DMARC Policy Guide: Protect Your Domain from Email Spoofing

Learn how DMARC policies protect your domain from email spoofing. Complete guide to DMARC records, policies (none/quarantine/reject), and implementation.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to prevent email spoofing and phishing.

Why DMARC Matters

Without DMARC, attackers can:

  • Spoof your domain
  • Send phishing emails
  • Damage your reputation
  • Impersonate executives (CEO fraud)

DMARC stops this by telling receiving servers what to do with unauthenticated emails.

DMARC Record Structure

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Required Tags:

  • v=DMARC1: Protocol version
  • p=policy: Main policy (none/quarantine/reject)

Optional Tags:

  • rua=mailto:...: Address that receives aggregate reports
  • ruf=mailto:...: Address that receives forensic (failure) reports
  • pct=100: Percentage of failing emails the policy is applied to
  • sp=policy: Policy for subdomains (none/quarantine/reject)
  • adkim=s: DKIM alignment mode, s (strict) or r (relaxed, the default)
  • aspf=s: SPF alignment mode, s (strict) or r (relaxed, the default)
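The following parser, added here as an example and not part of this page's checker tool, shows how a receiver reads a record like the one above: the v= tag must come first and read exactly DMARC1, p= is mandatory, and the optional tags take their RFC 7489 defaults (pct=100, relaxed alignment, and sp= inheriting p=) when absent. The sample records are constructed to match the ones used on this page.

```python
"""Parse and validate a DMARC TXT record (added example, not the page's own tool)."""

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
# RFC 7489 defaults applied when an optional tag is absent.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record: str) -> dict:
    """Return the tags of a DMARC record as a dict, with defaults filled in.

    Raises ValueError for anything a receiver would treat as "no DMARC record":
    a missing or out-of-place v=DMARC1 tag, a missing or invalid p= tag, or a
    malformed value for one of the tags this example knows about.
    """
    parts = [p.strip() for p in record.split(";")]
    parts = [p for p in parts if p]          # tolerate a trailing ';'
    tags: dict = {}
    order = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        tags[name] = value
        order.append(name)

    # v= must be the first tag and must be exactly DMARC1 (case-sensitive).
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")

    for name, default in DEFAULTS.items():
        tags.setdefault(name, default)
    tags.setdefault("sp", tags["p"])         # subdomain policy inherits p= when absent

    if tags["sp"] not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {tags['sp']!r}")
    if tags["adkim"] not in VALID_ALIGNMENT or tags["aspf"] not in VALID_ALIGNMENT:
        raise ValueError("adkim= and aspf= must be 'r' or 's'")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError(f"pct= must be an integer 0..100: {tags['pct']!r}")
    tags["pct"] = int(tags["pct"])

    # Report URIs may be a comma-separated list; normalise them to a Python list.
    for name in ("rua", "ruf"):
        if name in tags:
            tags[name] = [u.strip() for u in tags[name].split(",") if u.strip()]
    return tags


if __name__ == "__main__":
    # Constructed records mirroring the ones used on this page; the last one is
    # deliberately invalid (v= is not the first tag) and is rejected.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com",
                "p=reject; v=DMARC1"):
        try:
            print(parse_dmarc(rec))
        except ValueError as exc:
            print(f"{rec!r} -> rejected: {exc}")
```

Fetching the record itself is a TXT lookup of _dmarc.<domain>; this example only covers what happens after that lookup, which is where most syntax mistakes surface.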

DMARC Policies

1. p=none (Monitor)

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Start here: Monitor without blocking
📊 Get reports: Learn who sends as you
⚠️ No protection: Doesn't block spoofed emails

Use for: Initial deployment, data collection

2. p=quarantine (Suspicious)

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

⚠️ Quarantine: Send to spam/junk folder
Some protection: Reduces inbox delivery
📊 Still get reports: Monitor effectiveness

Use for: After monitoring phase, before full enforcement

3. p=reject (Block)

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

🛡️ Maximum protection: Block unauthenticated emails
Hard fail: Email not delivered at all
Best practice: Ultimate goal

Use for: Production, after thorough testing

DMARC Alignment

DMARC requires alignment between:

  • the domain SPF authenticated (the envelope MAIL FROM / Return-Path domain) and the domain in the From: header
  • the DKIM signing domain (the d= tag of the signature) and the domain in the From: header

A message passes DMARC when at least one of SPF or DKIM passes and its domain is aligned with the From: header.

Relaxed Alignment (default)

adkim=r; aspf=r

From: user@example.com
SPF pass for mail.example.com ✅ (subdomain of example.com, so it aligns)
DKIM pass with d=mail.example.com ✅ (same organizational domain)

Strict Alignment

adkim=s; aspf=s

From: user@example.com
SPF pass for example.com only ✅ (mail.example.com would not align)
DKIM pass with d=example.com only ✅
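To make the relaxed/strict distinction concrete, here is an added example (not code from the page) that evaluates one message the way a DMARC verifier does: each of SPF and DKIM must both pass on its own and be aligned with the From: domain, and the message passes when at least one of them does. The organizational-domain helper is an assumption of this example: it takes the last two labels, whereas a real verifier consults the Public Suffix List.

```python
"""DMARC identifier alignment, relaxed vs strict (added example, not from the page)."""
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption for this example: a real verifier consults the Public Suffix
    List so that names like example.co.uk are handled correctly; the two-label
    shortcut is enough for the example.com cases discussed on this page.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """mode 'r' (relaxed): organizational domains match; mode 's' (strict): exact match."""
    hf = header_from_domain.lower().rstrip(".")
    auth = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return hf == auth
    if mode == "r":
        return organizational_domain(hf) == organizational_domain(auth)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_evaluate(header_from_domain: str,
                   spf_domain: Optional[str], spf_result: str,
                   dkim_domain: Optional[str], dkim_result: str,
                   aspf: str = "r", adkim: str = "r") -> dict:
    """Evaluate DMARC for one message.

    spf_domain is the envelope MAIL FROM domain SPF checked; dkim_domain is the
    d= tag of the DKIM signature. DMARC passes when at least one of the two both
    passed its own check and is aligned with the From: header domain.
    """
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and is_aligned(header_from_domain, spf_domain, aspf))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and is_aligned(header_from_domain, dkim_domain, adkim))
    return {"spf": "pass" if spf_aligned else "fail",
            "dkim": "pass" if dkim_aligned else "fail",
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


if __name__ == "__main__":
    # Constructed message: From example.com, sent through mail.example.com.
    msg = ("example.com", "mail.example.com", "pass", "mail.example.com", "pass")
    print("relaxed:", dmarc_evaluate(*msg))                      # dmarc pass
    print("strict: ", dmarc_evaluate(*msg, aspf="s", adkim="s")) # dmarc fail
```

Note that a raw SPF pass for some unrelated domain does not help: the SPF column in a DMARC report is the aligned result, so a message whose MAIL FROM domain passes SPF but does not align with the From: header still counts as an SPF failure for DMARC.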

DMARC Implementation Steps

Phase 1: Monitor (2-4 weeks)

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

Actions:

  1. Publish record
  2. Collect reports
  3. Identify legitimate senders
  4. Fix SPF/DKIM issues

Phase 2: Quarantine (2-4 weeks)

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com

Actions:

  1. Apply the policy to 10% of failing emails (pct=10)
  2. Monitor for issues
  3. Gradually increase pct toward 100
  4. Fix any problems

Phase 3: Reject (Production)

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com

Actions:

  1. Apply to 100% of emails
  2. Monitor reports continuously
  3. Update as needed

DMARC Reports

Aggregate Reports (rua)

Daily XML reports showing:

  • Who sent emails (by source IP)
  • SPF/DKIM results, as evaluated for DMARC alignment
  • DMARC pass/fail and the disposition applied
  • Volume statistics

Example (one record from a report; each record covers one sending IP):

<record>
  <row>
    <source_ip>192.0.2.1</source_ip>
    <count>250</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>example.com</header_from>
  </identifiers>
</record>

Forensic Reports (ruf)

Individual failure reports:

  • Full email headers
  • Failure reason
  • Immediate notification

⚠️ Privacy concern: Contains email content

Common DMARC Mistakes

1. Starting with p=reject

Problem: Blocks legitimate emails

Solution: Always start with p=none

2. No DMARC Reports Email

Problem: Can't see what's happening

Solution: Always include rua=

3. Missing SPF or DKIM

Problem: DMARC always fails

Solution: Set up SPF + DKIM first

4. Subdomain Not Covered

Problem: Subdomains unprotected

Solution: Add sp= policy

v=DMARC1; p=reject; sp=reject

DMARC for Different Scenarios

Corporate Email

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s

Strict: Maximum protection

Marketing Domain

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com

Moderate: Allow some flexibility

Non-sending Domain

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100

Reject all: Domain shouldn't send emails

Testing DMARC

Use MXToolbox.eu DMARC checker:

  1. Enter domain
  2. Tool fetches _dmarc record
  3. Validates syntax
  4. Checks policy
  5. Shows recommendations
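The checks in steps 3 to 5 can be automated against the mistakes listed in the Common DMARC Mistakes section. The linter below is an added example, not the MXToolbox.eu tool, and takes the TXT string the lookup in step 2 would return. One caveat it encodes: per RFC 7489, subdomains inherit p= when sp= is absent, so the real subdomain risk is an sp= value weaker than p=, which is what the linter flags.

```python
"""Review a DMARC record against the pitfalls listed on this page (added example)."""

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def lint_dmarc(record: str) -> list:
    """Return (severity, message) findings for a DMARC TXT record.

    An empty list means the record is at the page's recommended end state:
    p=reject, subdomains no weaker, pct=100, and aggregate reporting enabled.
    """
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()

    if tags.get("v") != "DMARC1" or "p" not in tags:
        return [("error", "not a valid DMARC record: needs v=DMARC1 first and a p= tag; receivers ignore it")]

    p = tags["p"]
    sp = tags.get("sp", p)  # RFC 7489: subdomains inherit p= when sp= is absent
    if p not in STRENGTH or sp not in STRENGTH:
        return [("error", f"unknown policy value: p={p} sp={sp}")]

    findings = []
    if "rua" not in tags:
        findings.append(("error", "no rua= address: you will receive no aggregate reports"))
    if p == "none":
        findings.append(("warn", "p=none only monitors; unauthenticated mail is still delivered"))
    elif p == "quarantine":
        findings.append(("info", "p=quarantine: move to p=reject once reports show no legitimate failures"))
    if STRENGTH[sp] < STRENGTH[p]:
        findings.append(("warn", f"subdomains get sp={sp}, weaker than p={p}; set sp= no weaker than p="))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and p != "none":
        findings.append(("info", f"pct={pct}: policy applies to only {pct}% of failing mail; raise to 100 when stable"))
    if "ruf" in tags:
        findings.append(("info", "ruf= set: failure reports can contain message content; protect that mailbox"))
    return findings


if __name__ == "__main__":
    # Constructed records covering the page's three phases and the subdomain mistake.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
                "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com",
                "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec)
        for severity, message in lint_dmarc(rec) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```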

Best Practices

  • Start with p=none - Learn first
  • Set up reports - Monitor continuously
  • Fix SPF/DKIM - Required for DMARC
  • Gradual rollout - Use the pct parameter
  • Strict policy - End goal: p=reject
  • Subdomain policy - Cover all subdomains

Conclusion

DMARC is the final piece of email authentication:

  • Prevents domain spoofing
  • Protects brand reputation
  • Improves deliverability
  • Stops phishing attacks

Implement DMARC properly:

  1. Fix SPF and DKIM first
  2. Start with p=none
  3. Monitor reports
  4. Gradually enforce
  5. Reach p=reject

Check your DMARC policy with our free DMARC checker.