These days, emails are one of the most common causes of network attacks, and for good reason. Many users will just open any email they see and click a link without truly investigating its trustworthiness. Emails, after all, are supposed to be quick and seamless. No user wants to go through the hassle of ensuring every detail lines up with the emails they’ve received from a company before.
Beyond that, even if they do check every detail, some spammers are surprisingly convincing. If they’ve been running their operation for years, they know how to make it seem like a legitimate email message beyond just adding a poorly cropped company logo.
The best way to protect users, in this case, is to prevent these malicious phishing emails from reaching their inboxes in the first place. The only problem is that many who use Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have found these standards inadequate on their own. This is where DMARC records come in.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance, commonly known as DMARC, is an email authentication protocol designed to reduce the possibility of success for threat actors when they conduct phishing attacks. In other words, DMARC plays a critical role in securing email channels as it hinders an attacker’s ability to deliver threats to user inboxes.
Implementing DMARC as a security measure will allow organizations to configure a record that lists authorized senders from their domain. Such a list helps prevent cybercriminals from using the company’s email for phishing.
When this email authentication protocol is in place, it opens up the ability for businesses to countercheck all incoming messages against their DMARC records. Senders that fail the data check will be subject to pre-determined actions such as diverting their emails directly to the spam folder or blocking them outright.
Messages can also be received as normal but will come with a warning. Senders who failed the security check will be added to a report for assessment later on. The email could also go through a custom policy, which an organization can adopt beforehand according to how they approach risk.
Although DMARC isn’t capable of preventing the delivery of all malicious emails, it still plays an essential role in reducing spoof messages. It also has a crucial role in minimizing the number of suspicious emails that reach user inboxes.
As you may already know, DMARC is just one of the few email authentication standards we have today. It can be used in conjunction with SPF and DKIM in determining whether an email is genuine or not.
Combining these three protocols can also help identify if an email sender is allowed to send emails based on the organization they represent.
How Does DMARC Work?
As mentioned earlier, DMARC works in tandem with the SPF and DKIM email authentication standards to assess whether a message is safe to receive or not. Emails that fail their tests are rejected or blocked, while those that pass are allowed to reach their designated inboxes.
In DMARC, the record of a sender comes with an instruction for the recipient on what steps they should take next in case of suspicious activity. It works through the following:
- Domain owners publish their DMARC DNS records and send that to their DNS hosting company.
- Each time they send an email using their domain, the mail server of recipients will check if the domain uses a familiar DMARC record.
- The receiving mail server then performs SPF and DKIM authentication, including alignment tests. This verifies that the sender has a valid DKIM signature, that its IP address or addresses match the authorized records, and that the message passes the alignment tests.
- Using the SPF and DKIM results, the mail server then applies the DMARC policy set by the sending domain. This could result in the quarantine or rejection of the message if it failed the tests, but taking no action is also a possible option.
- Once the mail server has determined what action to take, it sends a report that will affect all other messages it receives from the same domain in the future. The reports generated are called DMARC Aggregate Reports, and they are sent to the email addresses listed in the record itself.
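The receiver-side steps above, worked through in code as an added example (this is not code from the original article or from any DMARC implementation). It assumes the policy values have already been read out of the sending domain's TXT record, approximates the organizational domain with the last two DNS labels instead of the Public Suffix List, and uses constructed SPF/DKIM results and domains; the "none", "quarantine" and "reject" outcomes and the pct sampling follow RFC 7489.

```python
"""Evaluate one message against a DMARC policy (added example, not article code)."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.
    Assumption for this example; a real receiver consults the Public
    Suffix List so that mail.example.co.uk maps to example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact domain match,
    relaxed ("r") accepts a shared organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class DmarcPolicy:
    """Values a receiver would have parsed from the _dmarc TXT record."""
    p: str                       # none | quarantine | reject
    record_domain: str           # domain the record was published for
    sp: Optional[str] = None     # subdomain policy; falls back to p
    pct: int = 100               # share of failing mail the policy applies to
    adkim: str = "r"             # DKIM alignment mode
    aspf: str = "r"              # SPF alignment mode


# Messages outside the pct sample get the next less severe action.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def evaluate_dmarc(policy: DmarcPolicy, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   message_id: str,
                   sample_bucket: Optional[int] = None) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    DMARC passes when SPF or DKIM passed *and* the domain it authenticated
    aligns with the From header domain. On failure the disposition is p
    (or sp for a subdomain). The sample bucket (0-99) is derived from the
    Message-ID so the decision is repeatable; tests may supply it directly.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.adkim)
    if spf_ok or dkim_ok:
        return True, "none"

    is_subdomain = from_domain.lower() != policy.record_domain.lower()
    action = (policy.sp or policy.p) if is_subdomain else policy.p

    if sample_bucket is None:
        digest = hashlib.sha256(message_id.encode()).hexdigest()
        sample_bucket = int(digest, 16) % 100
    if sample_bucket >= policy.pct:
        action = DOWNGRADE[action]
    return False, action


if __name__ == "__main__":
    # Constructed sample: a bulk sender authenticates with SPF on a
    # bounce subdomain, so relaxed alignment passes but strict fails.
    relaxed = DmarcPolicy(p="reject", record_domain="example.com")
    strict = DmarcPolicy(p="reject", record_domain="example.com", aspf="s")
    args = ("example.com", "pass", "bounce.example.com", "fail", "", "<1@example.com>")
    print(evaluate_dmarc(relaxed, *args))  # (True, 'none')
    print(evaluate_dmarc(strict, *args))   # (False, 'reject')
```

The sample run shows why alignment mode matters for deliverability: the same SPF pass on a bounce subdomain is enough under relaxed alignment but not under strict, and a message that fails both checks is handled by p, sp or the pct downgrade rather than by the SPF and DKIM results alone.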
What is a DMARC Record?
A DMARC record is the basis on which the DMARC email authentication protocol operates. The record lets email servers know whether or not a domain is configured to implement DMARC and what rules they should follow in case of issues. You can think of a DMARC record as a DNS entry.
Once a DMARC record has been set, a sender can begin using their DMARC standard immediately. This record is used by mail servers that have adopted DMARC for verification purposes.
Such a record is basically made up of a specified name or host as well as tag-value pairs. Tag-value pairs are tags and values that are matched to inform the receiving mail server on what actions they should take next.
Here’s an example of a DMARC record for reference:
“v=DMARC1; p=none; rua=mailto:[email protected]”
- The “v” value in a DMARC record shows the version of the protocol used. It is normally labeled as “DMARC1” and is required for such authentication. Otherwise, the receiving mail server will skip it.
- The “p” value is the action to take in case a sender fails the DMARC test. The options available are none, quarantine, and reject.
- The “sp” tag indicates the subdomain policy. It’s possible to implement different policies for the main domain and its subdomains. Subdomains can also publish their own DMARC records, which are checked before the main domain’s.
- The “pct” tag indicates the percentage of failing emails to which the policy is applied.
- The “rua” tag tells mail servers where to send aggregate DMARC reports. You can include several addresses within this line.
- The “adkim” tag sets the type of alignment test used for DKIM. The two options here are “r” for relaxed and “s” for strict.
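The tag-value structure above, as an added parser that is not code from the original article: it splits a record into tags, enforces that the version tag comes first (a receiver skips the record otherwise), validates the “p”, “sp”, “pct”, “adkim”, “aspf” and “rua” values, and fills in the defaults a receiver would assume for tags that are absent. The sample records and the report addresses in it are constructed for the example.

```python
"""Parse and sanity-check a DMARC TXT record (added example, not article code)."""
import re
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC record into tag/value pairs and validate the common tags.

    Returns the parsed tags with defaults filled in for sp, pct, adkim and
    aspf. Raises ValueError for anything a receiver would ignore or that
    would make the policy apply differently than the publisher intended.
    """
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without value: {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
        order.append(name)

    # v=DMARC1 must be the first tag, otherwise the record is skipped.
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"p must be none, quarantine or reject, got {policy!r}")

    sp = tags.get("sp", policy).lower()      # subdomain policy defaults to p
    if sp not in VALID_POLICIES:
        raise ValueError(f"bad sp value: {sp!r}")

    try:
        pct = int(tags.get("pct", "100"))    # default: apply policy to all failures
    except ValueError:
        raise ValueError("pct must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")

    adkim = tags.get("adkim", "r").lower()   # alignment defaults to relaxed
    aspf = tags.get("aspf", "r").lower()
    if adkim not in VALID_ALIGNMENT or aspf not in VALID_ALIGNMENT:
        raise ValueError("adkim/aspf must be r or s")

    # rua is a comma-separated list of mailto: URIs, optionally with a
    # size limit after "!" (e.g. mailto:x@example.com!10m).
    rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    for addr in rua:
        if not MAILTO.fullmatch(addr.split("!")[0]):
            raise ValueError(f"rua entry is not a mailto: URI: {addr!r}")

    return {"v": "DMARC1", "p": policy, "sp": sp, "pct": pct,
            "adkim": adkim, "aspf": aspf, "rua": rua}


def check_dmarc_record(txt: str) -> Optional[str]:
    """Return None when the record parses cleanly, else the problem found."""
    try:
        parse_dmarc_record(txt)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample records; the report address is a placeholder.
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"))
    print(check_dmarc_record("p=reject; v=DMARC1"))   # version tag not first
```

Running the monitoring record from the article through the parser shows the defaults a receiver silently applies: sp follows p, pct is 100, and both alignment modes are relaxed, which is why a record with only “v”, “p” and “rua” still yields a complete policy.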
An important thing to consider is that your DMARC setting will override the DKIM policy you specified beforehand, which can be useful in many instances.
Why is a DMARC Record Important?
The main reason why having a DMARC record is important is because of its connection to one’s email deliverability and sender reputation. The primary benefits you can get with the proper setup include:
- Setting up your DMARC record ensures that your email authentication reporting stays on point against potential cybercriminal activity.
- DMARC email authentication minimizes the chances of phishing practices succeeding while also reducing the possibility of false positives.
- DMARC email authentication is beneficial to internet service providers (ISPs) as it helps them pinpoint spammers immediately. Such quick action allows malicious messages directed at recipient inboxes to be stopped.
- DMARC is positioned to replace Author Domain Signing Practices (ADSP). It improves on it in several aspects, such as non-existent subdomains, wildcarding, email message quarantining, slow rollouts, and more.
- DMARC can reduce complexities by making the whole email process more transparent.
- Spammers that will attempt to use your domain name to send messages to your recipients can be blocked with the help of DMARC.
How to Set Up Your DMARC Record
Your DMARC record is hosted on your DNS server as a TXT entry. Since each hosting provider gives DNS access to its customers, you can add your TXT entry where your domain is registered. Often a dashboard is provided so you can input the entry easily.
Keep in mind that the steps for setting up your DMARC record won’t be the same for each provider. However, there are basic points you can follow. Once you have logged in to your DNS provider, you can create your DNS entry with the following steps:
- Create your DNS TXT record by entering a name and value for it.
- Give your DMARC record a name. Some host setups allow you to append the name automatically with your domain name. In case it hasn’t been added yet, you can name your record _dmarc.yourdomain.com.
- Input the values in your DMARC record.
Once you have verified that your DMARC is working as expected, you can change your “p” value to either quarantine or reject messages that failed the check. Most experts recommend quarantining messages first as it will let you identify false positives.
When you quarantine, the email will be set aside for the time being until you can review it. The option to reject stops the message from getting through whenever it fails the DMARC rules.
You want to avoid using the reject option as much as possible unless you’re extremely confident that the messages you receive will pass. You should only choose the reject option if no critical messages will be removed based on your DMARC configurations.
Understanding the DMARC Policies Available
As mentioned earlier, DMARC lets you inform the receiving inboxes what they should do with messages that fail the DMARC assessment. Each record lets you define a policy that will provide instructions on what to do next.
You have three options to choose from when setting the policy of your DMARC record. These are:
Monitor Policy
The monitor policy, or simply the “p=none” tag, is the first policy in a DMARC record. This option will inform email service providers to send a report to the email address listed within the “rua” tag.
This policy is used for monitoring as it doesn’t outright reject or quarantine messages that failed DMARC assessment. Instead, reports will be sent for now to give you an idea of which sender has constantly missed the mark.
The monitor or none policy will only provide details on who is sending messages on behalf of a certain domain. Being flagged for monitoring doesn’t affect one’s email deliverability.
Quarantine Policy
The quarantine policy, or the “p=quarantine” tag, is an instruction for email receivers to immediately quarantine messages that fail DMARC checks. These emails are sent to the spam folder to help recipients avoid accessing them accidentally.
On the other hand, email messages that pass the DMARC record check are directed to the main inbox of the recipient. These messages can be accessed without worry as they are most likely safe.
The quarantine policy’s overall aim is to minimize the negative impacts of spoofing. However, the emails aren’t removed right away as they will still show up in spam folders.
Reject Policy
The last policy is known as the reject policy. It uses the “p=reject” tag and is designed to block emails from reaching any of the recipients’ inboxes or spam folders. Similar to the quarantine policy, the reject policy also reduces the effects of spoofing.
However, outright rejection is considered safer, especially for companies that have low levels of risk tolerance.
It’s important to remember that a DMARC policy is a request, not an obligation. Although email service providers will take your DMARC policy into account, they are in no way required to follow through with it.
This is especially true when these receivers have their own local email authentication policies in place. In case the provider is quite positive that the incoming message is genuine and safe, they can apply their own policies to let it through.
Email receivers will regularly override existing DMARC policies with their local rulesets even if you, for instance, applied the reject policy in your DMARC record.
Why Use DMARC Despite Having SPF and DKIM
One of the most effective ways to protect yourself and your contacts from email spoofing is to implement the DMARC email authentication protocol. In itself, this is a valid reason why any email marketer should aim to use DMARC for their next campaign.
For those who are already using SPF and DKIM, incorporating DMARC will provide additional lines within your DNS records. The good news is that they aren’t complex and can be set up easily.
DMARC is especially effective against spoofing activity as it provides these two benefits to users:
- When you configure your DMARC records properly, cybercriminals will have a much harder time attempting to spoof your email’s domain. These individuals will see that there is little chance of succeeding, and most would abandon their plot right away. Many attackers would rather choose an easier target rather than deal with one that implements several authentication protocols.
- The receiving mailbox servers prefer senders whose emails come from domains secured with DMARC authentication. They would most likely consider their messages legitimate compared to those with a single protocol in place. With that said, emails that pass DMARC authentication checks will have a higher chance of being delivered than a message that doesn’t have it.
Who Can Use DMARC?
Widely used cloud-based platforms like Google Workspace and Microsoft Office 365 support DMARC email authentication. In fact, DMARC has been used to verify emails since 2010.
The goal of DMARC is to ensure cybercriminals will have a more difficult time trying to send spam messages using valid email addresses. It aims to combat the rampant increase in phishing attacks that are quite prevalent nowadays.
That’s why business owners and organizations using their own domains should apply DMARC authentication. Not only will this help a domain owner protect their brand reputation, but it also increases the trustworthiness of their online identity.
Conclusion
DMARC is a crucial email authentication standard that has been around for many years now. It works in tandem with SPF and DKIM protocols to improve mail servers’ overall ability to identify potential spammers and spoofers.
Incorporating the DMARC protocol in email marketing is more important today than ever. Brands that want to increase their chances of landing in their recipients’ inboxes should seriously consider using this authentication method.
Setting up your DMARC record is easy and can be done in just a few steps. Although the methods of applying it will differ depending on the provider, the approach follows the same concept of ensuring your record is set up properly before proceeding.
When you have your own DMARC DNS record in place, you have a better chance of reaching your email subscribers rather than simply being content with just a single email authentication protocol.