ONLINE
Bento

DMARC: Complete Guide to Email Authentication and Protection

By AnjaMarch 3, 202514 min read

You've probably gotten those fake emails from "Amazon" or "PayPal" asking for your password. That's email spoofing - when someone uses your domain to send fake emails, DMARC gives email providers a way to stop them and protects your domain from scammers who send emails pretending to be you. It works by combining two other security protocols, SPF and DKIM, into one powerful shield for your domain.

But DMARC does more than just check if emails are real: it tells Gmail, Outlook, and other email providers exactly what to do with fake emails using your domain. You can tell them to send suspicious emails to spam or block them entirely. Getting this right means your real emails get delivered while the fake ones get stopped.

This guide walks through setting up DMARC for your domain, from basic DNS records to advanced policies. We'll cover the technical parts in plain language so you can protect your domain without getting lost in the details.

TL;DR: DMARC Basics

DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM to stop email spoofing and phishing attacks using your domain.

How it works:

  • You need SPF or DKIM already set up (preferably both)
  • DMARC policies tell email providers what to do with suspicious emails
  • You get reports showing who's sending email from your domain

The three DMARC policies:

  • p=none: Just monitor and report (start here when setting up)
  • p=quarantine: Send suspicious emails to spam folders
  • p=reject: Block suspicious emails completely

What to watch out for: You need SPF or DKIM working first. Start with p=none to see what's happening, then slowly increase protection once you know all your legitimate emails are authenticating properly.

For setting up the prerequisites, see our SPF records guide and DKIM guide. For DMARC monitoring tools, check best DMARC tools.

What Is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It's an email security protocol that stops people from sending fake emails that look like they come from your domain.

Think of DMARC as the bouncer at the email club: when an email shows up claiming to be from your domain, DMARC checks its ID. It uses SPF and DKIM as those ID checks and if the email fails the check, DMARC tells the email provider what to do based on your rules.

The key difference between DMARC and other email authentication is control. SPF says which servers can send email for you. DKIM adds a digital signature to prove emails haven't been tampered with, but it's DMARC that takes both of those checks and adds instructions for what happens when emails fail. Without DMARC, email providers guess what to do with suspicious emails and with it you tell them exactly how to handle it.

DMARC also sends you reports about every email claiming to be from your domain. You'll see which emails passed authentication, which failed, and where they came from. This visibility is crucial for spotting problems with legitimate emails or identifying spoofing attempts.

How DMARC Works

DMARC authentication happens in four steps every time someone receives an email from your domain.

First, the receiving email server checks if the email passes SPF or DKIM. SPF verifies the sending server is authorized. DKIM verifies the email hasn't been changed. The email needs to pass at least one of these checks, though passing both is better.

Second, the email server looks up your DMARC policy. This is a DNS record you publish that contains your rules. The server finds this record and reads your instructions.

Third, the server follows your policy instructions. If you set p=none, it delivers the email but notes the authentication result. If you set p=quarantine, failed emails go to spam. If you set p=reject, failed emails get blocked entirely.

Fourth, the email server sends you a report about what happened. These reports come in two types - aggregate and forensic. Aggregate reports give you daily summaries of all authentication results. Forensic reports give you details about specific failed emails, though many providers don't send these for privacy reasons.

The alignment check is where DMARC gets strict. The domain in the "From" address that recipients see must match the domain that passes SPF or DKIM. If you send from newsletter@example.com, either your SPF record needs to authorize the sending server for example.com, or your DKIM signature needs to be valid for example.com. This alignment requirement stops spoofing attempts that try to bypass authentication by using different domains.

DMARC Policies

DMARC gives you three policy options that control how email providers handle messages that fail authentication.

p=none (Monitor Only)

The p=none policy is your starting point. Email providers deliver all emails normally but send you reports about authentication results. This is perfect when you're first setting up DMARC because you can see what's happening without breaking anything.

Use p=none to discover all the legitimate services sending email for your domain. Marketing platforms, CRM systems, password reset services, and other tools might be sending emails you forgot about. The reports will show you everything, letting you fix authentication issues before they cause problems. Most domains stay at p=none for several weeks while gathering data.

p=quarantine (Quarantine)

The p=quarantine policy tells email providers to treat failed emails as suspicious. Most providers send these emails to spam folders, though some might add warning labels or handle them differently.

Move to p=quarantine after you've fixed authentication for all legitimate senders. This gives you protection against spoofing while still allowing recipients to check their spam folders if something important gets caught. You can also set a percentage, like pct=50, to quarantine only half of failed emails while you test the impact.

