
What Is DMARC? How It Protects Your Email

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a policy you publish in your domain's DNS that tells receiving mail servers how to handle messages which claim to come from your domain but fail authentication checks, and where to send reports about them.

Without a DMARC record, anyone can send emails that look like they come from your company. That opens the door to phishing attacks against your customers, suppliers, and staff. DMARC, enforced on top of SPF and DKIM, closes that door for mail that claims to come directly from your domain.

Why DMARC Matters for Your Business

Every day, criminals send billions of fake emails pretending to be legitimate companies. This is called email spoofing. A spoofed email might ask your client to pay an invoice to a fraudulent bank account, or trick an employee into handing over login credentials.

A DMARC policy tells email providers like Google and Microsoft what to do when someone fakes your domain. Without it, those providers have no instructions and may deliver the fraudulent message straight to the inbox.

  • Protects your brand reputation by stopping impersonation emails
  • Reduces the risk of invoice fraud and business email compromise
  • Improves email deliverability so your legitimate emails land in inboxes, not spam
  • Gives you visibility into who is sending email on your behalf through DMARC reports

How DMARC Works with SPF and DKIM

DMARC does not work alone. It builds on two other email authentication protocols: SPF and DKIM. Think of them as layers in a security system.

SPF (Sender Policy Framework) is a DNS record listing the servers that are allowed to send email for your domain. When a message arrives, the receiving server checks whether the connecting server is on that list. Note that SPF is checked against the domain in the message's envelope sender (the bounce address), which is not always the domain shown in the visible From header. You can learn more in our guide to SPF.

DKIM (DomainKeys Identified Mail) adds a digital signature over selected headers and the body of every email you send. The receiving server fetches the public key from a DNS record named by the signature's selector and signing domain and verifies the signature. If it verifies, the signed parts of the message have not been altered since they were signed, and the signing domain has vouched for the message. See our guide to DKIM for details.

DMARC ties SPF and DKIM together. A message passes DMARC when at least one of them passes and the domain that passed (the SPF envelope-sender domain or the DKIM signing domain) aligns with the domain in the visible From header. By default alignment is relaxed, so a subdomain such as mail.yourdomain.com aligns with yourdomain.com; strict alignment requires an exact match. This alignment check is what stops attackers from passing SPF or DKIM on their own domain while spoofing yours in the visible From field.

The Three DMARC Policies Explained

When you publish a DMARC record, you choose one of three policies. Each policy tells receiving servers what to do with emails that fail authentication.

Policy: None (p=none)

This is monitoring mode. The record asks receivers to take no special action on messages that fail DMARC, so they are delivered or filtered exactly as they would be without a record. You receive reports showing which messages passed and which failed.

Most businesses start here. It lets you see what is happening without risking disruption to legitimate email. However, it provides zero protection against spoofing.

Policy: Quarantine (p=quarantine)

Emails that fail DMARC checks are treated as suspicious, which in practice means the spam or junk folder instead of the inbox. This is a significant step up from none because fraudulent emails are hidden from most recipients.

Quarantine is a good intermediate step while you verify that all your legitimate sending services are properly authenticated.

Policy: Reject (p=reject)

This is full DMARC enforcement. Receivers are asked to refuse emails that fail checks outright, typically during the SMTP conversation, so they never reach the recipient at all.

Reject is the gold standard. It provides the strongest protection against email spoofing. Reaching this level is the goal for every business, but getting there safely requires careful preparation to avoid blocking your own legitimate emails.

What a DMARC Record Looks Like

A DMARC record is a small piece of text published as a TXT record in your domain's DNS at the name _dmarc.yourdomain.com. Here is a simplified example:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

Breaking that down: "v=DMARC1" identifies it as a DMARC record and must come first. "p=reject" sets the policy for the domain. "rua" is the mailbox where you want to receive aggregate reports about who is sending email using your domain. Other optional tags, such as sp= for subdomains, pct= for a gradual rollout, and adkim=/aspf= to switch alignment from relaxed to strict, are left out of this example.
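The following is an added example, not code from this page or from any mail provider: a simplified model of the checks a receiving server performs when it evaluates DMARC for one message, tying together the record format above, the alignment rule from the SPF and DKIM section, and the three policies. It assumes the receiver already has SPF and DKIM results as "pass"/"fail" strings and, as a labelled simplification, takes the organizational domain to be the last two DNS labels (real receivers consult the Public Suffix List, so yourdomain.co.uk would be handled differently). The sp= and pct= tags are ignored.

```python
"""Added example: how a receiver evaluates DMARC for one message.

Simplified model of the RFC 7489 checks, for illustration only.
Assumptions not taken from the page:
- organizational domain = last two DNS labels (real code uses the
  Public Suffix List);
- SPF/DKIM results are already known as the strings "pass"/"fail";
- the sp= and pct= tags are ignored.
"""


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    # Spec defaults when a tag is absent: monitor only, relaxed alignment.
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Alignment test. Strict ('s') needs an exact match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Return whether DMARC passes and which disposition the policy requests.

    spf_domain is the envelope sender (bounce address) domain SPF was checked
    against; dkim_domain is the d= domain of the verified DKIM signature.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # A passing message is never acted on; a failing one gets the p= action.
    disposition = "none" if passed else tags["p"]
    return {"pass": passed, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com"
    # Legitimate mail sent through a vendor: SPF fails alignment (vendor's
    # bounce domain) but the DKIM signature is yours, so DMARC passes.
    print(evaluate_dmarc(record, "yourdomain.com",
                         "fail", "bounce.mailer.example",
                         "pass", "yourdomain.com"))
    # Spoof: the attacker's own domain passes SPF and DKIM, but the visible
    # From is yours, so nothing aligns and the policy says reject.
    print(evaluate_dmarc(record, "yourdomain.com",
                         "pass", "attacker.example",
                         "pass", "attacker.example"))
```

The second call is the case the alignment rule exists for: both SPF and DKIM genuinely pass for attacker.example, yet the message still fails DMARC because neither passing domain is yours.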

You do not need to write this yourself. Your IT provider or a managed service like readyDMARC will set it up for you and monitor the reports.

Compliance Requirements Driving DMARC Adoption

DMARC is no longer just a best practice. It is becoming a requirement across multiple standards and platforms.

  • Google and Yahoo now require a DMARC record for anyone sending more than 5,000 emails per day to their users (a p=none policy is enough to meet this requirement). Without one, your marketing emails and transactional messages may be rejected or sent to spam.
  • PCI DSS 4.0, the security standard for businesses that handle card payments, includes anti-phishing requirements that DMARC directly addresses. Compliance deadlines are already in effect.
  • Government frameworks in the UK, US, and Australia either mandate or strongly recommend DMARC at enforcement level for public sector organizations, and many private sector partners follow suit.
  • Cyber insurance providers increasingly ask about email authentication controls during underwriting. A DMARC policy at enforcement can help demonstrate due diligence.

Common Mistakes When Setting Up DMARC

Publishing a DMARC record is straightforward, but reaching enforcement without breaking your email flow is where most businesses get stuck.

  • Jumping straight to p=reject without monitoring first, which can block legitimate emails from CRM systems, marketing platforms, or third-party invoicing tools
  • Forgetting to authenticate all sending services before tightening the policy, leaving gaps that cause delivery failures
  • Ignoring DMARC reports because they arrive as XML files that are difficult to read without a reporting tool
  • Setting up DMARC once and never reviewing it, even as new sending services are added over time

These mistakes are exactly why many businesses choose a managed service to handle DMARC implementation and ongoing monitoring.
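The following is an added example, not code from this page or from a DMARC reporting vendor, showing what the XML aggregate reports mentioned above actually contain and how to turn one into a list of sending sources that need attention before you tighten the policy. The report is constructed for the example and follows the RFC 7489 aggregate report layout that receivers send to the rua address; its IP addresses and domain names are placeholders. Real reports arrive as gzip or zip attachments and must be decompressed first. They are untrusted input from the internet, so in production parse them with defusedxml rather than the standard-library parser used here so that the example runs offline.

```python
"""Added example: summarising one DMARC aggregate (rua) report.

The XML is constructed to match the RFC 7489 aggregate report format.
IPs, domains and counts are placeholders, not real data.
"""
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted reports

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>240</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result><selector>k1</selector></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.99</source_ip>
      <count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Group the report's rows by source IP and classify each source.

    'aligned'         - passed DMARC; nothing to do.
    'unaligned'       - SPF or DKIM passed for some other domain; usually a
                        legitimate vendor whose DKIM d= or bounce domain is
                        not yours. Fix before moving to quarantine/reject.
    'unauthenticated' - nothing passed; either a forgotten server or a spoofer.
    If one IP appears in several rows, the first row's status is kept.
    """
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results the receiver used.
        dmarc_pass = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                                rec.findtext("row/policy_evaluated/spf"))
        # auth_results holds the raw results, whichever domain they were for.
        raw = rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
        raw_pass = any(r.findtext("result") == "pass" for r in raw)
        status = "aligned" if dmarc_pass else ("unaligned" if raw_pass else "unauthenticated")
        entry = sources.setdefault(ip, {"count": 0, "status": status, "auth_domains": set()})
        entry["count"] += count
        entry["auth_domains"].update(r.findtext("domain") for r in raw)
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": sources}


def action_items(summary: dict) -> list:
    """Sources that would be affected by enforcement, biggest first."""
    items = [(ip, s["count"], s["status"], sorted(s["auth_domains"]))
             for ip, s in summary["sources"].items() if s["status"] != "aligned"]
    return sorted(items, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['domain']} is at p={summary['policy']}")
    for ip, count, status, domains in action_items(summary):
        print(f"{ip}: {count} messages, {status}, authenticated as {domains}")
```

In this constructed report 198.51.100.7 is the classic pre-enforcement finding: a CRM vendor that signs and sends correctly, just not as your domain, so it would be quarantined or rejected the moment the policy tightens. 192.0.2.99 passes nothing and is either an unlisted internal server or someone spoofing you; either way it is the row to investigate first.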


Frequently Asked Questions

What is DMARC in simple terms?

DMARC is a security rule you publish for your email domain. It tells email providers like Google and Microsoft how to handle messages that fail authentication. With DMARC enforcement, fake emails that impersonate your company are blocked before they reach anyone's inbox.

Do I need DMARC if I already have SPF and DKIM?

Yes. SPF and DKIM verify parts of the email, but without DMARC there is no policy telling receivers what to do when checks fail. DMARC adds the enforcement layer and the alignment check that prevents attackers from spoofing your visible From address.

How long does it take to set up DMARC?

Publishing a basic DMARC record in monitoring mode takes minutes. However, reaching full enforcement safely typically takes four to eight weeks. That time is needed to identify all legitimate sending services and ensure they pass authentication before tightening the policy.

Will DMARC stop all phishing emails?

DMARC stops emails that impersonate your exact domain. It does not prevent phishing from lookalike domains or unrelated addresses, and it does not stop mail sent from a genuinely compromised mailbox on your domain, which passes authentication like any other legitimate message. However, at reject policy, it eliminates the most damaging type of spoofing: someone sending email that appears to come directly from your business.

Is DMARC required by Google and Yahoo?

Yes. Since February 2024, Google and Yahoo require bulk senders (5,000 or more messages a day to their users) to have a DMARC record. Without one, emails may be throttled, sent to spam, or rejected. Even if you send fewer than 5,000 messages per day, having a DMARC policy improves your deliverability and protects your domain.

Understanding what DMARC is forms the first step toward protecting your business from email impersonation. A DMARC policy, combined with properly configured SPF and DKIM, gives you control over who can send email as your company and what happens when someone tries to fake it.

Moving from no DMARC record to full enforcement takes careful planning, but the payoff is real: fewer phishing attacks targeting your contacts, better email deliverability, and compliance with the latest security standards. Once DMARC is enforced, you can also look into MTA-STS to require TLS encryption for email in transit, and BIMI, which requires a DMARC policy of quarantine or reject, to display your brand logo in inboxes.

Check your domain to see where you stand right now. If you need help getting to full enforcement, readyDMARC handles the setup, monitoring, and ongoing management. See our managed email security services to learn more.
