What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy defined in RFC 7489. It builds on SPF and DKIM by adding a policy layer that tells receiving servers what to do when email fails authentication, and a reporting mechanism that gives domain owners visibility into how their domain is being used in email.

How DMARC works

A DMARC record is a DNS TXT record published at _dmarc.example.com:

v=DMARC1; p=reject; rua=mailto:[email protected]

When a receiving server gets a message whose From header claims example.com, it:

  1. Evaluates SPF (against the envelope sender, the RFC5321.MailFrom domain) and DKIM (against the d= domain of any signature that verifies)
  2. Checks alignment - the domain that passed SPF or DKIM must match the From header domain, exactly in strict mode or at the organizational-domain level in the default relaxed mode
  3. Applies the DMARC policy (none, quarantine, or reject) to messages in which neither SPF nor DKIM passed with an aligned domain

DMARC policies

  • p=none - monitoring only; collect reports but deliver all email regardless of authentication
  • p=quarantine - treat failing email as suspicious; receivers typically deliver it to the spam/junk folder
  • p=reject - reject failing email outright; it is never delivered

Only quarantine and reject provide actual protection against spoofing. The p=none policy is a monitoring step, not a security control. A record can also carry sp= to set a separate policy for subdomains; when sp= is absent, subdomains inherit p=.
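The evaluation steps and the policy table above, worked through as an added example (this is not code from the page or from SurfaceLoop): a small DMARC record parser and a receiver-side evaluator that checks SPF and DKIM alignment in relaxed or strict mode, picks p= or sp= depending on whether the From domain is a subdomain, and returns the disposition. The record, domains and authentication results are constructed; the organizational-domain logic takes the last two labels rather than consulting the Public Suffix List, which is a simplification.

```python
from dataclasses import dataclass

# Constructed sample record, as it would be published at _dmarc.example.com.
# The rua address is a hypothetical placeholder.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")       # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")        # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])    # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")       # parsed but not applied below
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers use the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the user sees
    spf_result: str    # "pass", "fail", "none", ... for the envelope sender
    spf_domain: str    # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the signature that verified (if any)


def evaluate_dmarc(record: dict, record_domain: str, r: AuthResults) -> dict:
    """Apply the DMARC check a receiver performs once SPF and DKIM are known.
    record_domain is where the record was found (the org domain when no record
    exists at the From domain itself)."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, record["adkim"])
    passed = spf_ok or dkim_ok
    is_subdomain = r.from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    policy = record["sp"] if is_subdomain else record["p"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,   # none = deliver normally
    }


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_RECORD)
    scenarios = {
        "legit, SPF on bounce subdomain + DKIM":
            AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com"),
        "spoof, SPF passes for attacker's own domain":
            AuthResults("example.com", "pass", "attacker.example", "none", ""),
        "forwarded, SPF broken but DKIM survives":
            AuthResults("example.com", "fail", "example.com", "pass", "example.com"),
        "spoofed subdomain, nothing passes":
            AuthResults("mail.example.com", "fail", "mail.example.com", "none", ""),
    }
    for name, results in scenarios.items():
        print(f"{name}: {evaluate_dmarc(rec, 'example.com', results)}")
```

The second scenario is the case DMARC exists for: SPF genuinely passes, but for a domain the attacker controls, so without alignment against the From header the pass would mean nothing. Swapping in a `p=none` record for the same inputs yields a disposition of `none` on every failing message, which is the sense in which monitoring mode delivers everything.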

Why DMARC is critical

Without DMARC, an SPF or DKIM failure has no guaranteed consequence: receiving servers make their own decisions about what to do with unauthenticated email. Neither mechanism on its own ties the authenticated domain to the From address the recipient actually sees, which is why alignment matters. DMARC gives domain owners control over the failure decision and provides the reporting needed to monitor domain abuse.

Google and Microsoft now require DMARC for bulk email senders. SurfaceLoop checks DMARC records across all your domains and flags policies stuck at p=none, missing subdomain policies, and other configuration gaps.