What Is DMARC? A Plain-English Guide for Business Owners

Learn what DMARC is, why it matters for email security, and when you need to create a DMARC record. A practical guide for SMBs and agencies.

Last updated: 2026-01-28

If you have ever Googled "what is DMARC" and landed on a page full of acronyms and protocol diagrams, you are not alone. DMARC is one of those things that sounds deeply technical but actually solves a very simple problem: it stops other people from sending email that looks like it came from your domain.

This guide explains what DMARC is, why it matters for your business, and when you need to set it up. No sysadmin background required.

What Is DMARC, Exactly?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that tells receiving mail servers what to do when they get a message claiming to be from your domain but failing authentication checks.

Think of it this way. You own the domain yourcompany.com. Without DMARC, anyone on the internet can send an email with a "From" address of ceo@yourcompany.com, and most mail servers will accept it without question. That is called domain spoofing, and it is the backbone of phishing attacks, business email compromise, and brand impersonation.

DMARC gives you a way to publish a policy in your DNS records that says: "If someone sends an email from my domain and it fails SPF and DKIM checks, here is what you should do with it." The options range from doing nothing (just send me a report) to quarantining the message to rejecting it outright. For a closer look at the differences between those enforcement levels, see our quarantine vs reject comparison.

A DMARC record is a single DNS TXT record published at _dmarc.yourcompany.com. When a mail server receives a message from your domain, it looks up that record and follows your instructions.

Why DMARC Matters for Your Business

DMARC is not just a security checkbox. It directly affects whether your emails reach inboxes and whether criminals can impersonate your brand.

It protects your domain from spoofing. Without DMARC, attackers can send emails that appear to come from your domain. They might impersonate your CEO to trick employees into wiring money, or they might send fake invoices to your clients. A DMARC policy set to reject tells receiving servers to drop those fraudulent messages entirely.

It improves your email deliverability. Gmail, Yahoo, and Microsoft all use DMARC as a signal when deciding whether to deliver your email to the inbox or the spam folder. In early 2024, Google and Yahoo began requiring DMARC for bulk senders. Even if you are not sending thousands of emails per day, having a DMARC record tells mail providers that you take email authentication seriously, and that helps your legitimate messages land where they should.

It gives you visibility into who is sending email as you. One of the most underrated features of DMARC is its reporting mechanism. When you publish a DMARC record with a reporting address, mail servers send you aggregate reports showing every source that attempted to send email using your domain. You might discover a forgotten marketing tool, a compromised server, or an active spoofing campaign you did not know about.

It is increasingly required. Beyond Google and Yahoo's requirements, many industries and enterprise partners now require DMARC as part of vendor security assessments. If you work with larger companies, government agencies, or regulated industries, you will likely be asked about your DMARC policy.

The Prerequisites: SPF and DKIM

DMARC does not work on its own. It relies on two other email authentication protocols that need to be in place first: SPF and DKIM.

SPF (Sender Policy Framework) is a DNS record that lists the servers authorized to send email on behalf of your domain. When a mail server receives a message, it checks whether the sending server's IP address is included in your SPF record. If you have not set up SPF yet, you can create one at spfcreator.com.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server verifies that signature against a public key published in your DNS. This proves the email was actually sent by an authorized system and was not tampered with in transit. You can generate DKIM keys at dkimcreator.com.

DMARC ties these two together. It checks whether a message passes SPF or DKIM (or both) and whether the domain in those checks aligns with the domain in the "From" header. This alignment requirement is what makes DMARC effective at stopping spoofing. A spammer might be able to pass SPF using their own domain's servers, but DMARC ensures the SPF domain matches the "From" domain the recipient sees. For a detailed side-by-side breakdown of how these three protocols differ, see SPF vs DKIM vs DMARC.

You need at least one of SPF or DKIM passing and aligned for DMARC to pass. Best practice is to have both configured before creating your DMARC record.
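The alignment rule above, worked through in Python. This is an added example, not code from any mail server or from this guide's tools; the function names, the sample messages, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC verdict logic, not a full RFC 7489 implementation.

def org_domain(domain: str) -> str:
    """Naive organizational domain: the last two labels.
    ASSUMPTION: real receivers use the Public Suffix List (needed for co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_verdict(msg: dict, aspf: str = "r", adkim: str = "r") -> str:
    """DMARC passes when SPF or DKIM both passes AND aligns with the From domain."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["spf_domain"], msg["from"], aspf)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_domain"], msg["from"], adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample messages (authentication results as a receiver would see them).
MESSAGES = {
    "own mail server": {"from": "yourcompany.com", "spf": "pass",
        "spf_domain": "mail.yourcompany.com", "dkim": "pass",
        "dkim_domain": "yourcompany.com"},
    "email service signing with your DKIM key": {"from": "yourcompany.com",
        "spf": "pass", "spf_domain": "bounces.esp.example",
        "dkim": "pass", "dkim_domain": "yourcompany.com"},
    "spoofed From, SPF passes for sender's own domain": {"from": "yourcompany.com",
        "spf": "pass", "spf_domain": "spammer.example",
        "dkim": "none", "dkim_domain": ""},
}

def evaluate_all(aspf: str = "r", adkim: str = "r") -> dict:
    """Verdict for every constructed message under the given alignment modes."""
    return {name: dmarc_verdict(m, aspf, adkim) for name, m in MESSAGES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:4}  {name}")
```

The third message is the case described above: SPF passes, but for a domain that is not the one in the "From" header, so DMARC fails.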

What a DMARC Record Looks Like

A DMARC record is a DNS TXT record published at the _dmarc subdomain of your domain. Here is a typical example:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; pct=100;

Let's break down each part:

  • v=DMARC1 -- This identifies the record as a DMARC policy. It is always DMARC1.
  • p=none -- This is your policy. It tells receiving servers what to do with messages that fail DMARC. none means take no action (just report). Other options are quarantine (send to spam) and reject (block entirely).
  • rua=mailto:dmarc-reports@yourcompany.com -- This is where aggregate reports get sent. You will receive XML reports from mail providers showing who is sending email as your domain.
  • pct=100 -- The percentage of messages the policy applies to. Start at 100 with p=none, then use lower percentages when you move to stricter policies to phase in enforcement gradually.

There are additional optional tags like ruf for forensic reports, sp for subdomain policies, and adkim/aspf for controlling how strictly SPF and DKIM alignment is checked. But the record above is a solid starting point for most businesses.

You can verify your existing DMARC record at any time using dmarcrecordchecker.com.
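To check a record by hand, the tag rules above can be expressed as a small parser and audit in Python. This is an added example, not the code behind dmarcrecordchecker.com; the function names and the wording of the findings are assumptions.

```python
# Added example: parse and audit a DMARC TXT record using the tags described above.

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into an ordered dict; reject malformed tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';'
        name, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt: str) -> list:
    """Return a list of findings; an empty list means nothing to flag."""
    tags = parse_dmarc(txt)
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return ["invalid: record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return [f"invalid: p must be one of {sorted(POLICIES)}"]
    findings = []
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not pct.isdigit() or int(pct) > 100:
        findings.append("invalid: pct must be an integer from 0 to 100")
    elif policy != "none" and int(pct) < 100:
        findings.append(f"partial enforcement: policy applies to {pct}% of failing mail")
    if policy == "none":
        findings.append("monitor only: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua: you will not receive aggregate reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"invalid: {tag} must be r or s")
    return findings

if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; pct=100;"
    print(audit_dmarc(record))
```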

When You Need to Create a DMARC Record

The short answer: now. If your domain sends email and you do not have a DMARC record, you should create one. Here are the specific scenarios where it becomes urgent:

You send marketing or transactional email. If you use tools like Mailchimp, SendGrid, HubSpot, or any service that sends email on your behalf, you need DMARC. Google and Yahoo now require it for domains sending more than 5,000 messages per day, but even lower-volume senders benefit from the deliverability boost.

You have experienced or are worried about spoofing. If your clients, partners, or employees have received phishing emails that appear to come from your domain, DMARC is the fix. A reject policy will stop those spoofed messages from reaching anyone.

You are going through a security review. SOC 2 assessments, vendor security questionnaires, and cyber insurance applications increasingly ask whether you have DMARC in place. Having a published policy with enforcement shows you take email security seriously.

You manage multiple domains. Agencies, consultants, and businesses with several domains should have DMARC on every domain, including domains that do not send email. Attackers specifically target "parked" domains because they often lack authentication records. Publishing a simple v=DMARC1; p=reject; on non-sending domains shuts that down. If you manage client domains, our guide to DMARC for agencies covers the specifics of multi-domain management.

Start with p=none

If you are setting up DMARC for the first time, start with a policy of p=none. This lets you collect reports and see who is sending email as your domain before you start blocking anything. Once you are confident your legitimate email sources are passing DMARC, you can move to quarantine and then reject.

The good news is that creating a DMARC record takes about five minutes. You generate the record, add a single TXT entry to your DNS, and you are done. Our guide on how to set up DMARC walks you through the process step by step.

Monitor Your New DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
