
DMARC

Domain-based Message Authentication, Reporting & Conformance

/dee-mark/

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM to protect domains from email spoofing.

How DMARC Works

DMARC connects SPF and DKIM authentication with a policy that tells receiving mail servers what to do when authentication fails:

  1. Email Received: A mail server receives an email claiming to be from your domain
  2. SPF Check: Server verifies the sending IP is authorized via SPF
  3. DKIM Check: Server verifies the cryptographic signature via DKIM
  4. Alignment Check: DMARC checks if the authenticated domains align with the From header
  5. Policy Applied: Based on your DMARC policy, the email is delivered, quarantined, or rejected
  6. Report Sent: Aggregate reports are sent to you about authentication results

DMARC Policy Options

p=none (Monitor Only)

v=DMARC1; p=none; rua=mailto:dmarc@example.com

No action taken on failing emails. Use this to monitor your email ecosystem before enforcing.

p=quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

Failing emails are marked as spam or placed in quarantine. Good intermediate step.

p=reject

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Failing emails are blocked entirely. Maximum protection but requires careful setup.

DMARC Record Anatomy

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; pct=100; adkim=s; aspf=s

Tag     Description                    Values
v       Version                        Always DMARC1
p       Policy                         none, quarantine, reject
sp      Subdomain policy               none, quarantine, reject
rua     Aggregate report email         Email address
ruf     Forensic report email          Email address
pct     Percentage to apply policy     0-100
adkim   DKIM alignment                 r (relaxed), s (strict)
aspf    SPF alignment                  r (relaxed), s (strict)

Setting Up DMARC with Transactional

Step 1: Start with Monitoring

Add a DMARC record with p=none to collect data:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Step 2: Analyze Reports

Monitor DMARC reports for 2-4 weeks. Identify:

  • Legitimate services sending on your behalf that need SPF/DKIM setup
  • Unauthorized senders you want to block

Step 3: Gradual Enforcement

Move to quarantine with a low percentage:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com

Increase pct gradually as you verify legitimate email still passes.

Step 4: Full Enforcement

Once confident, move to reject:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

DMARC Alignment

DMARC requires that the domain authenticated by SPF or by DKIM matches (aligns with) the domain in the From header. One aligned pass is enough.

Relaxed Alignment (Default)

Organizational domain must match. mail.example.com aligns with example.com.

Strict Alignment

Exact domain must match. mail.example.com does not align with example.com.

Common DMARC Issues

Reports Showing Failures from Legitimate Services

Your marketing email provider, CRM, or other services may be sending email as your domain. Add them to your SPF record and ensure they sign with DKIM.

Forwarded Emails Failing

Email forwarding breaks SPF because the forwarding server's IP isn't in your SPF record. This is a known limitation. DKIM should still pass if the email wasn't modified.

No Reports Received

  • Check the rua email address is correct
  • Verify your email provider accepts DMARC reports (they can be large)
  • Wait 24-48 hours for reports to arrive

Why DMARC Matters

Prevent Phishing

With a policy of quarantine or reject, DMARC lets receiving mail servers block emails that spoof your domain in the From header, protecting your customers from phishing.

Improve Deliverability

Major email providers (Google, Microsoft, Yahoo) increasingly require DMARC. A valid DMARC record improves inbox placement.

Enable BIMI

BIMI (Brand Indicators for Message Identification) requires a DMARC policy of quarantine or reject to display your logo in email clients.

Visibility

DMARC reports give you visibility into all email sent using your domain, helping identify unauthorized senders.

EXAMPLES

See It in Action

DMARC DNS Record Example

A DMARC policy that quarantines failing emails and sends reports

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
