DMARC

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS policy record that builds on SPF and DKIM to define what receiving mail servers should do with emails that fail authentication — and directs aggregate and forensic reports back to the domain owner. It has three enforcement levels: none (monitor, take no action), quarantine (route failed messages to spam), and reject (block failed messages entirely).

DMARC solves the enforcement gap in SPF and DKIM. Those standards define how to check authenticity but don't specify what to do when checks fail. DMARC adds the policy layer — telling receiving servers to quarantine or reject unauthenticated messages — and adds visibility through reports that show which servers are sending email on behalf of the domain (authorized or not).

For companies running cold outreach, DMARC has two distinct benefits. First, it protects the company domain from being spoofed by third parties sending phishing or spam that claims to be from rep@gangly.com. Second, starting at DMARC p=none with monitoring gives visibility into all sending infrastructure claiming to use the domain — essential for diagnosing unexpected bounces and authentication failures.

DMARC policy levels explained

DMARC has three policy levels, each with different enforcement implications.

• p=none — monitor only. Emails that fail SPF and DKIM are still delivered, but reports are sent to the rua (aggregate) and ruf (forensic) email addresses in the DMARC record. Use this first to identify all legitimate sending sources before enforcing. Required starting point for most new DMARC setups.
• p=quarantine — emails failing DMARC checks are routed to spam/junk folder rather than the inbox. This is a middle ground: failed messages aren't lost (recipients can find them in spam) but they're treated with suspicion. Move here after at least 2–4 weeks of monitoring at p=none and confirming all legitimate senders are authenticated.
• p=reject — emails failing DMARC checks are rejected outright and never delivered. The strongest protection against spoofing. Move here only after confident that all legitimate sending infrastructure is in the SPF record and DKIM-signed. A premature p=reject that blocks a legitimate sending service causes undelivered email.

How to set up DMARC

1. Ensure SPF and DKIM are already configured and passing on the domain. DMARC requires at least one of these to align for messages to pass.

2. Create a DMARC TXT record in DNS at the subdomain _dmarc.[yourdomain.com]. Example: 'v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1'

3. Start with p=none. Monitor reports for 2–4 weeks. Use a DMARC report analyzer (Dmarcian, EasyDMARC, or Postmark's free DMARC analyzer) to read the aggregate XML reports and identify all sending sources.

4. Confirm all legitimate sending services are in the SPF record and DKIM-signing their messages. Update SPF and DKIM for any services that are failing authentication.

5. Move to p=quarantine, monitor for 2–4 more weeks, then advance to p=reject when satisfied that all legitimate traffic is passing.

DMARC and cold email compliance

Google's February 2024 sender requirements mandate DMARC at p=none or higher for all senders sending more than 5,000 messages per day to Gmail. Yahoo has the same requirement. These requirements effectively make DMARC mandatory for any sales team running high-volume cold outreach.

Beyond compliance, DMARC at p=quarantine or p=reject actively protects the company domain from phishing attacks that spoof the domain — where attackers send emails appearing to be from rep@yourcompany.com to trick prospects or employees. Domain spoofing attacks have increased as phishing has become more targeted; DMARC enforcement is the primary defense.

See SPF → and DKIM →

Frequently asked questions