What Is DMARC and Why Your Business Needs It

Published April 2026 · Quick DNS Fix

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the most powerful email authentication standard available today. It builds on SPF and DKIM to give you control over what happens to emails that fail authentication — and it's now required by Google and Yahoo for senders of more than 5,000 emails per day.

What DMARC Actually Does

DMARC does three things: it tells receiving mail servers what policy to apply to emails that fail authentication (neither SPF nor DKIM passes for a domain that aligns with the From domain), it adds that alignment requirement (the From domain must match the SPF/DKIM domain), and it provides reporting so you can see who is sending email on behalf of your domain.

The Three DMARC Policy Levels

A DMARC record specifies a policy: 'p=none' means monitor only — do nothing with failing emails but send reports. 'p=quarantine' means send failing emails to the spam folder. 'p=reject' means reject failing emails entirely. You should always start at p=none to gather data before moving to enforcement.

Why DMARC Is Now Mandatory

Since February 2024, Google and Yahoo require all senders of 5,000+ emails per day to have a DMARC record with at least p=none. Even below this threshold, not having DMARC means spoofed emails from your domain might get delivered to recipients. Phishing attacks using your domain can damage your brand reputation permanently.

What a DMARC Record Looks Like

A basic DMARC record looks like: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. It's published as a TXT record at _dmarc.yourdomain.com. The rua tag specifies where aggregate reports are sent — these weekly XML reports show you which servers are sending email for your domain.

DMARC Alignment Explained

DMARC adds an alignment requirement that trips up many businesses. The domain in the From header of your emails must align with the domain that passes SPF or DKIM. If you send marketing emails from marketing@yourdomain.com via a third-party service, that service must be set up to sign with your domain's DKIM key — not their own.

How to Move from p=none to p=reject Safely

Start with p=none and collect reports for at least 2–4 weeks. Analyse the reports to identify all legitimate sending sources. Set up DKIM and SPF correctly for each source. Move to p=quarantine;pct=10 (apply to 10% of failing emails). Gradually increase to pct=100, then move to p=reject once you're confident no legitimate emails are failing.

Reading DMARC Reports

DMARC aggregate reports are XML files that show the sending IPs, volume, SPF/DKIM pass/fail rates, and DMARC disposition for each source. Most organisations use a DMARC report analyser tool to make these readable. Our Managed Pro plan includes regular DMARC report analysis as part of the service.

DMARC setup is straightforward for simple email setups, but complex for businesses using multiple sending platforms. If you send transactional email, marketing email, support email and internal email from different systems, each one needs to be configured correctly before you can safely enforce DMARC. Our Full Audit plan handles the entire setup end-to-end.