Many organizations stop at p=quarantine because it balances security with flexibility. Recipients can still retrieve emails from spam if needed, which helps when you have third-party services that occasionally fail authentication.

p=reject (Reject)

The p=reject policy provides maximum protection. Email providers completely block emails that fail DMARC checks. These emails never reach the recipient, not even in spam folders.

Only move to p=reject when you're confident all legitimate emails will pass authentication. This usually means having SPF and DKIM both configured properly for every service that sends email for your domain. Banks, government agencies, and security-conscious organizations often use p=reject because stopping spoofing is more important than the occasional lost email.

You can use subpolicy settings to apply different rules to subdomains. Setting sp=reject with p=quarantine lets you strictly protect subdomains while keeping the main domain more flexible.

DMARC DNS Records

DMARC policies live in your DNS as TXT records. The record name always follows the same pattern: _dmarc.yourdomain.com.

Here's a basic DMARC record:

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

This record has three parts. The v=DMARC1 identifies it as a DMARC record. The p=none sets your policy. The rua=mailto:dmarc@example.com tells providers where to send aggregate reports.

You can add more settings to fine-tune your policy. The pct tag lets you gradually roll out enforcement. Setting pct=25 applies your policy to only 25% of emails, useful when moving from quarantine to reject. The ruf tag requests forensic reports, though many providers don't send these. The sp tag sets a policy for subdomains that's different from your main domain policy.

A more advanced record might look like this:

_dmarc.example.com TXT "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; sp=reject"

This quarantines 50% of failed emails from the main domain, rejects all failed emails from subdomains, and requests both report types.

The record must be exactly at _dmarc.yourdomain.com. Not dmarc.yourdomain.com or yourdomain.com._dmarc. Getting the format wrong means DMARC won't work at all.

How to Set Up DMARC

Setting up DMARC takes five steps. Each step builds on the previous one, so don't skip ahead.

Step 1: Verify SPF and DKIM are working. DMARC needs at least one of these authentication methods working properly. Check your SPF record includes all services that send email for you. Verify DKIM signatures are being added to your emails. Use email testing tools to confirm both are passing authentication checks. If neither SPF nor DKIM works, DMARC can't function.

Step 2: Create your monitoring record. Start with this simple DMARC record that just collects data:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"

Create a dedicated email address for reports. You'll get XML files that are hard to read manually, so most people use DMARC analysis tools or services that parse these reports into readable dashboards.

Step 3: Add the record to your DNS. Log into your DNS provider (where your domain is registered or hosted) and add a new TXT record with the name _dmarc and paste your DMARC policy as the value. Some providers want the full _dmarc.yourdomain.com as the name. Save the record.

Step 4: Analyze your DMARC reports for 2-4 weeks. Reports usually start arriving within 24 hours and then you should look for legitimate services that are failing authentication. Common culprits include marketing automation platforms, customer support tools, and forgotten services from years ago. Then add these to your SPF record or set up DKIM for them and watch your pass rates improve as you fix each service.

Step 5: Gradually increase enforcement. Once your authentication pass rate is above 95%, move to p=quarantine with pct=25. This quarantines 25% of failed emails. Monitor for another week. If no legitimate emails are affected, increase to pct=50, then pct=100. After a month at full quarantine with no issues, consider moving to p=reject.

The whole process typically takes 2-3 months. Rushing through these steps risks blocking legitimate emails, so take your time.

DMARC Reporting

DMARC reports come in two flavors, each serving different purposes.

Aggregate reports (RUA) arrive daily or weekly as compressed XML files. They show statistics about email authentication from each receiving domain. You'll see how many emails passed or failed, which IP addresses sent them, and what authentication methods were used. These reports help you spot trends and identify services that need fixing.

The XML format is technical, but the data is valuable. Each report shows the sending IP address, the number of messages, SPF results, DKIM results, and the policy action taken. Free tools like DMARC Analyzer or Postmark's DMARC Digests turn these XML files into readable charts and tables.

Forensic reports (RUF) are detailed reports about individual failed emails. They include message headers and sometimes partial message content. These help you investigate specific authentication failures. However, most major email providers stopped sending forensic reports due to privacy concerns - gmail, Yahoo, and Outlook don't send them anymore.

Understanding your reports helps you make informed decisions. A legitimate service showing consistent authentication failures needs to be fixed, while random IPs sending small volumes of failed emails are probably spoofers you can safely ignore. Sudden spikes in failed authentication might indicate a new spoofing campaign or a configuration change that broke authentication.

Keep report emails separate from your regular inbox. The volume can be overwhelming, especially for popular domains. Many organizations use specialized DMARC reporting services that aggregate reports from all sources and provide dashboards instead of managing raw XML files.

