What is DMARC? How it works and how to set it up
Published on July 3, 2026
DMARC protects your domain against spoofing and phishing. Learn what DMARC is, how to set up a DMARC record and which policy to choose.
DMARC is a DNS setting that stops criminals from sending email that appears to come from your domain. It builds on SPF and DKIM and tells receiving mail servers what to do with messages that fail the checks: do nothing, move them to spam or reject them. This article explains what DMARC is, how it works together with SPF and DKIM, how to set up a DMARC record and which policy (none, quarantine or reject) suits your situation.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a TXT record in your DNS that does two things. First, it sets a policy: what should a receiving server do when a message that claims to be from your domain fails the checks? Second, it enables reporting: you receive summaries of who is sending email on behalf of your domain.
Where your MX record decides which server receives your incoming email, and SPF and DKIM state who may send on behalf of your domain, DMARC adds the final piece. Without DMARC, receivers check SPF and DKIM, but they never look at the From address the reader actually sees. That gap is exactly what fraudsters exploit in phishing and spoofing.
How does DMARC work with SPF and DKIM?
DMARC never works on its own. It relies on two existing techniques that you need to have in place first.
- An SPF record lists which servers may send on behalf of your domain. The receiver checks the envelope address (the Return-Path), not the visible From address.
- DKIM adds a digital signature to your outgoing email. The receiver verifies that signature using a public key in your DNS.
Neither of them looks at the From address your reader sees in their mail program. A spammer can pass SPF and DKIM for their own domain while putting your domain in the From field. DMARC closes that gap with alignment.
Alignment: the heart of DMARC
Alignment means that the domain in the visible From address has to match the domain that SPF or DKIM checked. DMARC passes as soon as at least one of the two passes and is aligned with your From domain. If both fail, or belong to a different domain, your DMARC policy takes over.
There are two modes. In relaxed mode (the default), a subdomain counts as a match with the parent domain, for example mail.yourdomain.com and yourdomain.com. In strict mode the domain has to be identical. You control this with the aspf tag (for SPF) and the adkim tag (for DKIM). DKIM is the stronger pillar, because a DKIM signature still checks out when your email is forwarded, whereas SPF breaks at that point.
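The alignment rule above, worked through as an added example (not code from this article or from any mail server). The `org_domain` shortcut is an assumption made to keep it self-contained; real receivers determine the organizational domain with the Public Suffix List.

```python
def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # use the Public Suffix List, so this shortcut is wrong for e.g. co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): identical."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (result, domain) pairs: the SPF domain is the
    Return-Path domain, the DKIM domain is the signing domain (d=)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


# Constructed cases, all with yourdomain.com in the visible From address.
CASES = {
    # SPF and DKIM pass, but for the sender's own domain: not aligned.
    "spoofed_from": dmarc_result(
        "yourdomain.com", ("pass", "spammer.example"), ("pass", "spammer.example")),
    # Subdomain in Return-Path and signature: aligned in relaxed mode only.
    "subdomain_relaxed": dmarc_result(
        "yourdomain.com", ("pass", "mail.yourdomain.com"), ("pass", "mail.yourdomain.com")),
    "subdomain_strict": dmarc_result(
        "yourdomain.com", ("pass", "mail.yourdomain.com"), ("pass", "mail.yourdomain.com"),
        aspf="s", adkim="s"),
    # Forwarded mail: SPF fails at the forwarder, the DKIM signature survives.
    "forwarded": dmarc_result(
        "yourdomain.com", ("fail", "yourdomain.com"), ("pass", "yourdomain.com")),
}

if __name__ == "__main__":
    for name, result in CASES.items():
        print(name, result)
```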
Setting up a DMARC record
A DMARC record is an ordinary TXT record in your DNS. At LJPc hosting you manage it in the DNS settings of your domain. Work through it step by step.
- First, make sure SPF and DKIM work for every service that sends for you (your mail server, newsletter tools, your accounting software or your CRM). DMARC needs that foundation.
- Create a TXT record with the name _dmarc. The full name then becomes _dmarc.yourdomain.com.
- For the value, include at least the version and a policy. Start with a policy that blocks nothing.
- Add a rua address so that you receive reports. Without that address you cannot tell whether things are going well.
- Publish exactly one DMARC record per domain and wait for the change to propagate. That can take up to 48 hours, depending on the TTL.
A safe starting value looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;
This line says: this is a DMARC record (v=DMARC1), take no action for now (p=none), and send the summary reports to dmarc@yourdomain.com. Your email keeps working as normal; you are only gathering data.
The policy options: none, quarantine and reject
The p tag decides what a receiver does with email that fails the DMARC check. There are three values, which you roll out in this order.
| Policy | What the receiver does | When to use it |
|---|---|---|
| p=none | Takes no extra action and delivers the email as normal, but still sends you reports. | As a starting point, to see who sends on your behalf. |
| p=quarantine | Treats failing email as suspicious and delivers it to the spam or junk folder. | Once you are sure your own mail is aligned. |
| p=reject | Refuses failing email completely, before it is delivered. | As the end state, for full protection against spoofing. |
Stay on none for at least a few weeks and read your reports. Only move to quarantine, and later to reject, once all your legitimate senders pass and are aligned. That way you avoid blocking your own email. Since the updated DMARC standard from 2026 (RFC 9989), the old pct tag, which let you apply the policy to a percentage of your mail, has been removed. You now step through the three policies one at a time while watching the reports.
Key DMARC tags
A DMARC record is made up of tags separated by semicolons. These are the ones you will meet most often.
| Tag | Meaning |
|---|---|
| v | The version. Always v=DMARC1, and it must be the first tag. Required. |
| p | The policy for your domain: none, quarantine or reject. |
| rua | Address for the daily aggregate reports, for example mailto:dmarc@yourdomain.com. |
| ruf | Address for detailed per-message failure reports. Far from universally supported. |
| sp | A separate policy for subdomains. Without this tag, p also applies to your subdomains. |
| adkim / aspf | The alignment mode for DKIM and SPF: r for relaxed (the default) or s for strict. |
| t | Test mode (t=y). New in RFC 9989. It lets you trial a stricter policy without applying it yet. |
DMARC reports: how you know it works
Reports are the most useful part of DMARC. Receivers such as Google and Microsoft send a daily aggregate report to your rua address. It shows which servers sent email on behalf of your domain and whether SPF and DKIM passed and were aligned.
These reports are XML files that are hard for humans to read. Use a DMARC reporting service or tool that turns the data into a clear overview. That is how you spot legitimate senders you still need to authenticate, and how you see straight away if someone is abusing your domain.
Solving common problems
| Problem | Cause and fix |
|---|---|
| No DMARC record is found | The name has to be exactly _dmarc and the value must start with v=DMARC1. Check for typos. |
| DMARC seems to be ignored | There is more than one DMARC record at _dmarc. Only one is allowed, so remove the others. |
| Your own email lands in spam after quarantine | A sending service is not aligned. Enable DKIM for that service and step back to none for a while. |
| Forwarded email fails SPF | Forwarding breaks SPF. Rely on DKIM alignment, which survives forwarding. |
| Legitimate mail blocked after reject | You moved to reject too soon. Go back to none or quarantine until every sender passes. |
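The record-level checks from the setup steps and from the first two rows of this table can be automated. The following is an added example, not a tool from this article: `check_dmarc` is a hypothetical helper that takes the TXT strings found at _dmarc.yourdomain.com (fetch them with your usual DNS lookup tool) and returns a list of problems.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into ordered (name, value) pairs."""
    tags = []
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip().lower(), value.strip()))
    return tags


def check_dmarc(txt_records):
    """txt_records: every TXT string published at _dmarc.<domain>."""
    parsed = [parse_tags(r) for r in txt_records]
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [tags for tags in parsed if tags and tags[0] == ("v", "DMARC1")]
    if not dmarc:
        return ["no record starting with v=DMARC1"]
    if len(dmarc) > 1:
        return ["%d DMARC records published; only one is allowed" % len(dmarc)]

    tags = dict(dmarc[0])
    problems = []
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if tags.get(mode, "r").lower() not in ("r", "s"):
            problems.append(mode + " must be r or s")
    rua = tags.get("rua", "")
    if not rua:
        problems.append("no rua address: no aggregate reports will arrive")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        problems.append("rua entries are expected to be mailto: addresses")
    if "pct" in tags:
        # Per the article above, pct was removed in RFC 9989.
        problems.append("pct tag present; the article notes it has been removed")
    return problems
```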
With a well-configured DMARC record, you protect your domain against abuse and improve your own email deliverability. Move up step by step from none to reject and keep an eye on your reports. Still stuck? Get in touch with support.
Frequently asked questions
What is the difference between DMARC, SPF and DKIM?
SPF decides which servers may send on behalf of your domain, and DKIM adds a digital signature to your email. DMARC ties those two to the visible From address and adds a policy and reporting. SPF and DKIM are the checks; DMARC decides what happens when they fail.
Do I need SPF and DKIM before I set up DMARC?
Yes. DMARC depends entirely on SPF and DKIM. For a DMARC check to pass, at least one of the two has to pass and be aligned with your From domain. So set up SPF and DKIM first, and only then switch on DMARC.
Which DMARC policy should I choose?
Always start with p=none. That lets you collect reports without any email being held back. Move to p=quarantine and finally p=reject once you are sure all your legitimate senders pass. Reject gives the best protection against spoofing.
Where do I put the DMARC record?
In your DNS, as a TXT record named _dmarc, so that the full name becomes _dmarc.yourdomain.com. At LJPc hosting you do this in the DNS settings of your domain. Publish no more than one DMARC record per domain.
How long before DMARC works?
The record itself is usually active within a few minutes, and within 48 hours at the latest, depending on the TTL. For a reliable picture, leave the policy on none for a few more weeks so you gather enough reports before you tighten it.
Is DMARC required?
For large senders, yes. Google and Yahoo (since 2024), and Microsoft (since May 2025), require SPF, DKIM and DMARC from anyone sending a lot of email to their users. For smaller domains DMARC is strongly recommended too, because it helps prevent your domain being spoofed.