What DMARC policy should I use?

Start with p=none for monitoring, then progress to p=quarantine and finally p=reject as you verify legitimate senders are properly authenticated.

Yes, as of 2024, DMARC is required by Google and Yahoo for bulk email senders (5,000+ emails per day).

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that protects your domain from being used in phishing and spoofing attacks. It builds on SPF and DKIM to give you control over what happens to emails that fail authentication.

How DMARC Works

DMARC acts as the policy layer on top of SPF and DKIM. When an email arrives, the receiving server:

Checks SPF

Verifies the sending IP is authorized for the domain

Checks DKIM

Validates the email's digital signature

Checks Alignment

Ensures the From: domain matches SPF or DKIM domain

Applies DMARC Policy

Takes action based on your policy (none, quarantine, or reject)

DMARC Policy Options

p=none

Monitor mode. Emails are delivered normally, but you receive reports about authentication failures.

Best for: Getting started, gathering data

p=quarantine

Suspicious emails are sent to spam/junk folder instead of inbox.

Best for: Transitioning to enforcement

p=reject

Emails that fail authentication are rejected entirely and not delivered.

Best for: Maximum protection

DMARC Record Syntax

Example DMARC Record

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; pct=100

Tag	Required	Description
v=DMARC1	Yes	Version identifier (must be first)
p=	Yes	Policy: none, quarantine, or reject
rua=	No	Email address for aggregate reports
ruf=	No	Email address for forensic reports
pct=	No	Percentage of emails to apply policy (default 100)
sp=	No	Policy for subdomains
adkim=	No	DKIM alignment: strict (s) or relaxed (r)
aspf=	No	SPF alignment: strict (s) or relaxed (r)

How to Implement DMARC

Follow this step-by-step process to safely implement DMARC for your domain:

Set Up SPF and DKIM First

DMARC requires SPF and/or DKIM to be in place. Use our SPF checker and DKIM lookup to verify your setup.

Start with p=none

Begin in monitoring mode to collect data without affecting email delivery. Add reporting addresses to receive DMARC reports.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Analyze Reports

Review DMARC reports to identify legitimate senders that aren't properly authenticated. Fix any issues before moving to enforcement.

Move to Quarantine

Once legitimate senders pass authentication, upgrade to p=quarantine. Start with a low percentage (pct=10) and gradually increase.

Enforce with Reject

Finally, move to p=reject for maximum protection. This blocks all emails that fail DMARC authentication.

Why DMARC is Essential in 2024

DMARC is no longer optional. Google and Yahoo now require DMARC for bulk email senders. Here's why it matters:

Prevents Spoofing

Stops attackers from sending phishing emails that appear to come from your domain

Improves Deliverability

Authenticated emails are more likely to reach the inbox

Provides Visibility

DMARC reports show who is sending email as your domain

Enables BIMI

DMARC at p=quarantine or higher is required for BIMI logo display

Check Your DMARC Record Now

Use our free DMARC checker to validate your record, analyze your policy, and get recommendations for improvement.

Free DMARC Checker →