What is a DMARC record?

Email remains one of the most important channels for communicating with customers, but it is also one of the most frequently abused. As a brand, when you expand your sales, automation and email marketing, not only does the volume of emails you send increase - but so does the risk that someone will start impersonating a domain associated with your organisation.

In practice, this means that as a domain owner, simply setting up an email account or an email marketing tool is no longer enough. You must also ensure that receiving servers can recognise whether the sender is genuinely sending messages on your behalf, or whether someone is attempting to impersonate you.

This is where the DMARC record comes in. It is a feature that enhances security and helps protect your domain’s reputation.

What is a DMARC record and how does it work?

DMARC is an email authentication protocol that allows a domain owner to specify how mail servers should handle emails sent from their domain.

The acronym DMARC stands for Domain-based Message Authentication, Reporting and Conformance. This mechanism combines SPF and DKIM with a policy for handling messages that do not meet the requirements and fail verification.

Put simply, the DMARC record tells receiving servers what to do with a message if it has failed validation or if the sender’s domain does not match the data used by SPF and DKIM. This means that receiving servers do not have to assess for themselves whether a given message is trustworthy, nor do they have to rely solely on the sender’s IP address.

Cooperation is key: DMARC, SPF, DKIM

It is important to note that DMARC does not operate in isolation, but relies on SPF and DKIM - namely the Sender Policy Framework and DomainKeys Identified Mail mechanisms - and then checks domain consistency.

This means that messages will only be authenticated if the SPF record configuration, DKIM signatures and the sender’s domain are consistent with one another.

See also: DKIM – what is it and how do you configure it? >>>

DMARC and deliverability

From a business perspective, the DMARC policy also affects email deliverability and the security of sending emails on behalf of a given domain.

When the DMARC record is correctly configured, receiving servers can more easily recognise legitimate traffic, and messages that pass the DMARC check are more likely to end up in the inbox rather than the SPAM folder. This is particularly important where emails support sales, onboarding, password recovery, system notifications or email marketing activities.

In practice, the DMARC record is therefore a layer of control that organises policies, supports the correct identification of the mail server and helps protect the domain’s reputation. A well-configured DMARC policy for the sender’s domain enhances your domain’s security and reduces the risk of abuse.

Read also: Email deliverability in 2026: key observations and challenges for marketers >>>

What does a DMARC record contain?

A DMARC record contains parameters that specify how receiving servers should treat emails sent from your domain. It is published as a TXT record in the DNS zone.

The most important elements of the DMARC record are v=DMARC1, i.e. the protocol version, and p=, i.e. the DMARC policy. It is the DMARC policy that determines what should happen to messages that fail validation - whether they should be monitored only, sent to the spam folder, or rejected.

The DMARC record may also contain fields responsible for DMARC reports, such as rua and ruf, as well as additional tags, e.g. pct, adkim, aspf or sp. These allow the domain owner to refine the DMARC rules, the scope of the rule’s operation, and how emails are assessed, including for subdomains.

How to safely implement a DMARC policy?

A DMARC policy should be implemented gradually, rather than immediately set to the most restrictive option. Although adding a DMARC record itself is simple, in practice the most important thing is to prepare the entire process properly.

Email providers such as Google and Yahoo ultimately recommend a reject policy. However, before setting this, it is worth starting with none, analysing the DMARC reports and identifying all sources sending emails from the domain in question.

Only once you are certain that legitimate messages are correctly authenticated by SPF and DKIM, and that messages do not generate errors in the reports, can you safely move on to more restrictive settings. This approach reduces the risk of deliverability issues and helps avoid situations where legitimate messages fail DMARC checks.

Summary

The DMARC record is one of the fundamental elements of domain and email protection. It helps determine how receiving servers should handle messages that fail SPF and DKIM verification, whilst supporting security, the sender’s reputation and deliverability.

In practice, a well-configured DMARC record allows the domain owner to better control who is responsible for sending emails on behalf of their brand. This is particularly important for companies that use tools for email marketing, marketing automation and transactional messaging.

Frequently Asked Questions (FAQ)

How do I enable DMARC?

To enable DMARC, you need to create a DMARC record as a TXT record in your domain’s DNS settings. It usually starts with a policy of p=none, so that you can first collect DMARC reports and check whether SPF and DKIM are configured correctly.

How do I check DMARC?

You can check your DMARC configuration using a tool such as DMARC Checker, e.g. EasyDMARC

Such a tool reads the TXT record published in your domain’s DNS. Simply enter the domain name to see if the DMARC record exists, has the correct syntax, and whether the DMARC policy has been set correctly.

What does DMARC stand for?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a standard that combines SPF and DKIM with a policy specifying how to handle messages that fail verification when sending emails.

What is the DMARC policy?

A DMARC policy is a rule specifying what receiving servers should do with messages that fail validation. It can take the form of p=none, p=quarantine or p=reject, depending on whether you wish to simply monitor traffic, route messages to spam, or reject them entirely.