Home/What is DMARC?

What is DMARC? How it works, the phases, and the path to p=reject.

DMARC isn't a switch you flip, but a multi-stage process. This page explains what's behind it, how monitoring, quarantine and reject work in detail – and where it gets complicated in practice.

Reading time · 14 minutes
Best for · IT managers, CISOs, IT leads
Last reviewed · April 2026
01

Introduction

Anyone sending email under their own domain in 2026 can no longer avoid DMARC. Google and Yahoo have required authentication for higher-volume senders since 2024, Microsoft has followed suit, and PCI DSS 4.0 explicitly requires it as well.

The rollout is often underestimated. A DMARC record is published in ten minutes – the real problem begins afterwards. Because DMARC is not a configuration but a measuring instrument: it shows who is really sending emails in your name. And almost always it's more systems than anyone in the organization had on their radar.

This article explains DMARC the way we do in projects with IT leadership: technically correct, but without marketing gloss. Including the points where the topic gets more complicated in practice than the documentation suggests.

02

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a standard specified in RFC 7489 that does two things:

  1. It defines how receiving mail servers should handle emailsthat claim to come from your domain but cannot be authenticated.
  2. It ensures that you, as the domain owner, receive reports about the email traffic under your domain – including legitimate and illegitimate senders.

Technically, DMARC is a DNS TXT record published on the subdomain _dmarc.your-domain.com . A minimal record looks like this:

DNS TXT Record_dmarc.your-domain.com
v=DMARC1; p=none; rua=mailto:reports@your-domain.com;

The three mandatory tags are quickly explained:

v=DMARC1
Version. Currently only one valid value.
p=none
Policy. Determines what happens to non-authenticated mail: none, quarantine or reject.
rua=mailto:…
Reporting address. Recipients send aggregated reports to this address daily.
03

How DMARC works

DMARC doesn't check whether an email is legitimate itself. Instead, it builds on two older standards – SPF and DKIM – and adds one decisive extra check: the alignmentcheck.

The process in five steps

  1. A mail server receives an email that claims to come from your-domain.com .
  2. The server retrieves the SPF record of your-domain.com and checks whether the sending IP address range is listed there.
  3. The server checks the email's DKIM signature against the public key in the DNS.
  4. At least one of the two checks must pass and the authenticated domain must match the visible sender domain (the Fromheader). That's the alignment.
  5. If the check fails, the DMARC policy is applied: let through, move to spam, or reject. In parallel, an entry is created in the report.

The alignment step is the real added value of DMARC. Without it, an attacker could send an email from a foreign but validly signed domain claiming to come from your-bank.com – and SPF and DKIM would be satisfied. Only DMARC ensures that the visible domain is authenticated.

04

SPF, DKIM and DMARC – how they work together

In practice the three standards are often lumped together. But they answer different questions:

SPF
DKIM
DMARC
Answers the question
Answers the question
Answers the question
Is this server allowed to send mail in the domain's name at all?
Was the message signed unaltered by someone with the private key?
Does the visible sender domain match what SPF or DKIM authenticated?
Checks
Checks
Checks
Sender IP against a DNS list.
Cryptographic signature in the mail header.
Match of the domains (alignment).
Weakness
Weakness
Weakness
Breaks on forwarding.
No policy control.
Needs correctly configured SPF or DKIM.

Only the combination of the three results in functioning spoofing protection. SPF and DKIM are the upfront checks, DMARC is the rule that builds on them and generates the content of the reports.

iNote

A common misconception: DMARC does not “replace” SPF or DKIM. If SPF is faulty or DKIM isn't set up, even the best DMARC policy is useless – on the contrary, a reject policy with a broken SPF setup burns legitimate emails.

05

The path to p=reject

The actual goal of every DMARC rollout is p=reject. Only there does DMARC offer real protection against domain spoofing – before that, it's observation. The path there practically always runs through three phases that shouldn't be skipped.

Why not go straight to reject? Because on day one nobody knows everyone who actually sends under their own domain. Enforcing too early hits the third-party systems first – and they're usually business-critical.

1
Phase 1 · Monitoring
p=none · observation, no impact on delivery
Typical duration
2–4 weeks

What happens in this phase

The DMARC record is published with policy p=none . Emails are delivered normally. In the background, recipients like Google, Microsoft and Yahoo begin sending daily aggregated XML reports to the address specified in rua .

The goal is a complete assessment: which IPs send under your domain? Which of them are legitimate?

Goal at the end of the phase

  • Every legitimate sender is identified and accounted for in the SPF and DKIM configuration.
  • The share of emails passing DMARC is stable above 98%.
  • The remaining failures are explained.
!What regularly goes missing here

The phase almost never fails on the technology, but on the path of the reports. After two days the first XML files are in the inbox, nobody knows what to do with them, and from week three nobody opens them anymore.

