Glossary
Definition
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that tells receiving mail servers what to do when a message fails SPF or DKIM alignment: do nothing, quarantine it, or reject it. It also asks those servers to send back reports, so a domain owner can see exactly who is sending mail in their name.
We verify billions of email addresses, and the health of the sending domain behind each one shapes whether mail ever lands. DMARC is the policy that decides what happens to messages that fail authentication, and in 2024 it stopped being optional. Here is what DMARC actually is, how it builds on the records you may already have, and how to turn it on without blocking your own mail.
DMARC does not replace SPF or DKIM; it sits on top of them and gives them teeth. SPF publishes which servers are allowed to send for your domain. DKIM attaches a cryptographic signature that proves a message was not tampered with on the way. Each is a useful check, but on its own neither one tells a receiver what to do when the check fails, and neither one is tied to the address your recipient actually sees.
That last point is the heart of DMARC: alignment. A message can pass SPF or DKIM for some unrelated domain while still spoofing your visible From address. DMARC closes that gap by requiring that the domain which passes SPF or DKIM matches the domain in the From header. A message is DMARC-compliant when at least one of the two passes and aligns. That is what makes DMARC an anti-spoofing control rather than just another signal.
A DMARC record is a single TXT entry published at _dmarc.yourdomain.com. Its most important tag is the policy, p=, which is the instruction every receiving server obeys. There are three levels, and they form a deliberate ramp:
A record can also enforce a percentage with pct= and set alignment strictness, so you can ratchet enforcement up gradually instead of flipping a switch.
Reporting is the half of DMARC people forget, and it is the half that makes safe rollout possible. Two report types flow back to the addresses you name in the record. Aggregate reports (the rua tag) are daily XML summaries showing every source that sent mail as your domain, how much each sent, and whether it passed SPF, DKIM, and alignment. They are how you discover the forgotten newsletter tool or invoicing service sending on your behalf before you accidentally block it.
Forensic reports (the ruf tag) are near-real-time samples of individual messages that failed. They carry more detail, but because that detail can include message content, many receivers send them rarely or not at all for privacy reasons. For most teams the aggregate reports do the heavy lifting, and a report-parsing service turns that raw XML into a readable view of who is sending in your name.
DMARC moved from best practice to baseline requirement in early 2024, when Gmail and Yahoo began requiring bulk senders to publish a valid DMARC policy, align SPF or DKIM with the visible From domain, keep spam complaints under a threshold, and support easy one-click unsubscribe. The intent is to make spoofing far harder and to put accountability on whoever owns the sending domain.
The practical consequence is blunt: if you send mail at any real volume and you have no DMARC record, a growing share of your messages will be filtered or rejected before a human sees them. DMARC has become part of the price of admission to the inbox, alongside a clean list and good engagement. You can confirm a domain’s setup with our DMARC, DKIM and SPF check and verify the mail servers behind it with the MX lookup.
The danger in DMARC is enforcing before you understand your own mail flows and silently blocking legitimate senders. The safe path is a staged rollout that the reporting makes possible:
p=none record with an rua address and collect aggregate reports for a few weeks.p=quarantine, optionally ramping with pct=, and keep watching the reports.p=reject for full protection.Authentication and list quality are two sides of the same coin. DMARC stops other people abusing your domain, but sending to dead or risky addresses still drives bounces and erodes the reputation DMARC is meant to protect. That is why we treat domain mail health and address quality together: run your contacts through email verification so that once your DMARC policy is enforcing, the mail going out is also reaching real, reachable people. For verifying at scale, the volume tiers are on the pricing page.
Keep learning
DMARC sits inside the wider set of email authentication and deliverability concepts. These are the terms most worth understanding next.
A DNS record listing which servers are allowed to send mail for a domain.
A cryptographic signature that proves a message was not altered in transit.
The protocol mail servers speak to hand a message from sender to recipient.
Confirming an address is real, reachable, and safe to send to before you send.
A permanent delivery failure, usually because the mailbox does not exist.
A temporary delivery failure, like a full inbox or a server that is briefly down.
See a domain's DMARC, DKIM, and SPF records side by side in two seconds, with anything missing or misconfigured flagged. No signup.
Common questions
The questions we get most about DMARC, answered with the same logic our verification engine uses to read domain mail health.
DMARC is a published instruction that sits in your domain’s DNS. It tells every receiving server one thing: “if a message claiming to be from my domain does not pass SPF or DKIMin a way that lines up with the visible From address, here is what you should do with it.”
That instruction is one of three choices, and the receiver acts on it automatically. DMARC is what turns SPF and DKIM from passive signals into an enforceable anti-spoofing policy.
SPF lists which servers may send mail for your domain. DKIM adds a cryptographic signature that proves a message was not altered in transit. Each one checks a different thing, and on its own neither one decides what happens to a failing message.
DMARC is the layer on top. It ties SPF and DKIM to the address your recipient actually sees, then publishes the policy and the reporting. SPF and DKIM are the tests; DMARC is the verdict and the paper trail.
They are the three enforcement levels in your DMARC record. p=none means monitor only: receivers report on failing mail but still deliver it. p=quarantine tells them to treat failing mail as suspicious, usually routing it to spam. p=reject tells them to block it outright.
The accepted path is to start at p=none, read the reports until your legitimate senders pass, then move to quarantine and finally reject. Jumping straight to reject risks blocking your own mail.
Since early 2024, Gmail and Yahoo require bulk senders to publish a valid DMARC policy, align SPF or DKIM with the visible domain, and keep spam complaints low. The goal is to shut down spoofing and shift accountability onto whoever owns the sending domain.
In practice it means that if you send marketing or transactional mail at volume and you have no DMARC record, a growing share of your messages will be rejected or filtered before anyone reads them.
Aggregate reports (the rua address in your record) are daily XML summaries: which sources sent mail as your domain, how much, and whether it passed SPF, DKIM, and alignment. They are how you find every legitimate and illegitimate sender before you enforce.
Forensic reports (the ruf address) are near-real-time samples of individual failing messages. They are richer but carry privacy considerations, so many receivers send them sparingly or not at all.
No. DMARC stops other people sending mail in your name and is now a baseline that mailbox providers expect, so missing it actively hurts you. But it does not by itself place mail in the inbox.
Inbox placement still depends on list quality, engagement, and a clean sending reputation. Sending to dead or risky addresses raises your bounce rate and undoes the trust DMARC builds, which is why we pair authentication with email verification.
A DMARC record is a TXT entry at _dmarc.yourdomain.com. You can look it up directly, but the faster read is to check it alongside SPF and DKIM, since DMARC only enforces what those two report.
Our DMARC, DKIM and SPF check pulls all three records for a domain at once and flags what is missing or misconfigured, and our MX lookup confirms the mail servers behind them.
DMARC is one signal of a domain’s mail health: it shows the domain takes authentication seriously. When we score whether an address is safe to send to, the configuration of its domain, including authentication and SMTP behavior, feeds into the verdict.
Test any address with the free email checker, and see volume options on the pricing page when you need to verify at scale.