Define what happens to email that fails SPF and DKIM, and receive aggregate reports on who's sending from your domain.
⚡ Monitored by EmailExacto IntelligenceDMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It lets you tell receivers what to do with unauthenticated email — nothing (none), mark as spam (quarantine), or reject — and sends you aggregate reports showing all sources sending from your domain.
DMARC alignment requires the SPF-authenticated domain or DKIM-signing domain to match the From: header domain, preventing lookalike spoofing attacks.
A DMARC record is a DNS TXT record at _dmarc.yourdomain.com:
Key tags: p sets policy (none/quarantine/reject), rua receives aggregate XML reports, pct controls the percentage of failing mail the policy applies to, sp sets a subdomain policy. Start at p=none, review reports, then progress to quarantine then reject.
DMARC at p=reject is the only way to completely prevent unauthorised senders from impersonating your domain in the From: header — closing the door on brand-spoofing phishing attacks. Since February 2024, Gmail and Yahoo require DMARC for bulk senders. Microsoft followed in May 2025.
EmailExacto automatically collects and parses DMARC aggregate reports from Google, Microsoft, Yahoo, and other major senders.
✓Start with p=none to collect data without affecting mail flow, then move to quarantine then reject.
✓Set rua= to an address you actively monitor — unread DMARC reports are wasted intelligence.
✓Achieve p=reject to fully protect your domain from brand impersonation.
✓Use sp= to set a separate policy for subdomains that don't send email.
✓Review DMARC reports for unauthorised senders — they often reveal shadow IT.
✓Don't set pct= below 100% in production — partial policies leave your domain partially exposed.
Expert-written training delivered to your inbox every Tuesday. No spam. Unsubscribe anytime.
Join thousands of senders building better email habits.