A second recurring mistake: the first DKIM third-party is accounted for, the second isn't. In a typical mid-sized organization, between ten and twenty different systems send under the company domain.

2
Phase 2 · Quarantine
p=quarantine · non-authenticated mail goes to spam
Typical duration
4–6 weeks

What happens in this phase

The policy is raised to p=quarantine . From now on, recipients treat non-authenticated emails under your domain like spam – they usually end up in the junk folder.

Goal at the end of the phase

  • No more business-critical emails end up in spam due to missing authentication.
  • SPF and DKIM coverage is above 99% and stable.
  • pct=100 has been running without issues for at least two weeks.
!Why p=quarantine isn't enough

Quarantine is a stopover, not a destination. Spoofed email under quarantine lands in the recipient's junk folder, not nowhere. If someone clicks a fake invoice there, that's harder to defend legally and organizationally than with reject.

3
Phase 3 · Enforcement
p=reject · non-authenticated mail is rejected
Duration
permanent

What happens in this phase

The policy is set to p=reject. Receiving servers definitively reject every email that can't be authenticated as coming from your domain. Spoofed messages don't reach the recipient. That's the goal.

When is a domain really ready for reject?

  • The DMARC pass rate is permanently stable at a level that no longer suggests business-critical errors.
  • Every remaining error is assigned to a specific system – no more “unknown sender” in the reports.
  • There are no new third-party onboardings in the pipeline that aren't yet authenticated.
!The most expensive mistake

A premature p=reject regularly leads to the same result: on switchover day, invoice dispatch or applicant notifications stop working because the relevant third-party system never fully had DKIM.

06

DMARC reports: what they show

Reports are the heart of DMARC. Without them, the policy is blind. Recipients like Google send one or more XML documents to the ruaaddress daily.

google.com!your-domain.com!1712534400.xml
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
  </report_metadata>
  <record>
    <row>
      <source_ip>52.28.144.77</source_ip>
      <count>1842</count>
      <policy_evaluated>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>

Each report contains, per sending IP address, the number of mails, the result for SPF and DKIM, and the policy applied.

iIn reality

A mid-sized company domain receives between 100 and 1,000 such files per month. Without a tool, the data is practically unusable for humans.

07

Why it matters now

DMARC has been specified since 2012, but only in the past two years has the pressure to enforce risen measurably. Three developments are acting in parallel:

from 5,000
Google & YahooMandatory DMARC authentication for senders from 5,000 mails/day.
PCI 4.0
PaymentsPCI DSS 4.0 explicitly requires DMARC as part of anti-phishing controls.
M365
MicrosoftOutbound tenants require DMARC alignment, or risk rate limits and quarantine.

What used to be a best practice has thus become a prerequisite for regular mail operation with larger recipients.

08

Where it gets complex in practice

The documentation makes DMARC out to be a linear process. In real setups there are a few points where it regularly snags.

SPF flattening and the 10-lookup limit

SPF allows a maximum of ten DNS lookups per record. Anyone who has integrated four or five third-parties quickly runs into this limit. The result is a permerror – SPF is effectively broken.

Third-party DKIM for marketing and transactional mail

Services like Mailchimp, Sendgrid or Salesforce Marketing Cloud can in principle handle DKIM signing – but only if the customer sets the appropriate CNAMEs on the domain side and the keys are rotated.

Email forwarding

When a recipient forwards the mail, SPF practically always breaks – the sender IP is then no longer the originally authorized one. DKIM usually stays intact.

Edge cases: mailing lists, shared services, legacy services

There are constellations that can't be solved cleanly. Mailing lists often don't change the Fromheader and therefore break DMARC. Old fax gateways, ticketing systems or internally operated mailers have no way to do DKIM signing.

iWhat we notice in practice

About three in five organizations underestimate the number of actually sending systems by a factor of two or three during the assessment. In almost all cases the real effort is not technical but organizational.

First steps

Three ways to get DMARC under control.

Depending on internal capacity and desired pace. All three ultimately lead to p=reject – the difference is how much you carry yourself.

Check it yourself

Record Analyser & Generator.

Free tools

Instantly check what's currently in the DNS. Generate a first DMARC record. No sign-up, no commitment.

Analyse record →
Guided rollout

DMARC Monitoring.

Evaluate reports, raise the policy safely

Collect, aggregate and translate reports automatically. Steer the path to p=reject based on data.

See monitoring →
Hand it over entirely

DomainSecurity Taskforce.

We do it for you.

Our team handles the entire rollout up to p=reject. With the Score-80 Guarantee.

Discover the Taskforce →