DMARC Troubleshooting

Common DMARC problems have straightforward solutions once you know what to look for.

Authentication failures from legitimate senders usually mean your SPF record is missing authorized servers or DKIM isn't configured. Check if the failing service is in your SPF record and verify they're signing emails with DKIM. Some services need you to enable DKIM in their settings. Marketing platforms often have DKIM disabled by default.

DMARC record not found errors happen when the record format is wrong. Double-check you created the record at _dmarc.yourdomain.com exactly. The record must be a TXT record, not CNAME or another type. Make sure quotation marks in the policy are straight quotes, not curly quotes from word processors.

Reports not arriving could mean several things. Check your rua email address is correct and can receive emails. Some email providers limit report sizes or block them entirely. DNS propagation can take 48 hours, so new records might not work immediately. Try using a dedicated DMARC reporting service instead of a regular email address.

Alignment failures occur when the visible "From" domain doesn't match the SPF or DKIM domain. This often happens with mailing lists or forwarding services that modify emails. To fix itm, you might need to whitelist certain senders or adjust your alignment mode from strict to relaxed using the aspf=r or adkim=r tags.

Legitimate emails getting blocked means you moved to enforcement too quickly. Immediately change your policy back to p=none or reduce the pct value and review your reports to find what service is failing authentication. You should fix the authentication issue before trying enforcement again.

Testing changes takes time because of DNS caching. After updating your DMARC record, wait at least a few hours before testing. Some email providers cache DNS for 24 hours, so full propagation takes time.

Where Bento Fits: DMARC Setup Included

Setting up DMARC yourself means juggling DNS records, authentication protocols, and report analysis. Here's how Bento handles these complexities for you.

Guided DMARC setup. Bento walks you through creating DMARC records that work with your sending setup. Instead of guessing at the right configuration, you get specific instructions based on your domain and sending patterns. The platform verifies your records are formatted correctly and published properly.

Built-in authentication monitoring. Bento tracks your SPF, DKIM, and DMARC status continuously. If authentication starts failing, you get alerts before it affects deliverability. The dashboard shows your authentication health at a glance, no XML parsing required.

Deliverability infrastructure included. Most email services charge extra for deliverability features or require separate tools, but Bento includes authentication setup, reputation monitoring, and delivery optimization in the base platform. You don't need multiple tools to manage email security.

When Bento makes sense: You want DMARC protection without becoming an email authentication expert. You're sending marketing, transactional, or automated emails and need them to reach inboxes. You'd rather focus on your business than troubleshooting DNS records.

When specialized tools make sense: You need forensic-level DMARC analysis across multiple domains. You're managing email authentication for an enterprise with complex requirements. You want detailed reports about every authentication attempt.

The honest pitch: Bento won't replace dedicated DMARC analysis platforms for large enterprises as those tools provide deeper analytics and more granular control. But if you want reliable email delivery with authentication handled correctly, Bento gives you that without the complexity or additional costs.

Ready to Set Up DMARC?

1. Start by checking your SPF and DKIM setup. Both need to work before DMARC can protect your domain. Test your current authentication using online tools to see what's already working.

2. Create a monitoring DMARC record with p=none. This lets you see what's happening without affecting email delivery. Use a dedicated email address for reports or sign up for a DMARC monitoring service.

3. Add your DMARC record to DNS through your domain provider. Most providers have guides for adding TXT records. Copy your record exactly, including all semicolons and quotation marks.

4. Watch your reports for at least two weeks. Fix any legitimate services that are failing authentication. Add missing services to SPF, enable DKIM where possible, and verify alignment is working.

5. Once authentication is solid, gradually increase enforcement. Start with p=quarantine at 25%, then increase the percentage weekly. Only move to p=reject when you're completely confident in your setup.

Related resources: Master the basics with our SPF records guide and DKIM guide. Compare monitoring options in best DMARC tools. For complete deliverability setup, see email deliverability tools.

DMARC stops spoofing and improves deliverability, but only when set up carefully. Take time to monitor before enforcing policies. Your domain's reputation depends on getting this right.

Enjoyed this article?

Get more email marketing tips delivered to your inbox. Join 4,000+ marketers.

No spam, unsubscribe anytime.

Keep Reading

How To Handle An Email Deliverability Crisis Calmly
Jesse Hanley
Jesse Hanley
CAN-SPAM and PO Boxes: Clearing Up the Confusion
Jesse Hanley
Jesse Hanley
BIMI Alternatives: How to Get Your Logo to Show Next to Your Emails
Jesse Hanley
Jesse Hanley

Ready to try better email marketing?

Start your 30-day free trial. Cancel anytime.

Free30-day trial·No credit card required·Book a demo