DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM. It tells receivers what to do when authentication fails and can send you aggregate reports about who is sending as your domain.
Where DMARC lives
DMARC is a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100| Tag | Meaning |
|---|---|
p=none | Monitor only—no enforcement |
p=quarantine | Failed mail often goes to spam |
p=reject | Failed mail should be rejected |
rua= | Aggregate report destination |
pct= | Percentage of mail subject to policy |
Recommended rollout
p=none— Publish DMARC with reporting. Fix SPF/DKIM alignment issues.p=quarantine— Enforce softly while monitoring complaint rates.p=reject— Strongest protection once alignment is stable.
Skipping straight to reject without aligned SPF and DKIM can block legitimate mail from secondary tools.
Alignment matters
DMARC passes when messages align with your From domain via SPF or DKIM. A valid SPF record on the envelope domain is not enough if the visible From domain does not align.
Check DMARC in seconds
FeedPipeline queries _dmarc.yourdomain.com alongside SPF, DKIM, and MX records. Run a free audit on any domain you manage or research for clients.
Takeaway
DMARC is your policy layer. Start with reporting, fix authentication gaps, then tighten policy as confidence grows.