What is DMARC?

Definition

Domain-based Message Authentication, Reporting, and Conformance is the policy layer of email authentication. SPF and DKIM each perform a useful check on their own, but neither one, by itself, looks at the From address that a recipient actually sees, and neither one tells a receiving server what to do when a check fails. DMARC fills both gaps. It instructs receivers on how to treat unauthenticated mail, and it produces reports that give the domain owner visibility into how the domain is being used.

The name itself describes the three jobs it does. The authentication part means DMARC builds directly on the results of SPF and DKIM. The reporting part means receivers send the domain owner aggregate data about messages claiming to come from the domain, including how many passed and how many failed. The conformance part means the domain owner can declare a policy that receivers should conform to, ranging from take no action, to deliver to spam, to reject outright. Together these turn SPF and DKIM from isolated checks into an enforceable, observable defense of the domain's identity.

How It Works

A DMARC policy is published as a single DNS TXT record at the subdomain _dmarc.yourdomain.com. The record begins with v=DMARC1, states the requested policy in a p= tag, and usually includes a rua= tag giving an address where aggregate reports should be sent. When a message arrives, the receiving server runs SPF and DKIM as usual, then performs the DMARC evaluation on top of those results.

The heart of DMARC is alignment. It is not enough for SPF or DKIM simply to pass. The domain that those checks validated must also match the domain shown in the visible From header, because protecting that visible From address is the whole point of DMARC. There are two alignment modes. Relaxed alignment, the default, accepts a match at the organizational domain level, so a subdomain can align with its parent domain. Strict alignment requires an exact domain match. DMARC passes when at least one of SPF or DKIM both passes and aligns with the From domain. This is why a message can pass SPF or DKIM on its own and still fail DMARC if the validated domain does not line up with the From address, a common surprise when senders first tighten their policy.

When a message fails DMARC, the receiver applies the published policy. A policy of p=none asks the receiver to take no special action and simply include the message in reports, which is the monitoring setting. A policy of p=quarantine asks the receiver to treat failing mail with suspicion, typically by routing it to the spam folder. A policy of p=reject asks the receiver to block failing mail entirely, so it never reaches the inbox or the spam folder. The recommended rollout is gradual: start at none, study the aggregate reports to confirm every legitimate sending source is authenticating and aligning, then move to quarantine and finally to reject once the data shows it is safe. Enforcing a strict policy before the setup is complete can cause a domain to block its own legitimate mail.

Why It Matters for Email Deliverability

DMARC matters for two connected reasons. The first is security. Without DMARC, an attacker can send phishing mail that displays a trusted company's exact domain in the From address, because SPF and DKIM alone do not police that visible field. A DMARC policy of quarantine or reject lets the real domain owner instruct the world's mailbox providers to stop that forged mail before it reaches anyone. The second reason is deliverability. A DMARC record signals to providers that a domain takes authentication seriously, which supports the domain's reputation and inbox placement.

DMARC has also become a hard requirement. Under the 2024 sender requirements from Google and Yahoo, bulk senders must publish a DMARC record with a policy of at least p=none, and they must authenticate with SPF and DKIM in a way that aligns under DMARC. A domain without a DMARC record can find its bulk mail throttled or rejected. At the same time, the reports DMARC returns are valuable in their own right, because they reveal every service sending mail under the domain. That visibility helps a sender confirm that all of its legitimate tools, from marketing platforms to support systems, are authenticating correctly before any stricter policy is enforced.

How VeriMails Handles It

DMARC and email verification defend deliverability from opposite ends of the message. DMARC protects your domain identity on the mail you send, making sure receivers can trust that a message claiming to be from your domain really is. Email verification protects the quality of the list you send to, making sure every address is real and reachable. A domain can have a flawless DMARC policy and still hurt its reputation by mailing dead addresses, so the two practices complement each other rather than overlap.

VeriMails handles the recipient side. Every address you submit is checked through syntax validation, an MX and DNS lookup, a live SMTP handshake, catch-all detection, disposable address detection, and role-based detection, removing the invalid addresses that would bounce and erode the reputation your DMARC, SPF, and DKIM records work to protect. To help on the authentication side, VeriMails offers a free DMARC generator that builds a correctly formatted record so you can begin in monitoring mode and tighten the policy as your reports confirm it is safe. You can verify a list through the REST API or a bulk CSV upload, with clear deliverability categories for campaign decisions. Verification starts at $0.0019 per email, with 10,000 credits for $19 and subscriptions from $15 per month, and every account begins with 100 free credits, no credit card required, that never expire.

Frequently Asked Questions