DMARC
An email authentication policy framework that uses SPF and DKIM to detect and prevent domain spoofing, and reports back to domain owners on who is sending under their name.
Definition
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. Published as RFC 7489 in March 2015, DMARC is the email authentication standard that lets a domain owner publish a policy telling receivers what to do with messages that fail SPF or DKIM, and receive aggregate reports on who is sending mail under their domain. DMARC does not authenticate messages itself. It sits on top of SPF and DKIM and adds two things those protocols lack on their own: alignment (the visible From: header domain must match the domain that SPF or DKIM actually authenticated) and reporting (receivers send back XML summaries, typically daily, of authentication outcomes grouped by sending source).
How it works
When a message arrives at a participating receiver (Gmail, Outlook, Yahoo, etc.), DMARC evaluation runs in three steps. First, the receiver checks SPF (does the connecting IP appear in the SPF record of the envelope-sender domain, i.e. the MAIL FROM / Return-Path domain?) and DKIM (does the message carry a valid signature, and for which d= domain?). Second, it checks alignment: the domain that passed SPF, or the d= domain of a passing DKIM signature, must match the visible From: header domain, either exactly (strict mode) or by sharing the same organizational domain (relaxed mode). Third, the receiver looks up the DMARC record as a TXT record at _dmarc.<from-domain> (falling back to the organizational domain when the subdomain publishes none) and, if neither SPF nor DKIM produced an aligned pass, applies the published policy. One aligned pass is enough; the other mechanism failing does not matter.
The three policy values are p=none (monitor only: do not affect delivery), p=quarantine (treat as suspicious, in practice usually delivery to the spam folder), and p=reject (refuse delivery outright). The pct= tag lets domain owners roll enforcement out gradually: the policy is applied to that percentage of failing messages, and the remainder are handled one step down, so the unsampled failures of a p=reject domain are quarantined and those of a p=quarantine domain are treated as p=none (RFC 7489 section 6.6.4). The sp= tag sets a separate policy for subdomains, which otherwise inherit p=.
Example
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com; pct=100; adkim=r; aspf=r; fo=1"
Reading it tag by tag:
v=DMARC1 declares the protocol version (mandatory, must be the first tag, and always this value). p=quarantine is the policy. rua= tells receivers where to send aggregate reports. ruf= requests forensic (failure) reports, which many large receivers do not send at all. pct=100 applies the policy to all failing mail. adkim=r and aspf=r set both alignment modes to relaxed, so a DKIM signature with d=mail.example.com or an SPF pass for bounce.example.com counts as aligned with a From: address at example.com (strict mode, adkim=s / aspf=s, would require an exact match). fo=1 asks for a failure report whenever either SPF or DKIM fails to produce an aligned pass, rather than only when both fail (the fo=0 default).
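To make the three-step evaluation and the record above concrete, here is an added Python example (not code from the page or from any DMARC vendor or receiver) that parses a DMARC record, applies the RFC 7489 defaults, checks identifier alignment in relaxed or strict mode, and works out the disposition for a message from its From: domain and the SPF/DKIM outcomes. The sample records are constructed for the demo; the organizational-domain helper is a deliberate simplification (last two labels, where a real receiver uses the Public Suffix List); the `sampled` parameter stands in for the receiver's pct= coin flip so results are deterministic; and the SPF/DKIM results are supplied as inputs rather than looked up.

```python
"""Added example: a minimal DMARC record parser and policy evaluator."""
import random
from typing import Optional, Tuple

# Constructed DMARC records for the demo (assumptions, not real DNS data).
RECORD_EXAMPLE = ("v=DMARC1; p=quarantine; rua=mailto:rua@example.com; "
                  "ruf=mailto:ruf@example.com; pct=100; adkim=r; aspf=r; fo=1")
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
RECORD_SUBDOMAINS = "v=DMARC1; p=reject; sp=none; pct=50"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults.

    Raises ValueError for records a receiver would treat as absent or invalid:
    v=DMARC1 not the first tag, p= missing or unknown, pct= outside 0..100.
    """
    tags: dict = {}
    order = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")
    tags.setdefault("fo", "0")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION: the last two labels. Real receivers
    consult the Public Suffix List, so this mishandles e.g. example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any domain sharing the From: domain's organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(record: str, from_domain: str, record_domain: Optional[str] = None,
             spf_domain: Optional[str] = None, spf_pass: bool = False,
             dkim_domain: Optional[str] = None, dkim_pass: bool = False,
             sampled: Optional[bool] = None) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    record_domain: where the record was found (the From: domain itself, or its
    organizational domain on fallback); sp= applies only on fallback.
    sampled: the pct= decision, passed in explicitly to keep results deterministic.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"          # one aligned pass is enough
    record_domain = record_domain or from_domain
    policy = tags["p"] if record_domain.lower() == from_domain.lower() else tags["sp"]
    if sampled is None:
        sampled = random.randrange(100) < int(tags["pct"])
    if not sampled:                    # RFC 7489 s6.6.4: unsampled mail steps down one level
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    # Spoof: the attacker's server passes SPF for attacker.net, but From: says example.com.
    print(evaluate(RECORD_EXAMPLE, "example.com", spf_domain="attacker.net", spf_pass=True))
    # Legitimate: a DKIM signature with d=mail.example.com aligns in relaxed mode.
    print(evaluate(RECORD_EXAMPLE, "example.com", dkim_domain="mail.example.com", dkim_pass=True))
```

The spoof case is the one DMARC exists for: SPF passes, because the attacker controls the envelope domain, yet the message still fails because nothing aligned with the From: domain. Switching the record to strict alignment makes the legitimate mail from mail.example.com fail too, which is why most deployments keep adkim=r and aspf=r until every sending source signs with the exact From: domain.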