates, employee retention, etc.

Not just this, but DMARC also improves your domain’s email deliverability rate, ensuring no genuine message lands in the spam folder or gets completely rejected by intended recipients’ mailboxes. Imagine how badly your marketing and PR campaigns could fail if genuine emails sent from your domain didn’t reach the intended recipients’ inbox folders.

How to Setup DMARC?

To completely understand the DMARC meaning and working process, you must know how to set it up in the first place. You can follow the steps below for DMARC email protection. But be warned – implementing DMARC alone can be a complicated and potentially damaging process, as if done incorrectly, could negatively impact your deliverability rates.

  1. Login to your DNS hosting provider and create a DMARC TXT record.
  2. Select TXT DNS record type.
  3. Add host value. Most probably you will enter the value _dmarc and your hosting provider will automatically append the domain or subdomain followed by the value.
  4. Enter v, p and rua tag values, along with other optional values if you want. Please note that each tag should be separated by semicolons. 
  5. Hit the create or save button and your DMARC record will be generated.
  6. Lastly, check your DMARC setup using our free investigate tool.

How to Read DMARC Reports?

A DMARC report is usually sent once a day to email addresses added to the record. These are in XML format and consist of report metadata and one or more records. This is what you can expect from it:

  • The total number of emails sent from one IP address for the report time period.
  • The results of SPF, DKIM, and DMARC checks.
  • Actions taken by a receiver which is against the nature of the policy set. For example, moving an email from the spam folder to the inbox.

A major problem with raw DMARC reports is that they can be complex and disjointed, which is why many companies look to use a reliable DMARC service or tool to display the results of these reports simply and coherently. To view your DMARC reports quickly and easily, you can start your free OnDMARC trial here. 

Is DMARC Necessary?

DMARC isn’t necessary for email authentication. You can deploy SPF and/or DKIM only, however, that won’t be too effective against email-based cyberattacks.

A strong DMARC policy of p=reject mitigates cyberattacks attempted by impersonating business owners, employees, or third-party vendors using your domain for sending emails. It decreases the probability of BEC and domain spoofing attacks while also ensuring a good deliverability rate.

Get to full DMARC protection fast

Understanding DKIM and SPF meaning is important before deploying DMARC as it works in conjunction with them. You can start by setting your DMARC policy to none, where no action is taken against the failed emails. Later, you can set it to quarantine or reject to ensure nobody receives fraudulent emails from your domain. But if you want to get to full DMARC protection and reap the benefits, then get started with OnDMARC today, the only DMARC solution to get you to p=reject in weeks, not months.


Faisal Misle

3 Apr. 2023



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more