What Is a DMARC Record? How to Check and Fix Yours

Without a DMARC record, anyone can send email pretending to be from your domain. Here is what DMARC does, how to check your current policy, and how to fix it.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication standard that tells receiving mail servers what to do when an email claims to be from your domain but fails authentication checks. Without a DMARC record, your domain can be spoofed: criminals can send phishing emails that appear to come from your address. Check your DMARC record instantly with the DMARC Checker.

How DMARC Works

DMARC builds on two existing standards:

  • SPF checks whether the sending server's IP is authorised to send mail for your domain
  • DKIM verifies the email has not been tampered with using a cryptographic signature

An email passes DMARC if it passes either SPF or DKIM and the domain in those checks aligns with the domain in the From header. DMARC then tells the receiver what to do if a message fails: none (monitor only), quarantine (send to spam), or reject (block completely).

Anatomy of a DMARC Record

A DMARC record is a TXT record at _dmarc.yourdomain.com. A typical record looks like:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

  • v=DMARC1: version, always this value
  • p=quarantine: policy, one of none / quarantine / reject
  • rua: aggregate report destination (daily XML reports)
  • pct=100: percentage of messages to apply the policy to
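
The anatomy above, as an added example that is not the DMARC Checker's code or part of the original page: a Python audit of the TXT strings found at _dmarc.<domain>, returning the enforcement stage and any findings. It assumes the TXT values were already fetched; parse_dmarc, audit_dmarc and the finding texts are names made up here, and the single-record rule, the pct default of 100 and mailto: report URIs follow RFC 7489 rather than this page.

```python
# Added example: offline audit of a DMARC TXT value. Function names are hypothetical.
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample: the record shown in the section above.
SAMPLE = ["v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"]

def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict of lower-cased tag names to values."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';' and empty segments
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def is_dmarc(txt):
    """A DMARC record must start with the v=DMARC1 tag (other TXT data is skipped)."""
    return txt.split(";")[0].replace(" ", "").lower() == "v=dmarc1"

def audit_dmarc(txt_records):
    """Return (stage, findings) for the TXT strings found at _dmarc.<domain>."""
    records = [r for r in txt_records if is_dmarc(r)]
    if not records:
        return "missing", ["no DMARC record: receivers have no policy to enforce"]
    if len(records) > 1:
        return "invalid", ["multiple DMARC records: receivers apply none of them"]
    try:
        tags = parse_dmarc(records[0])
    except ValueError as exc:
        return "invalid", [str(exc)]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", [f"p must be none, quarantine or reject, got {policy!r}"]
    findings = []
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdecimal() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct} is not an integer from 0 to 100")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no rua: no aggregate reports to review before tightening p")
    elif any(not u.lower().startswith("mailto:") for u in rua):
        findings.append("rua contains a destination that is not a mailto: URI")
    if policy == "none":
        findings.append("p=none is monitor only: failing mail is still delivered")
    return policy, findings
```
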

Setting Up DMARC: Step by Step

  1. First ensure you have a valid SPF record and DKIM configured in your email provider
  2. Start with p=none to collect reports without blocking any mail
  3. Monitor reports for 2–4 weeks to identify legitimate senders you may have missed
  4. Move to p=quarantine once you are confident in your SPF/DKIM coverage
  5. Finally move to p=reject to fully protect your domain from spoofing

Google and Yahoo now require a DMARC record with at least p=none for all bulk senders. See the Google email sender requirements for current bulk sending rules.

Checking Your DMARC Record

Use the DMARC Checker to instantly look up your current policy. Also verify your MX records are correctly configured since mail delivery and authentication are closely related.

Frequently Asked Questions

What happens if I do not have a DMARC record?

Without DMARC, receiving mail servers have no policy to enforce. Spoofed emails from your domain may be delivered directly to recipients' inboxes. Since 2024, Google and Yahoo quarantine or reject email from domains without DMARC when sent in bulk. The full specification is defined in RFC 7489.

Will DMARC break my email?

Starting with p=none guarantees no mail is blocked. Only move to quarantine or reject after reviewing aggregate reports confirming all your legitimate mail sources pass SPF and DKIM.

What is the difference between DMARC quarantine and reject?

Quarantine tells receivers to send failing mail to the spam folder. Reject tells receivers to refuse the connection entirely, so the email never reaches the recipient. For maximum protection, p=reject is recommended once your mail flow is fully authenticated.